Mailinglist Archive: opensuse-factory (437 mails)

Re: [opensuse-factory] Apparmor fails to start on boot in Tumbleweed
Hello,

On Friday, 17 April 2015, Cristian Rodríguez wrote:
> Also needs
> ConditionCapability=CAP_MAC_ADMIN as an extra condition after
> ConditionSecurity=apparmor
> Otherwise apparmor is started in containers that lack permissions to
> load the profiles..

While I understand your goal, I'm not sure what is better:

a) adding ConditionCapability which means systemd silently(?) ignores
apparmor.service if CAP_MAC_ADMIN is not available

b) don't do that and let apparmor.service fail

I tend to b) because the admin might get a false sense of security with
a) ("AppArmor is enabled, and systemctl --failed is empty, so everything
works") - but if you have good arguments for a), I'll consider them ;-)


Regards,

Christian Boltz
--
CPU & registers: the person (with short-term memory)
I beg your pardon. When I wake up in the morning, I don't first need
to read through file folders. I can remember just fine as it is.
[> David Haller and Bernd Brodesser in suse-linux]
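
Added example, not part of the original mail or of the apparmor package: a check that does not rely on `systemctl --failed`, addressing the "false sense of security" concern raised for option a). It tests the same thing ConditionCapability=CAP_MAC_ADMIN does (bit 33 in PID 1's capability bounding set) and whether any profiles are actually loaded; the function names and status words are hypothetical, and the sample masks in the comments are constructed.

```shell
#!/bin/bash
# Added example: distinguishes "AppArmor skipped or failed" from
# "AppArmor profiles loaded" without trusting the unit state alone.

CAP_MAC_ADMIN_BIT=33   # CAP_MAC_ADMIN in linux/capability.h

# has_cap_mac_admin HEXMASK -> exit 0 if bit 33 is set in the mask.
# HEXMASK is a CapBnd value as shown in /proc/<pid>/status,
# e.g. 0000003fffffffff (constructed: full set) or
#      00000000a80425fb (constructed: reduced container set).
has_cap_mac_admin() {
    [ $(( (0x$1 >> CAP_MAC_ADMIN_BIT) & 1 )) -eq 1 ]
}

# verdict CAPBND_HEX LSM_ENABLED(Y/N) PROFILE_COUNT -> one status word
verdict() {
    local capbnd=$1 enabled=$2 profiles=$3
    if [ "$enabled" != "Y" ]; then
        echo "not-enabled"              # ConditionSecurity=apparmor is false
    elif [ "$profiles" -gt 0 ]; then
        echo "profiles-loaded"
    elif has_cap_mac_admin "$capbnd"; then
        echo "unprotected-load-failed"  # capability present, nothing loaded
    else
        # With option a) the unit is skipped and `systemctl --failed`
        # stays empty; with option b) the unit shows up as failed.
        echo "unprotected-no-cap"
    fi
}

# check_live: read the real values on the running system.
check_live() {
    local capbnd enabled=N profiles=0
    capbnd=$(awk '/^CapBnd:/ {print $2}' /proc/1/status)
    if [ -r /sys/module/apparmor/parameters/enabled ]; then
        enabled=$(cat /sys/module/apparmor/parameters/enabled)
    fi
    if [ -r /sys/kernel/security/apparmor/profiles ]; then
        profiles=$(wc -l < /sys/kernel/security/apparmor/profiles)
    fi
    verdict "$capbnd" "$enabled" "$profiles"
}

# Run against the live system only when asked to.
if [ "${1:-}" = "--live" ]; then
    check_live
fi
```

Run it as root with `--live` inside the container or host in question; reading the loaded-profile list normally requires root.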
