Mailinglist Archive: opensuse-factory (745 mails)

Re: AppArmor changes (was: [opensuse-factory] New Tumbleweed snapshot 20180101 released!)
On Wed, Jan 03, Christian Boltz wrote:

> For now, I can offer two workarounds:
> - rcapparmor reload while /var/lib/apparmor is writeable to build or
>   update the cache (which also means no more write attempts on boot until
>   you install a new kernel) - or -
> - disable the "write-cache" option in /etc/apparmor/parser.conf - but
>   let me warn you that this slows down profile loading 5 to 10 times,
>   so this is nothing I want to do for the "normal" distribution.
>   (If there is a build condition to match only Kubic, I'm willing to
>   accept that in the AppArmor package as a hotfix. Technically we just
>   have to disable a patch ;-)

As I wrote in one of the bug reports: since apparmor should load the
profiles very early in the boot process, it should do the very early
load without the "write-cache" option and create the cache later in the
running system. This avoids that the profiles are loaded too late and
there are unprotected services running, and the performance problem
should be the same. At least I don't see why creating the cache and
loading the rules is faster than loading the rules without creating
the cache. If this is really the case, we should move the cache to
/run/ ....


Thorsten Kukuk, Distinguished Engineer, Senior Architect SLES & CaaSP
SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany
GF: Felix Imendoerffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nuernberg)
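
Added example, not part of the original mail or of the AppArmor package: a POSIX shell check that reports whether profile loading would attempt a cache write and whether that write can succeed, which is the condition both workarounds above address. The function names and the cache directory argument are assumptions; the "write-cache" option and /etc/apparmor/parser.conf come from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): diagnose the AppArmor cache-write
# situation on a system where the cache location may be read-only.

# write_cache_enabled CONF
# Exit 0 if CONF contains an uncommented "write-cache" line.
write_cache_enabled() {
    # Strip comments and surrounding whitespace, then match the whole line.
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" 2>/dev/null \
        | grep -qx 'write-cache'
}

# cache_state CONF CACHE_DIR
# Prints one of:
#   disabled         write-cache is off, no write attempt at load time
#   ok               write-cache is on and CACHE_DIR is writable
#   write-will-fail  write-cache is on but CACHE_DIR is missing or not
#                    writable (for example on a read-only filesystem)
cache_state() {
    conf=$1
    dir=$2
    if ! write_cache_enabled "$conf"; then
        echo disabled
        return 0
    fi
    if [ -d "$dir" ] && [ -w "$dir" ]; then
        echo ok
    else
        echo write-will-fail
    fi
}

# Stand-alone use (the directory argument is whatever location the
# parser uses for its cache on the system being checked):
#   sh check.sh /etc/apparmor/parser.conf /var/lib/apparmor
if [ "$#" -eq 2 ]; then
    cache_state "$1" "$2"
fi
```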