[apparmor] [patch] Fix aa_log_end_msg() in rc.apparmor.suse
Christian Boltz
apparmor at cboltz.de
Thu Jul 23 22:05:43 UTC 2015
Hello,
On Wednesday, 22 July 2015, Seth Arnold wrote:
> On Wed, Jul 22, 2015 at 09:42:05PM +0200, Christian Boltz wrote:
> > This patch is the improved version - it adds a small helper function
> > to set $? (as handed over to aa_log_end_msg()) and then calls
> > rc_status -v.
> This is involving a fair amount of magic-at-a-distance kind of side
> effects that are usually overlooked in future maintenance efforts.
>
> So here's a few questions, which might be difficult but I have to ask:
>
> - Why does rcapparmor still exist on SuSE? I might have expected the
> move to systemd to remove the reason for this script to exist.
The answer basically is "because nobody wrote an apparmor.service" ;-)
Actually there is an apparmor.service, but it's just a wrapper for the
old initscript - and the reason for this to exist at all is that it was
a workaround to some breakage in a specific systemd version. (Fixed in
the meantime, but for obvious reasons I'm not going to drop
apparmor.service again.)
Basically I'm waiting for a good apparmor.service from upstream - didn't
Ubuntu decide to switch to systemd? ;-)
> - If rcapparmor should continue to survive, is there any way to
> rewrite portions of it to involve less dependence on global
> variables?
Maybe, but I'm not too keen to do big changes to code that will die as
soon as someone provides a good apparmor.service ;-)
> > This means that "rcapparmor kill" now shows "failed" because it's
> > impossible to unload something that is compiled directly into the
> > kernel.
>
> "kill" should probably instead unload all the profiles. If there's a
> point for it to still exist, that is.
I'm not sure anybody is using it [1], but as long as the initscript
exists, I'll just keep it as is. Changing behaviour is the last thing I
want to do (well, except fixing the status and exit code it gives, which
were obviously wrong).
BTW: I also tested with $?=0 and verified that it prints a green "done"
in this case.
> Since this is suse-specific code, what happens here really doesn't
> influence much else, and you're in the best position to judge
> correctness, so here's: Acked-by: Seth Arnold
> <seth.arnold at canonical.com>
> for both 2.9 and trunk, but I really suspect the right answer is much
> more intrusive.
Indeed, the right answer is to write an apparmor.service, and I'd love
to steal that from Ubuntu one day *g*
Regards,
Christian Boltz
[1] at least someone tried it some years ago - otherwise there wouldn't
have been that bugreport and a somehow-working patch.
I still doubt it's used by real-world admins.
--
> and how do I invite programs,
Hm, call them, or send them a card.
[> Marlies/Ullrich Velter and Manfred Tremmel in suse-linux]
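The pattern discussed above (a helper that turns a numeric argument back into `$?` so that `rc_status -v` reports it), as an added stand-alone sketch that is not the patch from this thread. `rc_status` is SUSE's `/etc/rc.status` helper; the stand-in below is an assumption written only so the script runs on any POSIX shell, and `aa_set_rc` is an assumed name for the small helper the patch adds. The second variant shows the magic-at-a-distance hazard Seth raises: one intervening command silently resets `$?`.

```shell
# Added example, not the patch from the thread: the "set $? then call
# rc_status -v" pattern, beside the variant that breaks under maintenance.
#
# ASSUMPTION: rc_status is SUSE's /etc/rc.status helper. This stand-in is
# defined here only so the script runs offline on any POSIX shell; it mirrors
# the one behaviour the thread relies on: "-v" prints done/failed based on
# the exit status of the previous command.
rc_status() {
    status=$?                   # must be read before any other command runs
    if [ "$1" = "-v" ]; then
        if [ "$status" -eq 0 ]; then
            echo "done"
        else
            echo "failed"
        fi
    fi
    return "$status"
}

# Helper (name assumed): turns its numeric argument into the exit status
# that the very next command sees as $?.
aa_set_rc() {
    return "$1"
}

# Correct ordering: nothing may run between aa_set_rc and rc_status.
aa_log_end_msg() {
    aa_set_rc "$1"
    rc_status -v
}

# The magic-at-a-distance hazard: a single intervening command, even a
# harmless one added later (a debug echo, a plain variable assignment),
# resets $? to 0 and turns every failure into a green "done".
aa_log_end_msg_fragile() {
    aa_set_rc "$1"
    true                        # stands in for any later-added statement
    rc_status -v
}

# Demonstration when run directly: "done", "failed", then the wrong "done".
# The trailing "|| true" only keeps the demo going if set -e is active.
aa_log_end_msg 0 || true
aa_log_end_msg 1 || true
aa_log_end_msg_fragile 1 || true
```

Running it prints `done`, `failed` and then `done` again for the fragile variant, which is exactly the kind of wrong status the thread set out to fix; the exit status of `aa_log_end_msg` itself also carries the code through, so callers can test it.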