Your message dated Mon, 25 May 2020 12:26:00 +0200 with message-id <87k1109upz.fsf@manticora> and subject line Re: Bug#923367: AppArmor: Profile for journald has caused the Debian Bug report #923367, regarding AppArmor: Profile for journald to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

-- 
923367: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=923367
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: apparmor-profiles
Version: 2.13.2-9
Severity: normal

Hi,

I've created a profile for journald to restrict the possible capabilities the process has. But journald starts before the AppArmor profiles get loaded. I've created a service to run after apparmor.service to restart all unconfined services having a profile.

What do you think about this? Would you include this in the package?

Bye
Jörg

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.20.0-trunk-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_CRAP, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages apparmor-profiles depends on:
ii  apparmor  2.13.2-9

apparmor-profiles recommends no packages.

apparmor-profiles suggests no packages.

-- no debconf information

-- 
The right to change one's opinion is one of the most important human privileges.
(Robert Peel)

include <tunables/global>

profile /lib/systemd/systemd-journald {
  include <abstractions/base>

  /dev/kmsg rw,
  /etc/machine-id r,
  /proc/cmdline r,
  /proc/sys/kernel/hostname r,
  /proc/sys/kernel/random/boot_id r,
  /proc/*/{cgroup,cmdline,comm,loginuid,sessionid} r,
  /proc/*/attr/current r,
  /proc/1/{environ,sched} r,
  owner /proc/@{pid}/stat r,

  capability setgid setuid sys_admin sys_ptrace syslog,
  ptrace (read),

  /etc/systemd/journald.conf r,
  owner /run/systemd/journal/{,**} rw,
  owner /var/log/journal/{,**} rw,
  /run/udev/data/* r,
  /sys/devices/pci0000:00/**/uevent r,
}

[Unit]
Description=Restart unconfined services having AppArmor profiles
DefaultDependencies=no
ConditionSecurity=apparmor
Before=dbus.service sysinit.target
After=apparmor.service
Requires=apparmor.service

[Service]
Type=oneshot
ExecStart=/usr/local/sbin/apparmor-systemd-restart-unconfined

[Install]
WantedBy=sysinit.target

#!/bin/sh
# PIDs of processes that have an AppArmor profile loaded but still run unconfined
uc_pids=$(aa-status --json | jq -r '.processes[][] | select(.status == "unconfined") | .pid')
if test -z "$uc_pids"
then exit 0
fi
# PID 1 cannot be restarted: re-exec systemd instead and drop it from the list
if echo "$uc_pids" | grep -qFx 1
then uc_pids=$(echo "$uc_pids" | grep -vFx 1)
systemctl daemon-reexec
fi
if test -z "$uc_pids"
then exit 0
fi
# Map the remaining PIDs to unit names via the "● unit.service - ..." header lines
uc_srv=$(systemctl status -n0 $uc_pids | sed '/^● /!d; s///; s/ .*//' | sort -u)
if test -n "$uc_srv"
then systemctl restart $uc_srv
fi
--- End Message ---
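As an added illustration of the selection logic the restart service relies on (this is not the reporter's script nor anything shipped by apparmor-profiles), the following Python takes constructed `aa-status --json` output and constructed `/proc/<pid>/cgroup` contents, finds processes that have a profile loaded but run unconfined, maps them to their systemd units, and singles out PID 1 for a daemon-reexec rather than a restart. The JSON shape, PIDs and cgroup paths are assumptions constructed for the example.

```python
import json
import re

# Constructed sample of `aa-status --json` output: "processes" is keyed by
# executable and lists {profile, pid, status} entries with pid as a string.
SAMPLE_AA_STATUS = json.dumps({"processes": {
    "/lib/systemd/systemd-journald": [
        {"profile": "/lib/systemd/systemd-journald", "pid": "212", "status": "unconfined"}],
    "/usr/sbin/cupsd": [
        {"profile": "/usr/sbin/cupsd", "pid": "640", "status": "enforce"}],
    "/lib/systemd/systemd": [
        {"profile": "/lib/systemd/systemd", "pid": "1", "status": "unconfined"}],
}})

# Constructed /proc/<pid>/cgroup contents (cgroup v2 form "0::/path";
# a v1 line would look like "1:name=systemd:/system.slice/x.service").
SAMPLE_CGROUPS = {
    1: "0::/init.scope\n",
    212: "0::/system.slice/systemd-journald.service\n",
    640: "0::/system.slice/cups.service\n",
}

UNIT_RE = re.compile(r"/([^/]+\.service)$")

def unconfined_pids(aa_status_json):
    """PIDs with a loaded profile that nevertheless run unconfined."""
    data = json.loads(aa_status_json)
    return sorted(int(p["pid"])
                  for entries in data["processes"].values()
                  for p in entries if p["status"] == "unconfined")

def unit_for_pid(pid, cgroups):
    """Map a PID to its .service unit via its cgroup path, or None."""
    for line in cgroups.get(pid, "").splitlines():
        m = UNIT_RE.search(line.split(":", 2)[-1])
        if m:
            return m.group(1)
    return None

def restart_plan(aa_status_json, cgroups):
    """Return (needs_daemon_reexec, sorted units to restart)."""
    pids = unconfined_pids(aa_status_json)
    reexec = 1 in pids  # PID 1 cannot be restarted; it must re-exec instead
    units = {unit_for_pid(p, cgroups) for p in pids if p != 1}
    units.discard(None)  # skip processes not running under a .service unit
    return reexec, sorted(units)
```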
--- Begin Message ---
Hi,

I'm closing this feature request as it is not actionable in Debian. I'd rather see discussions about feature requests that are not specific to Debian happen upstream: https://apparmor.net/

Thanks!
--- End Message ---

