Hello, TL;DR: I'd like to introduce a script /usr/sbin/aa-teardown to unload all AppArmor profiles. Any objections or better ideas?
Long version:

systemctl restart apparmor gets mapped to systemctl stop apparmor ; systemctl start apparmor. (Yeah, it would be nice if systemd would support overriding that behaviour. I asked on systemd-devel for an ExecRestart= option last year, but (to say it mildly) nobody liked that idea, even if it was requested by different people and for different reasons more than once.)

This also means unloading all profiles in ExecStop is a bad idea. (Unfortunately it's exactly what the openSUSE apparmor.service currently does, but I want to change that - the future apparmor.service in Tumbleweed will have ExecStop=/bin/true and a nice[tm] comment.)

AFAIK Debian and Ubuntu currently use /etc/init.d/apparmor teardown to unload all profiles - but this won't work anymore when switching to a pure systemd unit.

Some discussion on #apparmor led to the idea to introduce a new stand-alone command aa-teardown to unload all profiles. This name would at least be somewhat familiar to Debian and Ubuntu users.

Does someone have a better idea than aa-teardown? If not, I'll implement /usr/sbin/aa-teardown in openSUSE and expect that it will also become the upstream solution [1]. So if you don't like aa-teardown, speak up *now* ;-)

If you are interested in more details and discussion, see
- https://bugzilla.opensuse.org/show_bug.cgi?id=996520 - especially the last comments (including a link to the discussion on systemd-devel)
- https://bugzilla.opensuse.org/show_bug.cgi?id=853019 [3]

Oh, and if you like mudwrestling, feel free to try requesting ExecRestart= in the systemd bugtracker or mailing list once more.

Regards,

Christian Boltz

PS: [3] and [4] could be read as systemd rants. I won't say they are, but won't object if someone understands them in that way ;-)

[1] the script content still can (and will [2]) be changed, but I expect the name /usr/sbin/aa-teardown to be set in stone ;-)
[2] to get started quickly, I'll use an as-simple-as-possible script, but I'm sure that this won't be the final solution.
[3] I could easily have made that one a CVE, but a) that would be evil and b) AFAIK upstream systemd doesn't really care about CVE numbers and scores [4].
[4] http://blog.koehntopp.info/index.php/2146-not-a-bug-version-9-8/ shows one of the better-known examples

--
> > > I _do_ have a sensible mailer!
> > And why don't you use it, then?
> I'm doing that right now.
Funny, on my side it shows that you're using KMail.
[> Manfred Misch and Bernd Brodesser in suse-linux]
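An illustrative aa-teardown, added here as an example and not Christian's script or the upstream one: it unloads every loaded profile through the AppArmor securityfs interface, assuming that the profiles file there lists one "name (mode)" per line and that writing a profile name to .remove unloads it; the sample listing and the helper names are constructed for this example.

```shell
#!/bin/sh
# Illustrative aa-teardown (added example, not the upstream script): unload
# every loaded AppArmor profile through securityfs. Assumed kernel interface:
# $SFS/profiles lists one "name (mode)" per line, and writing a profile name
# to $SFS/.remove unloads it. Needs root on a real system.
SFS="${SFS:-/sys/kernel/security/apparmor}"

# Constructed sample of what $SFS/profiles can look like (not real output).
AA_SAMPLE_PROFILES='/usr/sbin/nscd (enforce)
/usr/sbin/nscd//null-1 (enforce)
/usr/bin/example-daemon (complain)'

# stdin: securityfs "profiles" listing; stdout: top-level profile names.
# The " (mode)" suffix is stripped and child profiles ("parent//child") are
# dropped, because removing the parent removes its children as well.
aa_list_profiles() {
    sed -E 's/ \([a-z]+\)[[:space:]]*$//' | grep -v '//' | LC_COLLATE=C sort
}

# Unload all profiles below securityfs directory $1. Exit status is non-zero
# if the directory is missing or any single removal failed.
aa_teardown() {
    sfs="$1"
    if [ ! -f "$sfs/profiles" ]; then
        echo "aa-teardown: AppArmor securityfs not available at $sfs" >&2
        return 1
    fi
    retval=0
    # Here-document instead of a pipe, so the loop runs in the current shell
    # and $retval survives it.
    while IFS= read -r profile; do
        [ -n "$profile" ] || continue
        if ! printf '%s' "$profile" > "$sfs/.remove"; then
            echo "aa-teardown: failed to unload $profile" >&2
            retval=1
        fi
    done <<EOF
$(aa_list_profiles < "$sfs/profiles")
EOF
    return $retval
}

# Run only when invoked as the aa-teardown command, not when sourced.
case "$0" in
    *aa-teardown) aa_teardown "$SFS" ;;
esac
```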