intrigeri:
> The initscript has this:
>
>   # Required-Start: $local_fs
>
> … so I think we should be good when pid 1 == sysvinit as well as long
> as /var is not on a remote FS.
>
> Then I'm hesitating between:
>
>  a) Assume this very unlikely corner-case simply won't be triggered on
>     real-life Buster or newer systems, and then either leave it at that
>     or document in README.Debian that one must s/local_fs/remote_fs/
>     when using sysvinit + AppArmor + non-local /var.
>
>  b) Replace that stanza with "Required-Start: $remote_fs"
>      - pros: avoids the risk of breaking boot in this (corner) case
>      - cons: some services may be started before AppArmor and thus not
>        get the expected confinement unless they explicitly order
>        themselves after apparmor
>
> Thoughts, opinions?

FTR I went with (b) in the corresponding merge request [1] but I could
easily be convinced that (a) is better.

[1] https://salsa.debian.org/apparmor-team/apparmor/merge_requests/9

Cheers,
--
intrigeri
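The corner case weighed in the message above (an initscript ordered only after `$local_fs` while /var is on a remote filesystem) can be checked for mechanically. The following is an added example, not part of the original message or of the AppArmor packaging; the function names, the list of network filesystem types and the sample inputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed sample inputs (not taken from a real system).
SAMPLE_INITSCRIPT='### BEGIN INIT INFO
# Required-Start: $local_fs
### END INIT INFO'
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw 0 0
nas.example:/export/var /var nfs4 rw 0 0'

# stdin: initscript text. Prints the facilities on its Required-Start line.
required_start() {
    sed -n 's/^#[[:space:]]*Required-Start:[[:space:]]*//p' | head -n 1
}

# stdin: /proc/mounts-format text. Prints the type of the filesystem holding
# /var: the /var mount if there is one, otherwise the root filesystem.
var_fstype() {
    awk '$2 == "/" || $2 == "/var" {
             if (length($2) >= best) { best = length($2); fstype = $3 }
         }
         END { print fstype }'
}

# Assumption: a non-exhaustive list of network filesystem types.
is_remote_fstype() {
    case "$1" in
        nfs|nfs4|cifs|smb3|ceph|glusterfs|9p|fuse.sshfs) return 0 ;;
        *) return 1 ;;
    esac
}

# check_ordering INITSCRIPT_TEXT MOUNTS_TEXT
# Returns 1 when the script is not ordered after $remote_fs and /var is remote.
check_ordering() {
    facilities=$(printf '%s\n' "$1" | required_start)
    fstype=$(printf '%s\n' "$2" | var_fstype)
    case " $facilities " in
        *' $remote_fs '*) echo "ok: ordered after \$remote_fs"; return 0 ;;
    esac
    if is_remote_fstype "$fstype"; then
        echo "at risk: /var is on $fstype, Required-Start is: $facilities"
        return 1
    fi
    echo "ok: /var is on local $fstype"
}

check_ordering "$SAMPLE_INITSCRIPT" "$SAMPLE_MOUNTS" || true
```

On a real host the two arguments would be the contents of the initscript and of `/proc/mounts`; as the message notes, the result only matters when pid 1 is sysvinit.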