Hello,

On Friday, 11 July 2014, Seth Arnold wrote:
> On Fri, Jul 11, 2014 at 04:36:03PM +0200, Miklos Szeredi wrote:
> > I've a bug report saying that a process continues to be confined
> > after the profile has been removed.

Feel free to CC me (I'm suse-beta [at] cboltz [dot] de in bnc), and I'll have a look at it.

> > As far as my reading of the code goes, this is exactly what should
> > happen, since common_perm() will call __aa_current_profile() which
> > will use the obsolete profile. Is this intentional?
>
> 'rcapparmor stop' doesn't unload profiles; the 'teardown' option will
> actually unload all the profiles.

That sounds like the Ubuntu answer ;-)

For openSUSE (and SLE 12, I assume) rcapparmor stop (which is a symlink to the init script, and nowadays has some systemd magic included) will unload all profiles and un-confine all processes (basically what "teardown" does on Ubuntu).

rcapparmor start will load the profiles (again), but you need to restart running processes to confine them again.

Important note: systemd maps "restart" to "stop"/"start" instead of handing over "restart" to the initscript. This means "rcapparmor restart" will un-confine all running processes :-(

Use "rcapparmor reload" instead - it really "just" reloads the profiles without removing confinement from running processes.

Oh, and please ask the systemd maintainers to fix https://bugzilla.novell.com/show_bug.cgi?id=853019 ;-) The initscript itself handles "restart" correctly (it behaves like "reload"), but the systemd magic breaks it.

Regards,

Christian Boltz
--
> > > I _do_ have a sensible mailer!
> > And why don't you use it?
> I'm doing that right now.
Strange, on my side it shows that you are using KMail.
[> Manfred Misch and Bernd Brodesser on suse-linux]
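As an added check (not code from the thread or from the AppArmor project), the POSIX shell functions below snapshot which processes are currently confined by reading /proc/<pid>/attr/current; taking the snapshot before and after "rcapparmor reload" or "rcapparmor restart" shows whether running processes kept or lost their confinement. The optional root argument and the demo tree are constructed for offline testing and are not part of any real tool.

```shell
#!/bin/sh
# Added example, not code from the thread. Lists AppArmor-confined processes by
# reading /proc/<pid>/attr/current, which holds either "unconfined" or
# "<profile> (<mode>)". Snapshot before and after a profile operation to see
# whether running processes kept their confinement. Assumes an AppArmor kernel;
# the optional root argument is a hypothetical override for a constructed tree.

# Print one "pid<TAB>profile<TAB>mode" line per confined process under $1 (default /proc).
apparmor_confined() {
  root="${1:-/proc}"
  for d in "$root"/[0-9]*; do
    [ -r "$d/attr/current" ] || continue
    label=$(cat "$d/attr/current" 2>/dev/null) || continue
    case "$label" in
      unconfined|"") continue ;;   # not confined by any profile
    esac
    pid=${d##*/}
    mode=${label##* (}             # text after the last " ("
    mode=${mode%)}                 # drop the closing parenthesis
    profile=${label% (*}           # profile name before " (mode)"
    printf '%s\t%s\t%s\n' "$pid" "$profile" "$mode"
  done
}

# Number of confined processes; compare the value across two snapshots.
apparmor_confined_count() {
  apparmor_confined "$1" | wc -l | tr -d ' '
}

# Constructed fake /proc tree (three processes, one unconfined) for offline runs.
apparmor_demo_tree() {
  t=$(mktemp -d)
  mkdir -p "$t/1/attr" "$t/42/attr" "$t/77/attr"
  printf 'unconfined\n' > "$t/1/attr/current"
  printf '/usr/sbin/ntpd (enforce)\n' > "$t/42/attr/current"
  printf 'firefox (complain)\n' > "$t/77/attr/current"
  printf '%s\n' "$t"
}

# Stand-alone demo against the constructed tree; drop the argument for the live system.
tree=$(apparmor_demo_tree)
apparmor_confined "$tree"
echo "confined: $(apparmor_confined_count "$tree")"
rm -rf "$tree"
```

On a live system, run `apparmor_confined_count` once, perform the profile operation, and run it again; a drop to zero means running processes were un-confined.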
