V10lator (Apprentice) - Joined: 11 Jul 2004, Posts: 207
Posted: Mon Nov 27, 2017 3:20 am - Post subject: systemd + apparmor
I'm experimenting with apparmor. As a first step I enabled it in the kernel and emerged sys-apps/apparmor, sys-apps/apparmor-utils and sec-policy/apparmor-profiles. Then I unmasked the apparmor USE flag and re-emerged systemd (the wiki is talking about OpenRC only: https://wiki.gentoo.org/wiki/AppArmor#Services ).
The result:
Code:
# aa-status
apparmor module is loaded.
0 profiles are loaded.
0 profiles are in enforce mode.
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
# systemctl status apparmor.service
Unit apparmor.service could not be found.

Am I missing something, or how do I enable apparmor / load the profiles with systemd?
eccerr0r (Watchman) - Joined: 01 Jul 2004, Posts: 9601, Location: almost Mile High in the USA
Posted: Mon Nov 27, 2017 5:25 am
Looks like a bug, no systemd service for apparmor is included in the ebuild...
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?
Marlo (Veteran) - Joined: 26 Jul 2003, Posts: 1591
Posted: Mon Nov 27, 2017 9:28 am - Post subject: Re: systemd + apparmor
V10lator wrote: ... load the profiles with systemd?

Yup. But Systemd and AppArmor are a contradiction in themselves. The attacker is systemd. That's why I'm currently switching from systemd back to openrc.
The ArchLinux systemd way: https://aur.archlinux.org/cgit/aur.git/tree/?h=apparmor
Or:

apparmor@.service:
Code:
[Unit]
Description=AppArmor profile: %i
DefaultDependencies=no
Before=apparmor.target

[Service]
Type=oneshot
ExecStart=/sbin/apparmor_parser -r /etc/apparmor.d/%i
ExecStop=/sbin/apparmor_parser -R /etc/apparmor.d/%i
RemainAfterExit=yes

[Install]
WantedBy=apparmor.target

apparmor.target:
Code:
[Unit]
Description=AppArmor target
DefaultDependencies=no
Before=sysinit.target

[Install]
WantedBy=sysinit.target
_________________
http://radio.garden/
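An added example, not code from this thread or from the Arch package: a small POSIX shell helper that goes with the apparmor@.service template posted above. Its assumptions are the standard layout of /etc/apparmor.d (profile files at the top level, with abstractions/, tunables/, local/, disable/ and cache/ as subdirectories) and the kernel's loaded-profile list at /sys/kernel/security/apparmor/profiles, one "name (mode)" entry per line, which is the data aa-status summarises. The first function prints the instance unit name the template's %i would take for every profile file, so the profiles can be enabled in one go; the second counts loaded profiles by mode, which reproduces the "0 profiles are in enforce mode" line from the first post and gives a quick way to check that the units actually loaded anything after boot.

```sh
#!/bin/sh
# Added example (not from the thread): helpers for the per-profile
# apparmor@.service template. list_profile_instances prints the unit
# instance name the template's %i would take for every profile file in a
# directory; count_profiles_in_mode tallies profiles by mode from the
# kernel's profile list (the data aa-status summarises).

# Print "apparmor@<name>.service" for each profile file in $1
# (default /etc/apparmor.d). Only regular files at the top level count:
# abstractions/, tunables/, local/, disable/ and cache/ are directories
# and are skipped, as are editor backups and package-manager leftovers.
# Profile file names contain no '/', so no systemd-escape step is
# needed before they become an instance name.
list_profile_instances() {
    dir="${1:-/etc/apparmor.d}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name="${f##*/}"
        case "$name" in
            *~|*.bak|*.orig|*.rej|*.dpkg-*) continue ;;
        esac
        printf 'apparmor@%s.service\n' "$name"
    done
}

# Read the kernel's list of loaded profiles. The real path is
# /sys/kernel/security/apparmor/profiles; $1 overrides it for testing.
# Prints nothing when AppArmor is not mounted or nothing is readable.
loaded_profiles() {
    f="${1:-/sys/kernel/security/apparmor/profiles}"
    if [ -r "$f" ]; then
        cat "$f"
    fi
}

# Count lines of a profile list (passed as $1) whose mode field is $2
# ("enforce" or "complain"). Each line has the form "name (mode)", so the
# last field is the parenthesised mode. Prints 0 when nothing matches,
# which is exactly the state the first post's aa-status output shows.
count_profiles_in_mode() {
    printf '%s\n' "$1" | awk -v m="($2)" '$NF == m { n++ } END { print n + 0 }'
}

# Usage, once sec-policy/apparmor-profiles is installed and the two unit
# files from the post are in place:
#   list_profile_instances | xargs systemctl enable --now
#   count_profiles_in_mode "$(loaded_profiles)" enforce
```

Enabling every profile file at once is the blunt version of what the Arch package does with a static list; the advantage of deriving the names from the directory is that a profile dropped into /etc/apparmor.d later is picked up by rerunning the first command rather than by editing a unit. Comparing the count from the second function against `ls /etc/apparmor.d | wc -l` after a reboot is the quickest way to spot a profile that failed to parse.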