[systemd-bugs] [Bug 63312] Apparmor support in ConditionSecurity
bugzilla-daemon at freedesktop.org
Wed Apr 10 00:57:41 PDT 2013
https://bugs.freedesktop.org/show_bug.cgi?id=63312
--- Comment #5 from Nirbheek Chauhan <nirbheek.chauhan at gmail.com> ---
(In reply to comment #4)
> Hmm, so, the current implementation of the SELinux check not only checks
> whether SELinux is compiled into the kernel, but also if it is turned on
> during runtime.
That directory only exists if AppArmor is loaded *and* turned on, so the check
is sufficient. This can be verified by booting with security=none and running
`aa-status`. The module is loaded, but the apparmor tree inside securityfs
isn't.
> (Also, as a side note, we currently load SELinux, IMA and SMACK policies
> from early PID 1, so that they are applied before the first process is
> started. Do we want the same for AppArmor?)
Right now we're using a .service file with DefaultDependencies=no,
Before=basic.target, WantedBy=sysinit.target which works fine for us because
everything that we confine is running in basic.target.
However, eventually it would indeed be nice to have systemd load AA profiles
with PID 1.
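The two things the comment above describes, as an added example that is not part of the bug report and not systemd's or the reporter's code: a shell check that follows the same rule as the runtime test being discussed (AppArmor counts as enabled only when the apparmor directory exists under securityfs, which is absent when booting with security=none even though the LSM is compiled in), and a helper that writes a profile-loading unit with the DefaultDependencies=no / Before=basic.target / WantedBy=sysinit.target shape from the comment. Assumptions, not taken from the page: the ROOT prefix argument exists only so the check can be run against a constructed fake tree; the unit name, the ConditionSecurity=apparmor line (the support this bug asks for), the ConditionPathIsDirectory fallback for a systemd without it, and the `apparmor_parser -r /etc/apparmor.d/` command line are illustrative choices.

```shell
#!/bin/sh
# Added example; not code from the bug report or from systemd.

# apparmor_enabled [ROOT]
#   Returns 0 when the apparmor tree is present in securityfs, i.e. when
#   AppArmor is compiled in *and* turned on at runtime. ROOT is an optional
#   prefix (assumption for testing only) so a fake tree can stand in for /.
apparmor_enabled() {
    root="${1:-}"
    [ -d "${root}/sys/kernel/security/apparmor" ]
}

# apparmor_state [ROOT]
#   Prints "enabled", "compiled-in-but-disabled" or "absent". The second
#   state is the security=none case from the comment: the LSM exists but
#   nothing was registered in securityfs. Assumes securityfs is mounted at
#   /sys/kernel/security, which is where systemd and aa-status look.
apparmor_state() {
    root="${1:-}"
    if apparmor_enabled "$root"; then
        echo enabled
    elif [ -d "${root}/sys/module/apparmor" ]; then
        echo compiled-in-but-disabled
    else
        echo absent
    fi
}

# write_load_profiles_unit DEST
#   Writes a oneshot unit in the shape described in the comment. It runs
#   before basic.target, so anything confined from basic.target onward
#   already has its profiles loaded. ConditionSecurity=apparmor is the
#   condition this bug requests (assumption); the ConditionPathIsDirectory
#   line does the equivalent check on a systemd that does not have it yet,
#   so the unit is skipped cleanly on a security=none boot.
write_load_profiles_unit() {
    dest="$1"
    cat > "$dest" <<'EOF'
[Unit]
Description=Load AppArmor profiles
DefaultDependencies=no
Before=basic.target
ConditionSecurity=apparmor
ConditionPathIsDirectory=/sys/kernel/security/apparmor

[Service]
Type=oneshot
RemainAfterExit=yes
# Assumed command line: reload every profile under /etc/apparmor.d/.
ExecStart=/sbin/apparmor_parser -r /etc/apparmor.d/

[Install]
WantedBy=sysinit.target
EOF
}

# Stand-alone usage: report the state of the running kernel.
if [ "${0##*/}" != "sh" ] && [ -z "${AA_EXAMPLE_NO_MAIN:-}" ]; then
    echo "AppArmor: $(apparmor_state)"
fi
```

Run it as a script to see the state of the booted kernel; compare against `aa-status` on a kernel booted with security=none, where the module is present but the securityfs tree is not, and the report should say compiled-in-but-disabled.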