Hello,

On Friday, 17 April 2015, Cristian Rodríguez wrote:
Also needs ConditionCapability=CAP_MAC_ADMIN as an extra condition after ConditionSecurity=apparmor

Otherwise apparmor is started in containers that lack permissions to load the profiles..
While I understand your goal, I'm not sure what is better:

a) adding ConditionCapability which means systemd silently(?) ignores apparmor.service if CAP_MAC_ADMIN is not available
b) don't do that and let apparmor.service fail

I tend to b) because the admin might get a false sense of security with a) ("AppArmor is enabled, and systemctl --failed is empty, so everything works") - but if you have good arguments for a), I'll consider them ;-)

Regards,

Christian Boltz
--
CPU & registers: the person (with short-term memory)
I really must protest. When I wake up in the morning, I don't need to read through file folders first. I can remember just fine as it is. [> David Haller and Bernd Brodesser in suse-linux]
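Added example, not part of the original message or of the apparmor package: a monitoring check that tells the two outcomes discussed above apart, so a unit skipped under option a) is not read as "everything works" just because `systemctl --failed` is empty. The function names and the sample values are constructed for illustration; the property names are those printed by `systemctl show`, and the unit is assumed to stay `active` after a successful start.

```shell
#!/bin/sh
# Added example: classify apparmor.service from `systemctl show` properties.

# classify_unit: reads KEY=VALUE lines in `systemctl show` format on stdin
# and prints one of: failed, started, not-attempted, skipped-by-condition, unknown.
classify_unit() {
    active="" cond="" stamp=""
    while IFS='=' read -r key value; do
        case "$key" in
            ActiveState)                 active=$value ;;
            ConditionResult)             cond=$value ;;
            ConditionTimestampMonotonic) stamp=$value ;;
        esac
    done
    if [ "$active" = "failed" ]; then
        echo "failed"                 # option b): listed by `systemctl --failed`
    elif [ "$active" = "active" ] && [ "$cond" = "yes" ]; then
        echo "started"
    elif [ -z "$stamp" ] || [ "$stamp" = "0" ]; then
        echo "not-attempted"          # conditions were never evaluated
    elif [ "$cond" = "no" ]; then
        echo "skipped-by-condition"   # option a): inactive, but not "failed"
    else
        echo "unknown"
    fi
}

# Live check on a real host (assumes the unit name used in the thread).
check_apparmor() {
    systemctl show apparmor.service \
        -p ActiveState -p ConditionResult -p ConditionTimestampMonotonic |
        classify_unit
}

# Constructed sample: container without CAP_MAC_ADMIN under option a).
sample_skipped() {
    printf '%s\n' 'ActiveState=inactive' 'ConditionResult=no' \
        'ConditionTimestampMonotonic=1234567'
}

# Demo on the constructed sample; prints "skipped-by-condition".
sample_skipped | classify_unit
```

On a host where AppArmor is expected to be enforcing, any result from `check_apparmor` other than `started` is worth an alert.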