Mailinglist Archive: opensuse-factory (437 mails)

Re: [opensuse-factory] Apparmor fails to start on boot in Tumbleweed

On Tuesday, 31 March 2015, Cristian Rodríguez wrote:
I am currently working on a fix for apparmor and on removing the few
remaining early boot sysvinit scripts..(this one is the only important

After some delays (sorry!), I just requested your SR to
security:apparmor an hour ago and added suse_version conditionals so
that it only applies to Factory.

Unfortunately, I found a problem when testing the packages: is back :-(

It seems the mapping of restart and try-restart to stop/start instead of
passing it through to the initscript also applies to native *.service

In other words: updating the apparmor-parser package removes the
AppArmor protection from running processes :-(

How can I fix this?
- I'd love to simply add
ExecRestart=/etc/apparmor.d/boot.apparmor reload
but systemd tells me this option is unknown (would have been too easy)
- I could replace the problematic %service_del_postun (which contains a
"systemctl try-restart", which maps to stop/start) with a fixed
version, even if I'm not too keen to carry another copy of a broken
rpm macro
- BTW: why doesn't %post contain a systemctl command to restart
the service?
- even when the macros are fixed, this still doesn't fix manual calls of
systemctl restart apparmor.service - that still removes AppArmor
protection from running processes :-(

Do you have an idea how I can solve this problem?

I'm afraid I can't submit the package to Factory in the current state
because it would remove AppArmor protection from running programs (until
restarting them or rebooting), so any ideas how I can fix the above
problems (ideally without adding another workaround in the package) are
more than welcome!

fixing the systemd bug is on the shoulders of people that want
this SUSE specific hack to live on and I will not waste my time with
it ever again.

Replacing it with core systemd bugs doesn't make it better :-(


Christian Boltz
SLES acts up in just the same way, but because of the higher price you
can at least get hold of one of the poor support folks and be told:
"But ZEN offers many advantages beyond that.". Grrrr.
[Bernd Glueckert in suse-linux]
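
Added example, not part of the original mail or of the apparmor package: a shell check for the failure described above, comparing each process's AppArmor label before and after a package update or `systemctl restart apparmor.service` to list processes that silently became unconfined. The function names are hypothetical; the only interface assumed is the kernel's `/proc/<pid>/attr/current` file, which holds either `profile (mode)` or `unconfined`.

```shell
#!/bin/sh
# Added example: detect processes that lost AppArmor confinement.
# Function names are illustrative, not part of any AppArmor tool.

# Print "PID<TAB>LABEL" for every process under the given proc root
# (default /proc). LABEL is the content of attr/current, for example
# "/usr/sbin/nscd (enforce)" or "unconfined".
snapshot_labels() {
    procroot="${1:-/proc}"
    for d in "$procroot"/[0-9]*; do
        # Processes can exit while we iterate; skip unreadable entries.
        [ -r "$d/attr/current" ] || continue
        label=$(cat "$d/attr/current" 2>/dev/null) || continue
        if [ -n "$label" ]; then
            printf '%s\t%s\n' "${d##*/}" "$label"
        fi
    done
    return 0
}

# Compare two snapshots. Print "PID<TAB>OLD_LABEL" for every PID that had
# a profile in the first snapshot and is "unconfined" in the second.
# Take both snapshots close together: a reused PID would be misreported.
lost_confinement() {
    awk -F'\t' '
        NR == FNR { if ($2 != "unconfined") before[$1] = $2; next }
        ($1 in before) && $2 == "unconfined" { print $1 "\t" before[$1] }
    ' "$1" "$2"
}

# Typical use (as root, so that all attr/current files are readable):
#   snapshot_labels > /tmp/aa.before
#   ... update the package or restart the service ...
#   snapshot_labels > /tmp/aa.after
#   lost_confinement /tmp/aa.before /tmp/aa.after
```

An empty result means every process that was confined before still carries a profile; any line printed is a long-running process that needs a restart to regain confinement.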
