On Thu, Apr 16, 2015 at 6:22 AM, Michael Biebl <bi...@debian.org> wrote:
> Hi!
>
> While we are on that topic, I think it would be better to not pull apparmor
> specifics into ifup@.service and networking.service, but rather have
> apparmor ship a native .service file and specify the correct orderings,
> maybe by hooking up in network-pre.target.
>
> Then again, I'm not too familiar with AppArmor: Is every service, which
> wants to be confined by apparmor supposed to declare a
> After=apparmor.service in its service file?
Well, what I have seen in Upstart confs is that all profiles that the job uses are loaded before the job is started, with the `apparmor load` directive. This prevents any possible race conditions because, for example, cups would load its profile before its start regardless of whether the apparmor job has started. systemd only has an AppArmorProfile= directive, which is equivalent to Upstart's `apparmor switch`. Either systemd should gain an AppArmorLoad= directive or it should load all profiles itself before starting any services (like it does with SELinux policy).

The workaround you describe seems to be a good choice ATM, and is similar to how it is done on Upstart with the network-interface-security job:

    # Since we need these profiles to be loaded before any of the above services
    # begin running, this service must be a pre-start so that its pre-start
    # script finishes before the above services' start scripts begin.
    pre-start script
        [ -f /run/network-interface-security ] && exit 0  # already ran
        [ -d /rofs/etc/apparmor.d ] && exit 0             # do not load on liveCD
        [ -d /sys/module/apparmor ] || exit 0             # do not load without AppArmor
        [ -x /sbin/apparmor_parser ] || exit 0            # do not load without parser
        for link in /etc/apparmor/init/network-interface-security/* ; do
            [ -L $link ] && /sbin/apparmor_parser -r -W $link || true
        done > /run/network-interface-security
    end script
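For reference, here is what the systemd counterpart of that Upstart job looks like: a oneshot unit ordered Before=network-pre.target that runs the same profile-loading loop, so networking.service and ifup@.service only need their existing After=network-pre.target ordering rather than anything AppArmor-specific. This is an added example written for this page, not code from the thread, from Debian's apparmor package or from systemd; the unit name, the script path /usr/local/sbin/load-network-profiles, and the DefaultDependencies=no / After=local-fs.target choices (so the unit can run as early as network-pre.target without an ordering cycle) are assumptions. The loader keeps the Upstart job's semantics (-r to replace already loaded profiles, -W to write the cache, continue on per-profile failure) and is parameterised on the parser binary only so it can be exercised without AppArmor present.

```shell
#!/bin/sh
# Added example: systemd equivalent of the Upstart network-interface-security
# pre-start job. Not from the original thread. Paths below are assumptions.

# Emit the unit file. Intended destination (assumed):
#   /etc/systemd/system/apparmor-network.service
# The three Condition= lines mirror the Upstart job's early exits; systemd
# skips the unit (without failing the boot) when a condition is not met.
unit_file() {
    cat <<'EOF'
[Unit]
Description=Load AppArmor profiles needed before network interfaces come up
DefaultDependencies=no
After=local-fs.target
Before=network-pre.target
Wants=network-pre.target
ConditionPathExists=/sys/module/apparmor
ConditionPathExists=/sbin/apparmor_parser
ConditionPathExists=!/rofs/etc/apparmor.d

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/sbin/load-network-profiles /etc/apparmor/init/network-interface-security

[Install]
WantedBy=sysinit.target
EOF
}

# load_profiles DIR [PARSER]
# Load every symlink in DIR with PARSER (default /sbin/apparmor_parser),
# replacing already loaded profiles (-r) and writing the cache (-W).
# A failing profile does not stop the loop, matching the Upstart job.
# Prints the number of profiles the parser accepted.
load_profiles() {
    dir=$1
    parser=${2:-/sbin/apparmor_parser}
    loaded=0
    for link in "$dir"/*; do
        # Only symlinks are loaded, as in the Upstart job: the directory is a
        # set of links into /etc/apparmor.d, not a profile directory itself.
        [ -L "$link" ] || continue
        if "$parser" -r -W "$link"; then
            loaded=$((loaded + 1))
        fi
    done
    echo "$loaded"
}

# Stand-alone use as the ExecStart script: pass the profile link directory.
if [ -n "${1:-}" ] && [ -d "$1" ]; then
    load_profiles "$1" >/dev/null
fi
```

One difference from the Upstart job is deliberate: the "already ran" stamp file is replaced by RemainAfterExit=yes, so systemd itself records that the unit is active and does not re-run it when a later unit pulls in network-pre.target again.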