Hi, [I thought I had sent this on Feb 27, it's in my Sent folder, but for some reason it did not make it to the BTS.]
Jörg Sommer:
> I've created a profile for journald to restrict the possible capabilities
> the process has.

Interesting!

> But journald starts before the AppArmor profiles get loaded.

I would suggest trying to use the AppArmorProfile= directive in the journald unit. I suspect it'll fail because some other stuff (normally set up by apparmor.service) is not ready yet at the time journald starts, but it'll be interesting to know what that stuff is and possibly we can set it up earlier. E.g. some of the work currently done by apparmor.service could be moved to another service, that starts earlier in the boot process.

> I've created a service to run after apparmor.service to restart all
> unconfined services having a profile. What do you think about this?
> Would you include this in the package?

This feels like a workaround and the potential for problematic side effects kind of scares me. I'd rather see us work towards a nicer solution for confining services that start before apparmor.service.

It's too late for Buster anyway so we have plenty of time to think about it and experiment with various ideas for Bullseye :)

Cheers,
--
intrigeri
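The AppArmorProfile= experiment suggested above, written out as a systemd drop-in for the journald unit. This is an added example, not from the thread or from the Debian apparmor package; the profile name `journald-hypothetical` stands in for whatever name Jörg's profile declares.

```ini
# /etc/systemd/system/systemd-journald.service.d/apparmor.conf
# Drop-in that asks systemd to switch journald into an AppArmor profile
# at exec time (systemd.exec(5), AppArmorProfile=).
#
# The profile must already be loaded in the kernel when journald is
# started; if it is not (e.g. because apparmor.service has not run yet),
# the unit fails to start. That failure mode is exactly what the thread
# expects to see and wants to diagnose.
[Service]
AppArmorProfile=journald-hypothetical

# Alternative for experimenting without risking an unbootable system:
# a leading "-" makes systemd ignore the error and start journald
# unconfined when the profile is missing. Check the result afterwards
# with "cat /proc/$(pidof systemd-journald)/attr/current", which prints
# "unconfined" or "journald-hypothetical (enforce)".
#
# AppArmorProfile=-journald-hypothetical
```

After creating the drop-in, run `systemctl daemon-reload` and reboot (or `systemctl restart systemd-journald`) to test the early-boot ordering the thread is concerned with.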