Mailinglist Archive: opensuse-factory (437 mails)

[Cristian Rodríguez <crrodriguez@xxxxxxxxxxxx>]

On Fri, Apr 17, 2015 at 5:05 PM, Christian Boltz <opensuse@xxxxxxxxx> wrote:
> Hello,
>
> Am Freitag, 17. April 2015 schrieb Cristian Rodríguez:
> > Also needs
> > ConditionCapability=CAP_MAC_ADMIN as an extra condtion after
> > ConditionSecurity=apparmor
> > Otherwise apparmor is started in containers that lack permissions to
> > load the profiles..
>
> While I understand your goal, I'm not sure what is better:
>
> a) adding ConditionCapability which means systemd silently(?) ignores
>    apparmor.service if CAP_MAC_ADMIN is not available

No, it is not silently ignored, the service is clearly marked in the
status report as having a failed condition

systemctl status apparmor.service
● apparmor.service - AppArmor profiles
  Loaded: loaded (/etc/systemd/system/apparmor.service; enabled;
vendor preset: enabled)
  Active: inactive (dead)
Condition: start condition failed at Fri 2015-04-17 17:09:54 CLST; 22s ago
          ConditionCapability=CAP_MAC_ADMIN was not met

> b) don't do that and let apparmor.service fail

I disagree, the service is not failing.. the service *cannot work* in
the target environment.
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-factory+owner@xxxxxxxxxxxx