On Sun, Oct 12, 2014 at 02:23:22AM +0200, Michael Scherer wrote:
> On Sun, Oct 12, 2014 at 01:40:29AM +0200, Michael Scherer wrote:
> > So, investigating the problem.
> >
> > The issue is that:
> >
> > ReadOnlyDirectories = /
> >
> > makes aa_change_onexec fail with
> >
> > Oct 11 23:22:25 test-debian systemd[1985]: Failed at step APPARMOR
> > spawning /usr/bin/tor: Read-only file system
> >
> > (once there is proper reporting). I suspect the issue is upstream, with
> > the ordering of readonly vs apparmor.
> >
> > Adding:
> >
> > ReadWriteDirectories = /proc
> >
> > seems to fix the issue as well. I am trying to see if I can fix it properly
> > upstream by moving around apparmor support in the source code.
>
> So there is a catch-22. If we set the profile before the mount, it fails with:
>
> Oct 12 00:13:40 test-debian systemd[1121]: Failed at step NAMESPACE
> spawning /usr/bin/tor: No such file or directory
>
> If we set it after, it fails with the previous error. I think someone needs to
> check with upstream apparmor people about the proper way to do that. I will try
> to see on systemd-devel if someone knows why it fails like this.
So after a rather long debugging session, the problem is a false positive. If /var/run/tor does not exist, then it fails to mount it, obviously. And I guess it doesn't exist because /var/run is on a tmpfs, and I didn't create the proper configuration to create it on boot.

So yeah, putting the apparmor code before the namespace code is the proper fix. I am gonna send it upstream, and then it's up to you to decide either to backport/adapt, or to just work around with /proc being rw.

-- 
Michael Scherer
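For readers hitting the same combination, here is what the workaround discussed in this thread looks like as a systemd drop-in. This is an added example, not a unit file from the thread or from the Debian tor package: the drop-in path and the profile name are placeholders, and it assumes /var/run is the same tmpfs as /run (a symlink on Debian). The reason /proc must stay writable is that aa_change_onexec() sets the new profile by writing to /proc/self/attr/exec, which is the write that fails with "Read-only file system" when ReadOnlyDirectories=/ is applied first; RuntimeDirectory= takes care of the missing /var/run/tor that caused the NAMESPACE failure.

```ini
# Hypothetical drop-in: /etc/systemd/system/tor.service.d/hardening.conf
[Service]
# Confine the daemon under an AppArmor profile (placeholder name).
AppArmorProfile=system_tor

# Make the whole filesystem read-only inside the service's mount namespace.
ReadOnlyDirectories=/

# Keep /proc writable: aa_change_onexec() writes the profile name to
# /proc/self/attr/exec, and that write is what failed with EROFS when
# only ReadOnlyDirectories=/ was set.
ReadWriteDirectories=/proc

# Create /run/tor (/var/run/tor on Debian) before the NAMESPACE step so
# there is a directory to mount over; systemd removes it again on stop.
RuntimeDirectory=tor
```

After placing the file, run `systemctl daemon-reload` and restart the unit; on failure, `systemctl status tor` shows which step (APPARMOR or NAMESPACE) failed, matching the log lines quoted above. On systemd 231 and later the same settings are spelled ReadOnlyPaths= and ReadWritePaths=, with the old names kept as aliases.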