[apparmor] What's the right way to enforce program in systemd service?
Seth Arnold
seth.arnold at canonical.com
Mon Aug 11 18:19:25 UTC 2014
On Wed, Aug 06, 2014 at 08:41:40AM +0800, Aaron Lewis wrote:
> Hi,
>
> I add a few lines in a systemd service, does it look unnecessary to you?
> Or should I do all this after system is fully booted, that apply it to
> an already running program?
>
> "Use of uninitialized value $ENV{"TERM"} in hash element at
> /usr/lib/perl5/vendor_perl/Term/ReadLine/Gnu/XS.pm line 371." This is
> quite annoying though
I don't know enough about systemd but one thing that looks odd, if it
works as I expect, is that there's no need to call aa-enforce before
starting a service; no one wants to drag around a whole perl or python
interpreter just to start up a service.
Calling apparmor_parser --replace /etc/apparmor.d/usr.sbin.nscd ought to
do the job significantly faster.
> # systemctl status nscd
> ● nscd.service - Name Service Cache Daemon
> Loaded: loaded (/etc/systemd/system/nscd.service; enabled)
> Active: active (running) since Wed 2014-08-06 08:34:37 CST; 22s ago
> Process: 2648 ExecStart=/usr/sbin/nscd (code=exited, status=0/SUCCESS)
> Process: 2636 ExecStartPre=/usr/sbin/aa-enforce
> /etc/apparmor.d/usr.sbin.nscd (code=exited, status=0/SUCCESS)
> Main PID: 2650 (nscd)
> CGroup: /system.slice/nscd.service
> └─2650 /usr/sbin/nscd
>
> Aug 06 08:34:36 WIN-QK6JOWSFN7 aa-enforce[2636]: Use of uninitialized
> value $ENV{"TERM"} in hash element at
> /usr/lib/perl5/vendor_perl/Term/ReadLine/Gnu/XS.pm line 371.
> Aug 06 08:34:36 WIN-QK6JOWSFN7 aa-enforce[2636]: Setting
> /etc/apparmor.d/usr.sbin.nscd to enforce mode.
> [ROOT SHELL: ~]
>
Thanks
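
A way to confirm the result after swapping aa-enforce for apparmor_parser in ExecStartPre, as an added example that is not part of the original message: apparmor_parser --replace loads the profile in whatever mode the file declares and does not switch it to enforce, so the script checks what the kernel reports. The profile name /usr/sbin/nscd, the /sbin/apparmor_parser path, the drop-in path and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed drop-in (hypothetical path
# /etc/systemd/system/nscd.service.d/apparmor.conf):
#   [Service]
#   ExecStartPre=/sbin/apparmor_parser --replace /etc/apparmor.d/usr.sbin.nscd
# Run "sh this-script --check" after the service has started.

# Print the mode the kernel reports for one profile, or "unloaded".
#   $1 = profile name (assumed to be /usr/sbin/nscd for this profile file)
#   $2 = file in the format of /sys/kernel/security/apparmor/profiles,
#        one "name (mode)" entry per line
profile_mode() {
    awk -v name="$1" '
        { mode = $NF; line = $0
          sub(/ \([a-z]+\)$/, "", line)          # strip the trailing " (mode)"
          if (line == name) { gsub(/[()]/, "", mode); print mode; found = 1; exit } }
        END { if (!found) print "unloaded" }' "$2"
}

# Succeed only if a process label (the content of /proc/PID/attr/current)
# names the expected profile in enforce mode; "unconfined" fails.
#   $1 = profile name, $2 = label string
label_enforced() {
    [ "$2" = "$1 (enforce)" ]
}

if [ "${1:-}" = "--check" ]; then
    name=/usr/sbin/nscd
    mode=$(profile_mode "$name" /sys/kernel/security/apparmor/profiles)
    [ "$mode" = enforce ] || { echo "$name is $mode, not enforce" >&2; exit 1; }

    # The daemon must also have been started under the profile.
    pid=$(systemctl show -p MainPID nscd | cut -d= -f2)
    label_enforced "$name" "$(cat "/proc/$pid/attr/current")" ||
        { echo "nscd (pid $pid) is not confined by $name" >&2; exit 1; }
    echo "nscd (pid $pid) is confined by $name in enforce mode"
fi
```

If the first check reports complain, the profile file itself carries the complain flag and has to be changed once on disk; reloading it at every service start will not alter the mode.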