On Tue, Jan 27, 2015 at 1:16 PM, Lennart Poettering <lenn...@poettering.net> wrote:
> On Tue, 27.01.15 19:47, Topi Miettinen (toiwo...@gmail.com) wrote:
>
>> I'm not sure. Shouldn't we then ship a SELinux policy file? Would
>> you be interested in an AppArmor profile for timesyncd? I have one. Also,
>> if a distro uses weird SELinux policies or setuid helpers at every
>> possible opportunity, shouldn't they have some responsibility for fixing
>> their setup?
>
> Well, SELinux policy is managed in a central SELinux policy database
> that is shipped in one big RPM. My selinux-fu is not good enough to
> maintain the policy file in systemd, and I am not sure this even is
> generic enough to be able to ship the same SELinux policy that works
> across all distros that do SELinux.
>
> If AppArmor policies are standardized and stand-alone enough, and
> there's a clear way to install them, and you are willing to look after
> it, then yes, I'd merge a patch that adds AppArmor profiles to systemd
> upstream.
A good idea would be to set the AppArmor profile(s) to warn-only mode for some period of time, and then let distros patch that (this would be a one-liner) to be in enforce mode if they want to test it out.

One possible issue is that AppArmor profiles are installed in /etc. Will that be a problem WRT the whole stateless system initiative, or is it an acceptable exception to the "only comments in /etc" rule?

Cheers,
--
Cameron
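The "ship in warn-only mode, let the distro flip it to enforce" approach from the message above, as an added illustration that is not the profile Topi offered nor anything from the systemd tree: a minimal AppArmor profile for systemd-timesyncd with the `complain` flag set. The install path, the binary path and every access rule below are assumptions chosen to look realistic for an SNTP client; a real profile would be derived from audit logs collected while the profile runs in complain mode.

```apparmor
# Assumed install path: /etc/apparmor.d/usr.lib.systemd.systemd-timesyncd
# Illustrative profile only; paths and rules are assumptions, not systemd's.
#include <tunables/global>

# flags=(complain) is the upstream "warn-only" default: violations are
# logged (audit/dmesg) but not denied. A distro that wants enforcement
# changes this single line to:
#   /usr/lib/systemd/systemd-timesyncd {
# or runs: aa-enforce /etc/apparmor.d/usr.lib.systemd.systemd-timesyncd
/usr/lib/systemd/systemd-timesyncd flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # Stepping and slewing the system clock (settimeofday/adjtimex).
  capability sys_time,

  # SNTP over UDP, v4 and v6; no listening socket is needed for a client.
  network inet dgram,
  network inet6 dgram,

  # The daemon's own binary.
  /usr/lib/systemd/systemd-timesyncd mr,

  # Configuration (assumed locations).
  /etc/systemd/timesyncd.conf r,
  /etc/systemd/timesyncd.conf.d/ r,
  /etc/systemd/timesyncd.conf.d/*.conf r,

  # Persisted clock timestamp and RTC update (assumed paths).
  /var/lib/systemd/clock rw,
  /dev/rtc0 rw,

  # sd_notify() readiness/status messages to the service manager.
  /run/systemd/notify w,
}
```

While the profile is in complain mode, `grep apparmor=\"ALLOWED\"` over the audit log shows exactly which of the assumed rules are wrong or missing before anyone turns on enforcement.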