On Wed, 01 Nov 2017 08:04:37 +0100 intrig...@debian.org wrote:

> Hi,
>
> as reported on
> https://lists.alioth.debian.org/pipermail/pkg-apparmor-team/2017-October/001895.html
> Tor does not start when the AppArmor LSM is enabled (which is the
> default in Linux on current sid) but the apparmor package is not
> installed. This is by far the most common situation for testing/sid
> users at the moment, hence RC severity. Installing the apparmor
> package is enough to fix the problem.
>
> This happens because the system_tor profile is not loaded in the
> kernel yet.
>
> There's an ongoing discussion about "how to get the apparmor package
> installed everywhere relevant"; depending on the outcome of this
> discussion, we may get a fix for this bug for free, but I don't think
> we should block on this discussion for fixing the matter at hand.
>
> So I propose we do this:
>
> --- a/debian/systemd/tor@default.service
> +++ b/debian/systemd/tor@default.service
> @@ -20,7 +20,7 @@ Restart=on-failure
> LimitNOFILE=65536
>
> # Hardening
> -AppArmorProfile=system_tor
> +AppArmorProfile=-system_tor
> NoNewPrivileges=yes
> PrivateTmp=yes
> PrivateDevices=yes
>
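Review bot: with the "-" prefix the unit starts without the profile whenever switching to system_tor fails, not only in the apparmor-not-installed case described above, so any future profile load failure also leaves tor running unconfined and the loss of hardening is easy to miss; add a comment explaining the prefix right after `# Hardening`, e.g. `# "-": tolerate a missing system_tor profile (tor then runs unconfined)`, and note in the changelog that users who rely on the confinement should install apparmor and check that the profile is loaded.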
> This should avoid breaking the startup of the unit in case of such
> problems with the AppArmor profile. Weasel, what do you think?

My 2¢ here. Why is AppArmorProfile even needed here? Shouldn't apparmor figure out itself that it needs to migrate to the system_tor domain(?)?
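As an added example (not from the thread or the tor package), a POSIX shell check an administrator can run after the "-system_tor" change to see whether tor is actually confined or has quietly started unconfined; it assumes the standard AppArmor kernel interfaces under /sys and /proc and the tor@default unit name from the patch.

```shell
#!/bin/sh
# Added example (not from the thread or the tor package): report whether tor is
# really confined by system_tor, since "-system_tor" lets the unit start without
# the profile when it is not loaded in the kernel (the apparmor-not-installed case).
#
# Assumed kernel interfaces (run as root):
#   /sys/module/apparmor/parameters/enabled   "Y" when the AppArmor LSM is active
#   /sys/kernel/security/apparmor/profiles    one "name (mode)" line per loaded profile
#   /proc/<pid>/attr/current                  "system_tor (enforce)" or "unconfined"
# The helpers take file contents as arguments so they also run on constructed input.

PROFILE=system_tor

# profile_loaded LISTING NAME -> exit 0 if NAME is among the loaded profiles
profile_loaded() {
    printf '%s\n' "$1" | grep -q "^$2 ("
}

# confinement_label ATTR -> profile a process runs under, or "unconfined"
confinement_label() {
    case $1 in
        unconfined*) printf 'unconfined\n' ;;
        *)           printf '%s\n' "${1%% (*}" ;;
    esac
}

# classify ENABLED(0/1) LISTING ATTR -> one word; exit 0 only when confined
classify() {
    if [ "$1" != 1 ]; then
        printf 'lsm-disabled\n'; return 1
    fi
    if [ "$(confinement_label "$3")" = "$PROFILE" ]; then
        printf 'confined\n'; return 0
    fi
    if profile_loaded "$2" "$PROFILE"; then
        printf 'unconfined-profile-loaded\n'   # profile present, unit not restarted under it
    else
        printf 'unconfined-profile-missing\n'  # the bug report: LSM on, apparmor package absent
    fi
    return 1
}

# live_check -> classify the running tor@default service on this host
live_check() {
    [ "$(cat /sys/module/apparmor/parameters/enabled 2>/dev/null)" = Y ] && on=1 || on=0
    pid=$(systemctl show -p MainPID --value tor@default 2>/dev/null)
    classify "$on" "$(cat /sys/kernel/security/apparmor/profiles 2>/dev/null)" \
             "$(cat "/proc/${pid:-0}/attr/current" 2>/dev/null)"
}
```

Run `live_check` on the host; anything other than `confined` means the hardening line is not in effect for the running tor process.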
