<html>
<head>
<base href="https://bugs.freedesktop.org/" />
</head>
<body>
<p>
<div>
<b><a class="bz_bug_link
bz_status_NEW "
title="NEW --- - Apparmor support in ConditionSecurity"
href="https://bugs.freedesktop.org/show_bug.cgi?id=63312#c5">Comment # 5</a>
on <a class="bz_bug_link
bz_status_NEW "
title="NEW --- - Apparmor support in ConditionSecurity"
href="https://bugs.freedesktop.org/show_bug.cgi?id=63312">bug 63312</a>
from <span class="vcard"><a class="email" href="mailto:nirbheek.chauhan@gmail.com" title="Nirbheek Chauhan <nirbheek.chauhan@gmail.com>"> <span class="fn">Nirbheek Chauhan</span></a>
</span></b>
<pre>(In reply to <a href="show_bug.cgi?id=63312#c4">comment #4</a>)
<span class="quote">> Hmm, so, the current implementation of the SELinux check not only checks
> whether SELinux is compiled into the kernel, but also if it is turned on
> during runtime.</span>
That directory only exists if AppArmor is loaded *and* turned on, so the check
is sufficient. This can be verified by booting with security=none and running
`aa-status`. The module is loaded, but the apparmor tree inside securityfs
isn't.
<span class="quote">> (Also, as a side note, we currently load SELinux, IMA and SMACK policies
> from early PID 1, so that they are applied before the first process is
> started. Do we want the same for AppArmor?)</span>
Right now we're using a .service file with DefaultDependencies=no,
Before=basic.target, WantedBy=sysinit.target which works fine for us because
everything that we confine is running in basic.target.
However, eventually it would indeed be nice to have systemd load AA profiles
with PID 1.</pre>
</div>
</p>
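<p>The distinction drawn in the comment above (the AppArmor module being loaded versus the apparmor tree existing inside securityfs, which only happens when AppArmor is actually turned on) as an added C example; this is not systemd's code. It assumes the module directory under /sys/module and the securityfs mount at /sys/kernel/security, and takes the sysfs root as a parameter so a constructed tree can be checked offline.</p>

```c
/* Added example, not systemd's ConditionSecurity implementation.
 * Distinguishes three states described in comment #5:
 *   <root>/module/apparmor exists            -> LSM is loaded
 *   <root>/kernel/security/apparmor exists   -> securityfs tree present,
 *                                               i.e. AppArmor is turned on
 * With security=none the first exists but the second does not.
 * `root` is normally "/sys"; it is a parameter so a constructed tree
 * (make_fake_sysfs) can be used without a real AppArmor kernel. */
#include <errno.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

enum aa_state { AA_ABSENT = 0, AA_LOADED_DISABLED = 1, AA_ENABLED = 2 };

static int is_dir(const char *root, const char *rel) {
    char path[512];
    struct stat st;
    if (snprintf(path, sizeof path, "%s/%s", root, rel) >= (int)sizeof path)
        return 0;                                   /* path too long: treat as absent */
    return stat(path, &st) == 0 && S_ISDIR(st.st_mode);
}

/* ConditionSecurity=apparmor-style check: only AA_ENABLED means "on at runtime". */
enum aa_state detect_apparmor(const char *root) {
    if (is_dir(root, "kernel/security/apparmor"))
        return AA_ENABLED;
    if (is_dir(root, "module/apparmor"))
        return AA_LOADED_DISABLED;
    return AA_ABSENT;
}

/* Constructed sysfs-like tree for offline demonstration (hypothetical helper).
 * Returns 0 on success, -1 on a mkdir failure other than "already exists". */
int make_fake_sysfs(const char *root, int loaded, int enabled) {
    const char *parts[] = { "", "module", "module/apparmor",
                            "kernel", "kernel/security", "kernel/security/apparmor" };
    char path[512];
    for (size_t i = 0; i < sizeof parts / sizeof *parts; i++) {
        if (i == 2 && !loaded) continue;            /* no module dir when not loaded */
        if (i == 5 && !enabled) continue;           /* no securityfs tree when disabled */
        snprintf(path, sizeof path, "%s/%s", root, parts[i]);
        if (mkdir(path, 0755) != 0 && errno != EEXIST) return -1;
    }
    return 0;
}

int main(void) {
    static const char *names[] = { "absent", "loaded but disabled", "enabled" };
    printf("AppArmor on this host: %s\n", names[detect_apparmor("/sys")]);
    return 0;
}
```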
</body>
</html>