Hey, just to clarify why I'm doing that explicitly in the systemd profile. Loading a bunch of profiles is extremely slow, so this has to run after system boot (after X I mean, I use autologin + startx). And in the meantime, some services like NetworkManager and nscd need to be enforced before they start.
So I had to add an ExecPre to fix that. If I don't, it would end up "The binary has a profile defined but running unconfined" blabla

On Tue, Aug 12, 2014 at 4:23 PM, intrigeri <[email protected]> wrote:
> Hi,
>
> Christian Boltz wrote (11 Aug 2014 21:53:40 GMT) :
>> It looks unnecessary to me - the dependencies should already enforce
>> loading all AppArmor profiles before any daemons are started (at least
>> it works on openSUSE that way).
>
> ... and, if a given system-wide daemon needs a specific profile that
> doesn't match the program's path (e.g. see system_tor in Debian), then
> systemd v210 adds support for running that service with an explicitly
> defined profile.
>
>> That all said - currently I use the good old initscript even with
>> systemd. Having a systemd unit to load all profiles would be nice (and
>> would solve some annoying problems) - is someone interested in writing
>> one? ;-)
>
> There's been discussion about it on the systemd ML ~2-3 months ago,
> and also on #apparmor at about the same time, but IIRC nobody summed
> up this discussion on the list. IIRC, Marc Deslauriers, among others,
> had interesting ideas on this topic. I think one of the key points
> here is how to early load those profiles that really need it, e.g.
> things that Ubuntu loads via Upstart (dhcp client, ntp).
>
> Cheers,
> --
> intrigeri
>
> --
> AppArmor mailing list
> [email protected]
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/apparmor

--
Best Regards,
Aaron Lewis - PGP: 0x13714D33 - http://pgp.mit.edu/
Finger Print: 9F67 391B B770 8FF6 99DC D92D 87F6 2602 1371 4D33
