Hi,

Christian Boltz wrote (11 Aug 2014 21:53:40 GMT) :
> It looks unnecessary to me - the dependencies should already enforce
> loading all AppArmor profiles before any daemons are started (at least
> it works on openSUSE that way).

... and, if a given system-wide daemon needs a specific profile that doesn't match the program's path (e.g. see system_tor in Debian), then systemd v210 adds support for running that service with an explicitly defined profile.

> That all said - currently I use the good old initscript even with
> systemd. Having a systemd unit to load all profiles would be nice (and
> would solve some annoying problems) - is someone interested in writing
> one? ;-)

There's been discussion about it on the systemd ML ~2-3 months ago, and also on #apparmor at about the same time, but IIRC nobody summed up this discussion on the list. IIRC, Marc Deslauriers, among others, had interesting ideas on this topic. I think one of the key points here is how to early load those profiles that really need it, e.g. things that Ubuntu loads via Upstart (dhcp client, ntp).

Cheers,
--
intrigeri
