On Fri, 21.02.14 09:39, Michael Scherer (m...@zarb.org) wrote:

> > Applied! I made some changes though, there were some missing
> > bits to make sure the config hookup works correctly. I don't have any
> > apparmor available though. Could you check if everything works
> > correctly?
>
> I will, I do have an openSUSE VM for that, and I think intrigeri in CC
> likely does too.
>
> > I figure the only missing bit to get apparmor up to the same level of
> > support in systemd as SELinux, SMACK and IMA have would be policy
> > uploading during early boot.
>
> Yeah, but this requires a call to an external binary, I was wondering if
> using some unit wouldn't be enough. Upstart also does provide a way to

Well, MAC policies sound like something one really should upload at a
time where no process but PID 1 is around, so that it is guaranteed to
apply to every process on the system. Uploading it in a normal unit
loads it relatively late and in parallel to other services.

I am happy to add code that uploads the AppArmor policy the same way we
upload SELinux, IMA, SMACK, but either this uploading must be so simple
that we can easily implement this in our own code (which is the way we
went for IMA or SMACK), or they must provide us with some library, but
doing this via invoking a binary is something that I don't want to see
in systemd upstream.

> load a policy specified in a job, which is maybe something we could

What is different from what we have now with AppArmorProfile=?

> support, like on demand module loading for selinux.

Hmm, "on-demand module loading for selinux"? What do you mean by that?

Lennart

--
Lennart Poettering, Red Hat
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
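For readers unfamiliar with the AppArmorProfile= directive the thread refers to, here is an added example of a service unit that uses it. It is not code from the thread or from the systemd project; the service name, executable path and profile name are placeholders. The point it illustrates is the one Lennart makes above: the directive only tells PID 1 which already-loaded profile to confine the service with, it does not load the profile itself, so the profile has to be in the kernel before this unit starts.

```ini
# /etc/systemd/system/example-daemon.service  (placeholder unit, added example)
[Unit]
Description=Example daemon confined by an AppArmor profile

[Service]
ExecStart=/usr/bin/example-daemon
# Switch the service into the named profile before ExecStart= runs.
# The profile (placeholder name) must already be loaded into the kernel;
# if it is not, the service fails to start instead of running unconfined.
AppArmorProfile=example-daemon-profile

[Install]
WantedBy=multi-user.target
```

When debugging a unit like this, check that the profile is actually loaded before looking at the unit: if the profile name is unknown to the kernel at the moment the service starts (which is the early-boot ordering problem the thread is about), the service is refused rather than silently left unconfined.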