Bug#760526: Enable AppArmor support (using libapparmor)
Michael scherer
misc at zarb.org
Sun Oct 12 02:46:24 BST 2014
On Sun, Oct 12, 2014 at 02:23:22AM +0200, Michael scherer wrote:
> On Sun, Oct 12, 2014 at 01:40:29AM +0200, Michael scherer wrote:
> > So, investigating the problem.
> >
> > The issue is that:
> >
> > ReadOnlyDirectories = /
> >
> > makes aa_change_onexec fail with
> >
> > Oct 11 23:22:25 test-debian systemd[1985]: Failed at step APPARMOR spawning /usr/bin/tor: Read-only file system
> >
> > ( once there is proper reporting ). I suspect the issue is upstream, with the ordering of readonly vs apparmor.
> >
> > Adding :
> >
> > ReadWriteDirectories = /proc
> >
> > Seems to fix the issue as well. I am trying to see if I can fix properly upstream by moving around
> > apparmor support in the source code.
>
> So there is a catch-22. If we set the profile before the mount, it fails with:
>
> Oct 12 00:13:40 test-debian systemd[1121]: Failed at step NAMESPACE spawning /usr/bin/tor: No such file or directory
>
> If we set it after, it fails with the previous error. I think someone needs to check with upstream apparmor
> people about the proper way to do that. I will try to see on systemd-devel if someone knows why it fails like this.
So after a rather long debugging session, the problem is a false positive.
If /var/run/tor does not exist, then it fails to mount it, obviously. And I guess it
doesn't exist because /var/run is on a tmpfs, and I didn't create the proper configuration
to create it on boot.
So yeah, putting the apparmor code before the namespace code is the proper fix. I am going to send it
upstream, and then it is up to you to decide either to backport/adapt, or to just work
around it with /proc being rw.
--
Michael Scherer
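For reference, the two settings discussed above written out as a unit drop-in. This is an added example, not a file from the bug report or from the Debian tor packaging: the drop-in path, the service name and the fact that the profile is called "system_tor" are assumptions for illustration. The mechanism behind the failure is that libapparmor's aa_change_onexec() writes the profile name to /proc/self/attr/exec, so once ReadOnlyDirectories=/ has been applied before the AppArmor step, that write returns EROFS ("Read-only file system"). The workaround keeps /proc writable inside the service's mount namespace; the proper fix the message refers to is for systemd to perform the AppArmor step before setting up the namespace, at which point the ReadWriteDirectories line becomes unnecessary.

```ini
# /etc/systemd/system/tor.service.d/apparmor.conf  (illustrative drop-in; path and names assumed)
[Service]
# Profile applied via aa_change_onexec() by systemd before exec'ing /usr/bin/tor.
# "system_tor" is an assumed profile name, not taken from the thread.
AppArmorProfile=system_tor

# Sandboxing: make the whole filesystem read-only for the service ...
ReadOnlyDirectories=/

# ... but keep /proc writable, otherwise the write to /proc/self/attr/exec
# done by aa_change_onexec() fails with "Read-only file system"
# (Failed at step APPARMOR). Workaround only; drop this line once systemd
# applies the AppArmor profile before setting up the mount namespace.
ReadWriteDirectories=/proc

# The "Failed at step NAMESPACE ... No such file or directory" error in the
# thread was unrelated: the directory named here must exist before the
# namespace is set up, which on a tmpfs /run means creating it at boot.
ReadWriteDirectories=/var/run/tor
```

Two practical notes. First, ReadWriteDirectories=/proc re-exposes all of /proc read-write to the service, which is a coarser hole than the one write the AppArmor step needs; treat it as a stop-gap rather than a permanent hardening choice. Second, the "No such file or directory" at step NAMESPACE is exactly what you get when a directory listed in ReadWriteDirectories= (or ReadOnlyDirectories=) does not exist at service start; on a tmpfs /run, the usual way to make it exist is a tmpfiles.d(5) entry (for example a "d /run/tor 0700 <user> <group> -" line, with the owner matching whatever user the service runs as), which is the "proper configuration to create it on boot" the message refers to. In systemd 231 and later these options were renamed ReadOnlyPaths= and ReadWritePaths=; the old names still work as aliases.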