Hello,

Michael Biebl [2015-04-16 15:22 +0200]:
> While we are on that topic, I think it would be better to not pull apparmor
> specifics into [email protected] and networking.service, but rather have
> apparmor ship a native .service file and specify the correct orderings,
> maybe by hooking up in network-pre.target.

Yes, fully agreed. I mostly did that in [1] to get an unintrusive fix for
the freeze, i.e. tuning the autogenerated unit. But in Jessie+1 it would
be really good if we got rid of rcS init.d scripts entirely.

> Then again, I'm not too familiar with AppArmor: Is every service, which
> wants to be confined by apparmor supposed to declare a
> After=apparmor.service in its service file?

I don't think this is practical TBH. A MAC system might have profiles for
pretty much every binary in the system, so every service could potentially
be covered. Thus it's best to load and apply the profiles as early as
possible. I know that there's work going on to teach systemd pid 1 about
native loading of the profiles even before it starts any unit; but that
isn't done yet. Until then we can just ensure that it runs before
everything which has profiles and is a potential security issue.

Thanks,

Martin
-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer (www.debian.org)
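A sketch of the native unit discussed above, added here as an illustration and not the apparmor package's own unit file. It assumes profiles live under /etc/apparmor.d and that apparmor_parser is at /sbin/apparmor_parser; those paths and the choice to call apparmor_parser directly are assumptions.

```ini
# Hypothetical /lib/systemd/system/apparmor.service (added example, not the
# Debian package's unit). Paths are assumptions.
[Unit]
Description=Load AppArmor profiles
Documentation=man:apparmor(7)
# Skip entirely on kernels without AppArmor rather than failing at boot.
ConditionSecurity=apparmor
# Drop the implicit After=sysinit.target/basic.target so this unit may run
# in early boot, before any ordinary service that a profile could confine.
DefaultDependencies=no
# Ordinary services are implicitly After=sysinit.target, so Before= here is
# what guarantees the profiles are loaded before all of them.
# network-pre.target is passive: pull it in and order before it so
# networking.service and anything else After=network-pre.target sees the
# profiles already applied.
Wants=network-pre.target
Before=sysinit.target network-pre.target shutdown.target
Conflicts=shutdown.target
# Profiles must be readable before we try to load them.
RequiresMountsFor=/etc/apparmor.d

[Service]
Type=oneshot
# Keep the unit "active" after apparmor_parser exits so ordering
# dependencies on it stay satisfied for the rest of boot.
RemainAfterExit=yes
# --replace makes the load idempotent (reload over already-loaded profiles);
# --write-cache stores the compiled profiles for faster subsequent boots.
ExecStart=/sbin/apparmor_parser --replace --write-cache /etc/apparmor.d
ExecReload=/sbin/apparmor_parser --replace --write-cache /etc/apparmor.d
# Unloading on stop is optional; it removes confinement from running
# processes, so many deployments leave ExecStop out.
ExecStop=/sbin/apparmor_parser --remove /etc/apparmor.d

[Install]
WantedBy=sysinit.target
```

With DefaultDependencies=no the explicit Before=sysinit.target is what does the work: it is the single ordering point that every non-early service already sits after, which is the "load before everything which has profiles" property without teaching each service about After=apparmor.service. `systemd-analyze critical-chain networking.service` shows whether the unit actually landed before networking in the boot chain, and `systemd-analyze verify` on the unit catches ordering cycles introduced by the Before= lines.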