Mailinglist Archive: opensuse-factory (437 mails)

Re: [opensuse-factory] Apparmor fails to start on boot in Tumbleweed
On Fri, Apr 17, 2015 at 5:05 PM, Christian Boltz <opensuse@xxxxxxxxx> wrote:
> Hello,
>
> On Friday, 17 April 2015, Cristian Rodríguez wrote:
>> Also needs
>> ConditionCapability=CAP_MAC_ADMIN as an extra condition after
>> ConditionSecurity=apparmor
>> Otherwise apparmor is started in containers that lack permissions to
>> load the profiles..
>
> While I understand your goal, I'm not sure what is better:
>
> a) adding ConditionCapability which means systemd silently(?) ignores
> apparmor.service if CAP_MAC_ADMIN is not available

No, it is not silently ignored, the service is clearly marked in the
status report as having a failed condition

systemctl status apparmor.service
● apparmor.service - AppArmor profiles
   Loaded: loaded (/etc/systemd/system/apparmor.service; enabled; vendor preset: enabled)
   Active: inactive (dead)
Condition: start condition failed at Fri 2015-04-17 17:09:54 CLST; 22s ago
           ConditionCapability=CAP_MAC_ADMIN was not met

> b) don't do that and let apparmor.service fail

I disagree, the service is not failing.. the service *cannot work* in
the target environment.
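
Added example, not part of the original mail or of the apparmor package: systemd's ConditionCapability= tests the capability bounding set of the service manager, so when the condition is reported as "not met" the CapBnd mask of PID 1 shows why. The helper names and the two sample masks are constructed for illustration.

```shell
#!/bin/sh
# Decode a capability bounding set to see whether
# ConditionCapability=CAP_MAC_ADMIN can be met in this environment.

CAP_MAC_ADMIN=33   # capability number from <linux/capability.h>

# capbnd_of FILE: print the hex CapBnd mask from a /proc/<pid>/status file.
capbnd_of() {
    awk '$1 == "CapBnd:" { print $2; exit }' "$1"
}

# mask_has_cap HEXMASK CAPNUM: succeed if bit CAPNUM is set in HEXMASK.
mask_has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# check_status FILE: report whether CAP_MAC_ADMIN is in the bounding set.
# Returns 0 if present, 1 if missing, 2 if the file has no CapBnd line.
check_status() {
    mask=$(capbnd_of "$1")
    if [ -z "$mask" ]; then
        echo "no CapBnd line in $1" >&2
        return 2
    fi
    if mask_has_cap "$mask" "$CAP_MAC_ADMIN"; then
        echo "CapBnd=$mask: CAP_MAC_ADMIN present, condition can be met"
    else
        echo "CapBnd=$mask: CAP_MAC_ADMIN missing, condition will not be met"
        return 1
    fi
}

# Constructed sample masks (not taken from the thread):
HOST_MASK=0000003fffffffff        # full bounding set, bit 33 set
CONTAINER_MASK=00000000a80425fb   # restricted container, bit 33 clear

# Usage on a live system: sh thisscript /proc/1/status
if [ -r "${1:-}" ]; then
    check_status "$1" || true
fi
```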