[apparmor] [patch] Fix aa_log_end_msg() in rc.apparmor.suse
apparmor at cboltz.de
Thu Jul 23 22:05:43 UTC 2015
Am Mittwoch, 22. Juli 2015 schrieb Seth Arnold:
> On Wed, Jul 22, 2015 at 09:42:05PM +0200, Christian Boltz wrote:
> > This patch is the improved version - it adds a small helper function
> > to set $? (as handed over to aa_log_end_msg()) and then calls
> > rc_status -v.
> This is involving a fair amount of magic-at-a-distance kind of side
> effects that is usually overlooked in future maintenance efforts.
> So here's a few questions, which might be difficult but I have to ask:
> - Why does rcapparmor still exist on SuSE? I might have expected the
> move to systemd to remove the reason for this script to exist.
The answer basically is "because nobody wrote an apparmor.service" ;-)
Actually there is an apparmor.service, but it's just a wrapper for the
old initscript - and the reason for this to exist at all is that it was
a workaround to some breakage in a specific systemd version. (Fixed in
the meantime, but for obvious reasons I'm not going to drop
Basically I'm waiting for a good apparmor.service from upstream - didn't
Ubuntu decide to switch to systemd? ;-)
> - If rcapparmor should continue to survive, is there any way to
> rewrite portions of it to involve less dependence on global
Maybe, but I'm not too keen to do big changes to code that will die as
soon as someone provides a good apparmor.service ;-)
> > This means that "rcapparmor kill" now shows "failed" because it's
> > impossible to unload something that is compiled directly into the
> > kernel.
> "kill" should probably instead unload all the profiles. If there's a
> point for it to still exist, that is.
I'm not sure anybody is using it , but as long as the initscript
exists, I'll just keep it as is. Changing behaviour is the last thing I
want to do (well, except fixing the status and exit code it gives, which
were obviously wrong).
BTW: I also tested with $?=0 and verified that it prints a green "done"
in this case.
> Since this in suse-specific code, what happens here really doesn't
> influence much else. and you're in the best position to judge
> correctness, so here's: Acked-by: Seth Arnold
> <seth.arnold at canonical.com>
> for both 2.9 and trunk, but I really suspect the right answer is much
> more intrusive.
Indeed, the right answer is to write an apparmor.service, and I'd love
to steal that from Ubuntu one day *g*
 at least someone tried it some years ago - otherwise there wouldn't
have been that bugreport and a somehow-working patch.
I still doubt it's used by real-world admins.
> und wie lade ich Programme ein,
Hm, ruf sie an, oder schreib ihnen ne Karte.
[> Marlies/Ullrich Velter und Manfred Tremmel in suse-linux]
More information about the AppArmor