On Sat, 11.10.14 21:57, m...@zarb.org (m...@zarb.org) wrote:

> From: Michael Scherer <m...@zarb.org>
>
> Since apparmor needs to access /proc to communicate with the kernel,
> any unit setting / as readonly will be unable to also use the
> AppArmorProfile setting, as found on debian bug 760526.
A unit that sets /proc to read-only is broken anyway, I don't think we should work around that. Or am I missing something here?

If you apply the apparmor profile before setting up the namespace stuff you need to whitelist all the namespace operations in the apparmor profile. That might be quite a lot, hence: is this really desirable?

Lennart

--
Lennart Poettering, Red Hat
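The thread turns on a unit combining AppArmorProfile= with a read-only setting that also covers /proc. The following is an added example, not code from the thread or from systemd: a small lint that parses unit files with systemd's repeated-key semantics (repeated ReadOnlyDirectories= lines accumulate, an empty assignment resets) and reports units whose [Service] section sets AppArmorProfile= while marking / or /proc read-only. The unit texts and the profile name "example-profile" are constructed for the demonstration; the rule that only / and /proc count as "covering /proc" is an assumption of this lint.

```python
"""Lint systemd unit files for AppArmorProfile= combined with a
read-only / or /proc (the combination discussed in the thread).

Added example, not part of the mailing-list thread or of systemd.
All unit texts below are constructed sample input."""

from typing import Dict, List


def parse_unit(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Minimal unit-file parser: section -> key -> list of values in order.
    Repeated keys append (systemd semantics); an empty assignment resets
    the list. Lines ending in a backslash continue on the next line."""
    sections: Dict[str, Dict[str, List[str]]] = {}
    current = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.rstrip()
        if line.endswith("\\"):
            pending = line[:-1] + " "
            continue
        pending = ""
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        values = sections[current].setdefault(key, [])
        if value == "":
            values.clear()          # empty assignment resets the list
        else:
            values.append(value)
    return sections


def read_only_paths(service: Dict[str, List[str]]) -> List[str]:
    """Flatten ReadOnlyDirectories= (space-separated; a leading '-'
    means ignore-if-missing) into a plain list of paths."""
    paths: List[str] = []
    for entry in service.get("ReadOnlyDirectories", []):
        for p in entry.split():
            paths.append(p.lstrip("-"))
    return paths


def covers_proc(path: str) -> bool:
    """Assumption of this lint: a read-only / or /proc also makes /proc
    read-only; narrower paths do not."""
    p = path.rstrip("/") or "/"
    return p in ("/", "/proc")


def lint_unit(text: str) -> List[str]:
    """Return one finding per read-only path that conflicts with
    AppArmorProfile= in the unit's [Service] section."""
    service = parse_unit(text).get("Service", {})
    profile = service.get("AppArmorProfile", [])
    if not profile:
        return []
    return [f"AppArmorProfile={profile[-1]} combined with read-only {p}"
            for p in read_only_paths(service) if covers_proc(p)]


# Constructed sample units (not from any real system).
CONFLICTING_UNIT = """\
[Unit]
Description=constructed example: read-only root plus AppArmor profile

[Service]
ExecStart=/usr/bin/true
AppArmorProfile=example-profile
ReadOnlyDirectories=/
"""

HARMLESS_UNIT = """\
[Service]
ExecStart=/usr/bin/true
AppArmorProfile=example-profile
ReadOnlyDirectories=/etc -/var/lib/example
ReadOnlyDirectories=/usr
"""

RESET_UNIT = """\
[Service]
ExecStart=/usr/bin/true
AppArmorProfile=example-profile
ReadOnlyDirectories=/
ReadOnlyDirectories=
"""

if __name__ == "__main__":
    for name, unit in [("conflicting", CONFLICTING_UNIT),
                       ("harmless", HARMLESS_UNIT), ("reset", RESET_UNIT)]:
        print(name, lint_unit(unit) or "ok")
```

Run against a directory of unit files, the lint surfaces exactly the combination the patch description reports, so the read-only scope can be narrowed rather than dropping the AppArmor confinement.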