On 20.12.2011 20:21, Christian Boltz wrote:
> Hello,
>
> On Tuesday, 20 December 2011, Frederic Crozat wrote:
>> On Tuesday, 20 December 2011 at 16:05 +0100, Christian Boltz wrote:
>>> The initscript calls "aa-status", prints its output and returns the status/errorcode based on $? of aa-status. How can I do this (execute a command when checking the status) with systemd to get at least the errorcode?
>>
>> You can't, through systemd. The service status will be based either on whether it is running (for a RemainAfterExit=false type) or on whether it ran, based on its error code (for a RemainAfterExit=true type).
>
> In other words: when I ask for the status it says "well, I started it, so it must still be active" - right?
>
> I'm sorry, but just _assuming_ the status instead of _checking_ it sounds like a bad idea[tm]. It's even worse because we are talking about security-relevant services (AppArmor, SuSEfirewall) here - I'd prefer to get the real status instead of a "well, I started it..." ;-)
A sure-fire way to get any issue fixed with non-cooperating maintainers is to write a security advisory about it and post it to full-disclosure or some other security mailing list with a large audience. While that alone will not necessarily get stuff fixed, I'm sure it will get fixed once Oracle/whatever salespeople add it to their list of "unfixed problems present in other Linux distributions" and customers start asking questions. (*) In this case, systemd would be the thing to blame and the advisory should be worded accordingly.
Regards, Carl-Daniel
(*) Note that writing security advisories for bugs is considered to be the Hiroshima way of forcing a bugfix: messy, and a means of last resort.