Hello,
On Saturday, 17 December 2011, Cristian Rodríguez wrote:
> On 18/12/11 13:53, Christian Boltz wrote:
>> Now tell me how to do this in a *.service file without using a script (extremely simplified version of loading the AppArmor profiles):
>>
>>     ls -1 /etc/apparmor.d/ | grep -Ev 'rpmnew$|rpmold$' | \
>>     while read profile ; do
>>         apparmor_parser "/etc/apparmor.d/$profile"
>>     done
>
> I guess apparmor_parser can by itself exclude backup files and provide recursion no ?
AFAIK it can't - the current initscript loads one profile after the other. It might sound like a disadvantage, but OTOH it allows selectively loading or reloading a single profile manually.
To name another example: check the current (quite verbose) output of "rcapparmor status". How can this (running the "aa-status" command) be done with systemd when someone checks the status? I know about ExecStart, ExecReload and ExecStop, but I don't see anything like ExecStatus in systemd.service(5).
You probably know that there is nothing like a permanently running AppArmor process, so looking up the status somewhere in the process table ("is the started process still running?") is impossible. I also don't like the idea of relying on "we loaded the profiles, so they must still be there" because someone could have unloaded them manually.
Back to my question - how can this be handled in a *.service file?
>> Yes, but OTOH the old initscripts are plain shell code and therefore grep-able and somehow self-documenting.
>
> no, they are not.

We could make that a shouting match - "yes, they are!" [1] - but let's get back to the more constructive part of the discussion ;-)
Regards,
Christian Boltz
[1] I listed several arguments in my previous mail, no need to repeat them here ;-)