On Wed, 01 Nov 2017 08:04:37 +0100 intrig...@debian.org wrote: > So I propose we do this: > > --- a/debian/systemd/tor@default.service > +++ b/debian/systemd/tor@default.service > @@ -20,7 +20,7 @@ Restart=on-failure > LimitNOFILE=65536 > > # Hardening > -AppArmorProfile=system_tor > +AppArmorProfile=-system_tor > NoNewPrivileges=yes > PrivateTmp=yes > PrivateDevices=yes
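Review bot: the leading "-" in "+AppArmorProfile=-system_tor" is doing the real work here (systemd ignores a failure to switch to the named profile), but it is easy to mistake for a typo, so a one-line comment above it in the "# Hardening" block stating that the profile is optional and that tor then runs unconfined when AppArmor or the system_tor profile is absent would save the next maintainer a trip to systemd.exec(5). Worth spelling out in the changelog as well: the fallback is silent at the unit level, and the only trace on a kernel with AppArmor enabled but no profile loaded is the audit "DENIED ... change_onexec ... label not found" line, which is exactly what this change tolerates rather than treats as a start failure.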
I confirm that with this change tor starts normally without apparmor installed.

Note that I still see in syslog (if that's relevant):

kernel: [ 22.193677] audit: type=1400 audit(1509560952.793:2): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="unconfined" name="system_tor" pid=542 comm="(tor)"

I also tested it with "security=dac" on the kernel command line without getting the above syslog entry (of course).

Thanks,
Viktor