On 28/12/11 20:54, Christian Boltz wrote:
> On Wednesday, 28 December 2011, Cristian Rodríguez wrote:
> > On 28/12/11 16:01, Per Jessen wrote:
> > > Cristian Rodríguez wrote:
> > > > Try the following, create a program that is able to figure out what
> > > > exactly init scripts do,
> > > It already exists and is called /bin/bash -x
> > > (I know that this probably isn't the answer you wanted to hear ;-)
> > Of course I'm not talking about that.
> Auditing (temp)file usage is easy. That's something aa-genprof (and in
> general, AppArmor in learning mode) can do easily.

Will it catch all sorts of bugs? Like writing directly to /tmp without
using mktemp, or using sed with output to /tmp/namedfile?

> > That method works for starting daemons, and I agree that they should
> > provide proper exit status codes.
> OTOH, I already explained some days ago that in some cases (like
> AppArmor) ExecStatus would really make sense because there is no
> daemon/process you can check.

I still don't get it. What do you want to do that cannot be done
already with ExecStart? Did you read the documentation?

> To come back to systemd and AppArmor:
> Yes, I can of course start a watchdog daemon in ExecStart that (after
> loading the profiles) runs aa-status every 10 seconds and errors out if
> something goes wrong. And I really would check every 10 seconds so that
> everybody running "systemctl status" gets an (at least nearly) up-to-
> Or I could use the ExecStatus "hook" in the service file, which could
> then run aa-status when someone runs "systemctl status".
> Now please tell me which way is smarter ;-)

Let me get this straight.

- AppArmor is security software, which people depend on to secure their
systems, but does not provide any meaningful way to know it is loaded?
I expect something like this, especially if we are talking about security!!

- AppArmor parses its rules; if there is an ERROR according to their own
concept of error, it aborts loading and returns a failure exit code.

- If there is an error that happens after parsing (loading), again
according to its own rules, the transaction is rolled back in an all-or-
nothing fashion and returns a failure exit code, no half loading, no

Whatever else is a recipe for disaster... What am I missing here? Is it
just my idea, or is AppArmor's concept of starting totally brain dead?
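The loading behaviour asked for above (parse everything first, abort with a non-zero exit status, unload again if a load fails part-way) written as a shell wrapper that an ExecStart= line could call. This is an added example, not code from the thread or from the AppArmor project; it assumes apparmor_parser's -Q (skip kernel load), -r (replace) and -R (remove) options, and the AA_PARSER override is a hypothetical knob added only so the logic can be exercised with a stand-in.

```shell
#!/bin/sh
# Constructed example: an all-or-nothing AppArmor profile loader that returns a
# meaningful exit status, as an ExecStart= command would need to. The parser
# command is taken from AA_PARSER (default apparmor_parser) so the logic can be
# exercised with a stand-in; the flags assumed are -Q (parse only, skip kernel
# load), -r (replace/load) and -R (remove).
set -u
AA_PARSER="${AA_PARSER:-apparmor_parser}"

# Phase 1: parse every profile without touching the kernel. Any parse error
# aborts before anything is loaded, so a broken profile cannot leave the
# system half-confined. Exit status 1 = parse failure.
validate_profiles() {
    dir=$1
    status=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if ! "$AA_PARSER" -Q "$f"; then
            echo "parse error in $f" >&2
            status=1
        fi
    done
    return "$status"
}

# Phase 2: load only after phase 1 passed. If a load fails part-way, unload
# what this run already loaded (best effort: a profile that replaced an older
# version is removed, not restored) and return 2, so systemd marks the unit
# failed rather than active.
load_profiles() {
    dir=$1
    validate_profiles "$dir" || return 1
    set --                    # positional parameters track this run's loads
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if ! "$AA_PARSER" -r "$f"; then
            echo "load failed for $f; unloading this run's profiles" >&2
            for l in "$@"; do "$AA_PARSER" -R "$l" || true; done
            return 2
        fi
        set -- "$@" "$f"
    done
    return 0
}

# Stand-alone usage, e.g. ExecStart=/path/to/this-script /etc/apparmor.d
if [ $# -eq 1 ]; then
    load_profiles "$1"
fi
```

This only makes the load step itself fail loudly; checking the confinement state afterwards is still a job for aa-status.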
To unsubscribe, e-mail: opensuse-factory+unsubscribe(a)opensuse.org
To contact the owner, e-mail: opensuse-factory+owner(a)opensuse.org