[systemd-devel] [PATCH] timesyncd: tighten unit file
lennart at poettering.net
Tue Jan 27 16:15:08 PST 2015
On Tue, 27.01.15 14:58, Cameron Norman (camerontnorman at gmail.com) wrote:
> On Tue, Jan 27, 2015 at 1:16 PM, Lennart Poettering
> <lennart at poettering.net> wrote:
> > On Tue, 27.01.15 19:47, Topi Miettinen (toiwoton at gmail.com) wrote:
> >> I'm not sure. Shouldn't we then ship a SELinux policy file then? Would
> >> you be interested in AppArmor profile for timesyncd, I have one? Also,
> >> if a distro uses weird SELinux policies or setuid helpers at every
> >> possible opportunity, shouldn't they have some responsibility of fixing
> >> their setup?
> > Well, SELinux policy is managed in a central selinux policy database
> > that is shipped in one big RPM. My selinux-fu is not good enough to
> > maintain the policy file in systemd, and i am not sure this even is
> > generic enough to be able to ship the same selinux policy that works
> > across all distros that do selinux.
> > If Apparmor policies are standardized and stand-alone enough, and
> > there's a clear way to install them, and you are willing to look after
> > it, then yes, I'd merge a patch that adds apparmor profiles to systemd
> > upstream.
> A good idea would be to set the apparmor profile(s) to warn-only mode
> for some period of time, and then let distros patch (this would be a
> one liner) that to be in enforce mode if they want to test it out.
> One possible issue is that AppArmor profiles are installed in /etc.
> Will that be a problem WRT the whole stateless system initiative, or
> is it an acceptable exception to the "only comments in /etc" rule?
Well, there's support for copying data from /usr to /etc on first boot
using tmpfile's "C" lines. However, that's supposed to be used only
as temporarily glue. Ideally all softare would work fine without /etc
around and do the right thing on its own. Also, apparmor probably
should operate before tmpfiles has run.
So yeah, apparmor working like that is not compatible withe stateless
systems that shall be able to boot up without /etc around.
Lennart Poettering, Red Hat
More information about the systemd-devel