On Wed, Jan 03, Christian Boltz wrote:
> For now, I can offer two workarounds:
> - rcapparmor reload while /var/lib/apparmor is writeable to build or
>   update the cache (which also means no more write attempts on boot until
>   you install a new kernel)
> - or -
> - disable the "write-cache" option in /etc/apparmor/parser.conf - but let
>   me warn you that this slows down profile loading 5 to 10 times, so this
>   is nothing I want to do for the "normal" distribution.
>   (If there is a build condition to match only Kubic, I'm willing to
>   accept that in the AppArmor package as a hotfix. Technically we just
>   have to disable a patch ;-)

As I wrote in one of the bug reports: since apparmor should load the profiles very early in the boot process, it should do the very early load without the "write-cache" option and create the cache later in the running system.

This avoids that the profiles are loaded too late and there are unprotected services running, and the performance problem should be the same. At least I don't see why creating the cache and loading the rules is faster than loading the rules without creating the cache. If this is really the case, we should move the cache to /run/ ....

  Thorsten

--
Thorsten Kukuk, Distinguished Engineer, Senior Architect SLES & CaaSP
SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany
GF: Felix Imendoerffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nuernberg)
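
A check for the situation discussed in this thread, as an added example that is not part of the original mail or of the AppArmor package: it reports whether the "write-cache" option is active and whether the cache directory can actually be written. The function names and the assumed parser.conf syntax (one option per line, `#` starts a comment) are illustrative; pass the real paths, such as /etc/apparmor/parser.conf and the cache location, as arguments.

```shell
#!/bin/sh
# Added example: classify how the AppArmor cache setup discussed above will
# behave at profile-load time. Paths are arguments; nothing is hard-coded.

# True if the given parser.conf has an active (uncommented) "write-cache" line.
# Assumption: one option per line, "#" starts a comment.
write_cache_enabled() {
    [ -r "$1" ] || return 1
    grep -Eq '^[[:space:]]*write-cache[[:space:]]*(#.*)?$' "$1"
}

# Prints one of:
#   cache-disabled    write-cache is not active, the parser writes no cache
#   cache-writable    write-cache is active and the directory can be written
#   cache-unwritable  write-cache is active but the directory is missing or
#                     read-only, so the cache cannot be built or updated
cache_state() {
    conf=$1
    dir=$2
    if ! write_cache_enabled "$conf"; then
        echo cache-disabled
    elif [ -d "$dir" ] && [ -w "$dir" ]; then
        echo cache-writable
    else
        echo cache-unwritable
    fi
}

# Constructed sample input so the script runs offline.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir "$demo/cache"
printf '# constructed sample\nwrite-cache\n'  > "$demo/on.conf"
printf '# constructed sample\n#write-cache\n' > "$demo/off.conf"

echo "on.conf,  writable dir: $(cache_state "$demo/on.conf"  "$demo/cache")"
echo "on.conf,  missing dir:  $(cache_state "$demo/on.conf"  "$demo/absent")"
echo "off.conf, writable dir: $(cache_state "$demo/off.conf" "$demo/cache")"
```

A result of `cache-unwritable` at boot corresponds to the first workaround's precondition not being met: the reload has to happen while the cache location is writeable.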