Hi Jacek,

Jacek:
> What should the correct code of the Apparmor policy module look like to
> Dracut?

I'm not aware of any actual implementation of what this document suggests, but had I to write it, I would start there:

  https://gitlab.com/apparmor/apparmor/blob/master/parser/rc.apparmor.functions

… keeping in mind that dracut starts systemd very early, and most of the dracut code is run by systemd units as part of initrd.target, so instead of a dracut module, you could probably load AppArmor policy from a systemd unit that's WantedBy=initrd.target.

See for example how policy is loaded in Debian post-initramfs:

  https://salsa.debian.org/apparmor-team/apparmor/blob/debian/master/debian/apparmor.service

… which uses:

  https://gitlab.com/apparmor/apparmor/blob/master/parser/apparmor.systemd

… which delegates all the heavy lifting to parser/rc.apparmor.functions mentioned above.

> Question about Apparmor full system policy.
> I mean loading all Apparmor policy profiles, not just Init.

Now I'm confused. May I ask what you're trying to achieve? Is it really full system policy, i.e. *all* processes are confined? Or "only" early loading of policy?

Cheers,
-- 
intrigeri
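As an added illustration of the unit-based approach described in the reply above (this is not code from the thread, from dracut, or from the AppArmor or Debian projects), here is a systemd unit for the initrd modelled on Debian's apparmor.service. It assumes the initramfs already ships apparmor_parser, /lib/apparmor/apparmor.systemd together with rc.apparmor.functions, and the profiles under /etc/apparmor.d; the unit name apparmor-initrd.service is made up.

```ini
# /usr/lib/systemd/system/apparmor-initrd.service (hypothetical name; added example)
# Loads AppArmor policy from inside the initramfs. Everything this unit uses
# (apparmor_parser, /lib/apparmor/apparmor.systemd, rc.apparmor.functions,
# /etc/apparmor.d/) must already have been copied into the initrd image,
# because the real root filesystem is not mounted yet when it runs.
[Unit]
Description=Load AppArmor profiles in the initrd
Documentation=man:apparmor(7)
# Drop the implicit ordering against basic.target so policy is in the kernel
# before the initrd's own services start, i.e. they start already confined.
DefaultDependencies=no
Before=sysinit.target
# Only run when the kernel actually booted with AppArmor enabled.
ConditionSecurity=apparmor
# Profiles are read from the initramfs, not from the real root.
ConditionPathExists=/etc/apparmor.d

[Service]
Type=oneshot
# Same entry point Debian's apparmor.service uses: the script sources
# rc.apparmor.functions and runs apparmor_parser over /etc/apparmor.d.
ExecStart=/lib/apparmor/apparmor.systemd reload
RemainAfterExit=yes

[Install]
# Pulled in by the initrd boot target, as suggested in the reply above.
WantedBy=initrd.target
```

Policy loaded here is kernel state and survives switch_root, so the profiles shipped in the initrd should agree with what the real root's apparmor.service will load again after the switch. In a dracut build the unit and the files it depends on still have to be placed into the image, for example by a small dracut module whose install() step copies them with inst_simple.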
