[apparmor] What's the right way to enforce program in systemd service?
Christian Boltz
apparmor at cboltz.de
Mon Aug 11 21:53:40 UTC 2014
Hello,
On Wednesday, 6 August 2014, Aaron Lewis wrote:
> I added a few lines to a systemd service; does it look unnecessary to
> you? Or should I do all this after the system is fully booted, that is,
> apply it to an already running program?
It looks unnecessary to me - the dependencies should already enforce
loading all AppArmor profiles before any daemons are started (at least
it works on openSUSE that way).
Explicitly (re)loading the profile in nscd.service is an additional
safety net to ensure the profile is really loaded. We are talking about
security, which also means additional safety nets are always welcome ;-)
As Seth already mentioned - better call apparmor_parser instead of
aa-enforce.
For better performance, check if caching is enabled ("write-cache" in
/etc/apparmor/parser.conf - on openSUSE, it's enabled by default).
That all said - currently I use the good old initscript even with
systemd. Having a systemd unit to load all profiles would be nice (and
would solve some annoying problems) - is someone interested in writing
one? ;-)
Regards,
Christian Boltz
--
[Virus scanner] Instead, a Windows workstation should have a good,
self-updating local scanner that makes the Windows box nice and slow
when opening files, to motivate the Windows user to switch to Linux.
[Kristian Koehntopp in suse-linux]
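The two pieces discussed in this mail, a unit that loads all profiles before daemons start and a per-service safety net that (re)loads one profile with apparmor_parser, as an added example that is not part of the thread and not the AppArmor project's own units. It assumes, hypothetically, that apparmor_parser lives in /sbin, that the nscd profile is /etc/apparmor.d/usr.sbin.nscd, and that the kernel lists loaded profiles as "<name> (<mode>)" lines in /sys/kernel/security/apparmor/profiles; the listing used below is constructed for the demo.

```shell
#!/bin/sh
# Added example for the thread above; not code from the AppArmor project
# or from the mail's author. Hypothetical assumptions: apparmor_parser is
# /sbin/apparmor_parser, the nscd profile is /etc/apparmor.d/usr.sbin.nscd,
# and /sys/kernel/security/apparmor/profiles has one "<name> (<mode>)" line
# per loaded profile.

# Print the mode of PROFILE ($2) as recorded in LISTING ($1, a copy of the
# kernel's profiles file): "enforce", "complain", or "absent" if not loaded.
apparmor_profile_mode() {
    apm_listing=$1
    apm_profile=$2
    awk -v p="$apm_profile" '
        # Compare as plain strings, not as a regex: profile names may
        # contain glob characters such as { } [ ] *.
        substr($0, 1, length(p) + 2) == p " (" {
            print substr($0, length(p) + 3, length($0) - length(p) - 3)
            found = 1
            exit
        }
        END { if (!found) print "absent" }
    ' "$apm_listing"
}

# Exit 0 only when PROFILE is loaded in enforce mode: the check a unit (or
# an admin after boot) can run before trusting that a daemon is confined.
apparmor_require_enforce() {
    [ "$(apparmor_profile_mode "$1" "$2")" = enforce ]
}

# Write the units below ROOT ($1); on a real host ROOT would be
# /etc/systemd/system. apparmor.service loads every profile in
# /etc/apparmor.d early in boot; the drop-in orders nscd.service after it
# and (re)loads nscd's own profile as the extra safety net.
write_apparmor_units() {
    wau_root=$1
    mkdir -p "$wau_root/nscd.service.d"
    cat > "$wau_root/apparmor.service" <<'EOF'
[Unit]
Description=Load AppArmor profiles
DefaultDependencies=no
ConditionSecurity=apparmor
After=local-fs.target
Before=sysinit.target

[Service]
Type=oneshot
RemainAfterExit=yes
# --replace is safe to repeat when profiles are already loaded;
# --write-cache refreshes the binary cache (same effect as "write-cache"
# in /etc/apparmor/parser.conf). A directory argument loads every
# profile file directly inside it.
ExecStart=/sbin/apparmor_parser --replace --write-cache /etc/apparmor.d/
ExecReload=/sbin/apparmor_parser --replace --write-cache /etc/apparmor.d/

[Install]
WantedBy=sysinit.target
EOF
    cat > "$wau_root/nscd.service.d/apparmor.conf" <<'EOF'
[Unit]
After=apparmor.service
Wants=apparmor.service

[Service]
# (Re)load this daemon's profile right before it starts. Use --replace,
# not --add: --add fails when the profile is already in the kernel.
ExecStartPre=/sbin/apparmor_parser --replace /etc/apparmor.d/usr.sbin.nscd
EOF
}

# Constructed sample of the kernel's profiles file, for the demo only.
sample_profiles_listing() {
    cat <<'EOF'
/usr/sbin/nscd (enforce)
/usr/sbin/ntpd (complain)
/usr/lib/dovecot/imap-login (enforce)
EOF
}

# Demo on the constructed listing; on a real host pass
# /sys/kernel/security/apparmor/profiles instead.
demo_dir=$(mktemp -d)
sample_profiles_listing > "$demo_dir/profiles"
apparmor_profile_mode "$demo_dir/profiles" /usr/sbin/nscd
write_apparmor_units "$demo_dir/systemd"
rm -rf "$demo_dir"
```

The drop-in uses Wants= rather than Requires= on purpose: if apparmor.service fails, nscd's own ExecStartPre still tries to load the profile, and a daemon that must not run unconfined can add a second ExecStartPre that calls apparmor_require_enforce against the kernel's profiles file and fails the start when the profile is missing.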