[apparmor] AppArmor and /etc/

Simon McVittie smcv at collabora.com
Mon Jan 8 12:37:05 UTC 2018


On Sun, 07 Jan 2018 at 16:22:49 +0100, intrigeri wrote:
> At least on Debian,
> /usr is mounted by the initramfs so IIRC this can break only systems
> that have a separate /usr filesystem *and* don't use an initramfs.

That configuration is officially no longer supported in Debian since
Debian 9 'stretch'. With an initramfs, /usr must be mounted by the
time the normal, non-initramfs init (systemd, sysvinit etc.) is exec'd;
without an initramfs, /usr must be on the root filesystem.

It's possible that a separate /usr with no initramfs might accidentally
work in some scenarios, but the system isn't guaranteed to behave
correctly (for example not all udev rules will work as intended).

A separate /var being mounted by the normal, non-initramfs init system
is still supported, and the Debian initramfs doesn't currently mount
/var. I don't know whether /var over NFS (other than as part of an NFS
root filesystem) is meant to be supported or not. If it is, AppArmor's
systemd units should probably have RequiresMountsFor=/var before moving
the cache to /var/cache.

    smcv
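The RequiresMountsFor=/var suggestion above, as an added example that is not part of the mailing-list thread and not AppArmor's own packaging: a systemd drop-in that orders apparmor.service after a separately mounted /var, plus a small check that a unit file actually covers the /var mount. The drop-in file name (var-mount.conf) and the simplified unit-file parsing are assumptions; systemd itself resolves RequiresMountsFor= against the real mount table.

```shell
#!/bin/sh
# Added example (not from the thread). Drop-in for apparmor.service so the
# service waits for a separately mounted /var before touching /var/cache.
# RequiresMountsFor= adds Requires= and After= on every mount unit needed to
# reach the listed path, so this also covers /var on NFS mounted by the
# normal init system rather than the initramfs.
DROPIN_CONTENT='[Unit]
RequiresMountsFor=/var
'

# install_dropin <unit-name> [<etc-root>]
# Writes the drop-in under <etc-root>/systemd/system/<unit-name>.d/ and prints
# its path. <etc-root> defaults to /etc; pass a scratch directory to test.
install_dropin() {
    dir="${2:-/etc}/systemd/system/$1.d"
    mkdir -p "$dir"
    printf '%s' "$DROPIN_CONTENT" > "$dir/var-mount.conf"
    printf '%s\n' "$dir/var-mount.conf"
}

# covers_path <unit-file> <mount-point>
# Succeeds if some RequiresMountsFor= entry in the unit file is the mount
# point itself or lies below it. systemd pulls in mount units for every
# parent of a listed path, so "/var/cache/apparmor" also covers the /var
# mount, while "/var" alone would not cover a separate /var/cache mount.
# Simplified parser (assumption): ignores sections, line continuations,
# quoting, and merging of several drop-ins.
covers_path() {
    unit="$1"; want="$2"
    sed -n 's/^[[:space:]]*RequiresMountsFor=//p' "$unit" | tr ' ' '\n' | {
        while read -r p; do
            [ -n "$p" ] || continue
            case "$p" in
                "$want"|"$want"/*) exit 0 ;;
            esac
        done
        exit 1
    }
}

# Demonstration on a scratch directory; does not touch the real /etc.
demo() {
    root=$(mktemp -d)
    f=$(install_dropin apparmor.service "$root")
    if covers_path "$f" /var; then
        echo "$f orders apparmor.service after the /var mount"
    fi
    rm -rf "$root"
}
```

Source the file and call `demo` to see it work on a scratch tree; to install for real, run `install_dropin apparmor.service` as root and then `systemctl daemon-reload`. On a live system `systemctl show -p RequiresMountsFor apparmor.service` prints the effective value, including anything merged from drop-ins.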


