[apparmor] What's the right way to enforce program in systemd service?

Aaron Lewis the.warl0ck.1989 at gmail.com
Fri Aug 15 03:03:29 UTC 2014


Hey, just to clarify why I'm doing that explicitly in the systemd profile.

Loading a bunch of profiles is extremely slow, so this has to run after
system boot (after X, I mean; I use autologin + startx).
And in the meanwhile, some services like NetworkManager and nscd need
to be enforced before they start.

So I had to add an ExecPre to fix that. If I don't, it would end up
"The binary has a profile defined but running unconfined" blabla


On Tue, Aug 12, 2014 at 4:23 PM, intrigeri <intrigeri at debian.org> wrote:
> Hi,
>
> Christian Boltz wrote (11 Aug 2014 21:53:40 GMT) :
>> It looks unnecessary to me - the dependencies should already enforce
>> loading all AppArmor profiles before any daemons are started (at least
>> it works on openSUSE that way).
>
> ... and, if a given system-wide daemon needs a specific profile that
> doesn't match the program's path (e.g. see system_tor in Debian), then
> systemd v210 adds support for running that service with an explicitly
> defined profile.
>
>> That all said - currently I use the good old initscript even with
>> systemd. Having a systemd unit to load all profiles would be nice (and
>> would solve some annoying problems) - is someone interested in writing
>> one? ;-)
>
> There's been discussion about it on the systemd ML ~2-3 months ago,
> and also on #apparmor at about the same time, but IIRC nobody summed
> up this discussion on the list. IIRC, Marc Deslauriers, among others,
> had interesting ideas on this topic. I think one of the key points
> here is how to early load those profiles that really need it, e.g.
> things that Ubuntu loads via Upstart (dhcp client, ntp).
>
> Cheers,
> --
> intrigeri
>
> --
> AppArmor mailing list
> AppArmor at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor



-- 
Best Regards,
Aaron Lewis - PGP: 0x13714D33 - http://pgp.mit.edu/
Finger Print:   9F67 391B B770 8FF6 99DC  D92D 87F6 2602 1371 4D33
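The ExecStartPre workaround described in the message above, as an added example that is not part of the original post: a systemd drop-in that loads one daemon's profile right before that daemon starts, plus a small check of the kernel's profile list so a unit can verify the profile is actually in enforce mode. The drop-in directory, the profile file name and the unit name are assumptions (the usual Debian/Ubuntu layout), not values from the thread.

```shell
# Added example, not code from the thread. Assumptions: the NetworkManager
# profile lives at /etc/apparmor.d/usr.sbin.NetworkManager and the drop-in
# goes to /etc/systemd/system/NetworkManager.service.d/ on a real system.

# Write a drop-in that (re)loads only this daemon's profile before the
# daemon starts, so it does not depend on the slow whole-set load that
# happens later in the boot. The directory is a parameter so the function
# can also be exercised against a scratch directory.
write_dropin() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/apparmor.conf" <<'EOF'
[Service]
# Load just this profile; -r replaces it if an older copy is already loaded.
ExecStartPre=/sbin/apparmor_parser -r /etc/apparmor.d/usr.sbin.NetworkManager
# With systemd >= 210, AppArmorProfile=<name> can additionally switch the
# service into an already-loaded profile whose name differs from the binary
# path (the case intrigeri mentions). It does not load the profile itself.
EOF
}

# Parse a profile list in the format of /sys/kernel/security/apparmor/profiles
# ("<name> (<mode>)", one per line) and report the state of one profile.
# Return 0 = enforce, 1 = complain, 2 = not loaded at all. Pass the real
# sysfs path on a live system; a constructed file works for testing.
profile_state() {
    name="$1"
    list="$2"
    mode=$(awk -v n="$name" '$1 == n { gsub(/[()]/, "", $2); print $2 }' "$list")
    case "$mode" in
        enforce)  return 0 ;;
        complain) return 1 ;;
        *)        return 2 ;;
    esac
}

# Example use from a unit: refuse to start if the profile is not enforced.
# ExecStartPre=/bin/sh -c '. /usr/local/lib/aa-check.sh && \
#   profile_state /usr/sbin/NetworkManager /sys/kernel/security/apparmor/profiles'
```

Run `systemctl daemon-reload` after writing the drop-in, and the unit will fail loudly instead of running unconfined when the profile is missing.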