
On Fri, Apr 17, 2015 at 5:05 PM, Christian Boltz <opensuse@cboltz.de> wrote:
> Hello,
>
> On Friday, 17 April 2015, Cristian Rodríguez wrote:
> > Also needs ConditionCapability=CAP_MAC_ADMIN as an extra condition after ConditionSecurity=apparmor. Otherwise apparmor is started in containers that lack permissions to load the profiles..
>
> While I understand your goal, I'm not sure what is better:
> a) adding ConditionCapability which means systemd silently(?) ignores apparmor.service if CAP_MAC_ADMIN is not available
No, it is not silently ignored, the service is clearly marked in the status report as having a failed condition:

systemctl status apparmor.service
● apparmor.service - AppArmor profiles
   Loaded: loaded (/etc/systemd/system/apparmor.service; enabled; vendor preset: enabled)
   Active: inactive (dead)
Condition: start condition failed at Fri 2015-04-17 17:09:54 CLST; 22s ago
           ConditionCapability=CAP_MAC_ADMIN was not met
> b) don't do that and let apparmor.service fail
I disagree, the service is not failing.. the service *cannot work* in the target environment.
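The following is an added example and is not part of the thread or of the openSUSE apparmor.service unit. It re-creates, in plain sh, the two start conditions under discussion (ConditionSecurity=apparmor and ConditionCapability=CAP_MAC_ADMIN) so that an administrator inside a container can see which condition systemd would report as not met. The capability number 33 for CAP_MAC_ADMIN comes from the kernel's capability numbering; the check of /sys/module/apparmor/parameters/enabled for "Y" is this example's approximation of systemd's ConditionSecurity=apparmor test; the sample CapBnd masks in the test are constructed values, not taken from the thread.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread: evaluate by hand the
# two start conditions discussed for apparmor.service,
#
#   [Unit]
#   ConditionSecurity=apparmor
#   ConditionCapability=CAP_MAC_ADMIN
#
# so it is visible from inside a container why systemd reports
# "ConditionCapability=CAP_MAC_ADMIN was not met" rather than a failed unit.

CAP_MAC_ADMIN=33   # capability number, as defined in <linux/capability.h>

# cap_in_mask MASK_HEX CAPNUM
# True (exit 0) when bit CAPNUM is set in MASK_HEX, the hex value printed
# after CapBnd:/CapEff: in /proc/<pid>/status.
cap_in_mask() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# bounding_mask_from STATUS_FILE
# Prints the CapBnd mask found in a /proc/<pid>/status-style file; the
# bounding set is what ConditionCapability= looks at.
bounding_mask_from() {
    sed -n 's/^CapBnd:[[:space:]]*//p' "$1"
}

# apparmor_enabled_in ENABLED_FILE
# Approximates ConditionSecurity=apparmor: true when the file holds "Y".
# On a real system the file is /sys/module/apparmor/parameters/enabled;
# a missing file counts as AppArmor not available.
apparmor_enabled_in() {
    [ -r "$1" ] && [ "$(cat "$1")" = "Y" ]
}

# start_verdict STATUS_FILE ENABLED_FILE
# Prints "start" when both conditions hold, otherwise the first condition,
# in unit-file order, that systemd would report as not met.
start_verdict() {
    if ! apparmor_enabled_in "$2"; then
        echo "ConditionSecurity=apparmor was not met"
    elif ! cap_in_mask "$(bounding_mask_from "$1")" "$CAP_MAC_ADMIN"; then
        echo "ConditionCapability=CAP_MAC_ADMIN was not met"
    else
        echo "start"
    fi
}

# Evaluate the conditions for the process we are running in (Linux only).
if [ -r /proc/self/status ]; then
    start_verdict /proc/self/status /sys/module/apparmor/parameters/enabled
fi
```

Run it inside a container and on the host: a host with AppArmor loaded and a full bounding set prints "start", while a container whose bounding set drops CAP_MAC_ADMIN prints the same "ConditionCapability=CAP_MAC_ADMIN was not met" line that appears in the systemctl status output above, which is a skipped unit, not a failed one.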