Gentoo Forums
systemd + apparmor
V10lator
Apprentice
Joined: 11 Jul 2004
Posts: 207

Posted: Mon Nov 27, 2017 3:20 am    Post subject: systemd + apparmor

I'm experimenting with apparmor. As a first step I enabled it in the kernel and emerged sys-apps/apparmor, sys-apps/apparmor-utils and sec-policy/apparmor-profiles. Then I unmasked the apparmor USE flag and re-emerged systemd (the wiki is talking about OpenRC only: https://wiki.gentoo.org/wiki/AppArmor#Services ).

The result:
Code:
# aa-status
apparmor module is loaded.
0 profiles are loaded.
0 profiles are in enforce mode.
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
# systemctl status apparmor.service
Unit apparmor.service could not be found.


Am I missing something, or how do I enable apparmor / load the profiles with systemd?
eccerr0r
Watchman
Joined: 01 Jul 2004
Posts: 9601
Location: almost Mile High in the USA

Posted: Mon Nov 27, 2017 5:25 am    Post subject:

Looks like a bug, no systemd service for apparmor is included in the ebuild...
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?
V10lator
Apprentice
Joined: 11 Jul 2004
Posts: 207

Posted: Mon Nov 27, 2017 9:06 am    Post subject:

Thanks, looks like there's even a bug report already: https://bugs.gentoo.org/555388
Marlo
Veteran
Joined: 26 Jul 2003
Posts: 1591

Posted: Mon Nov 27, 2017 9:28 am    Post subject: Re: systemd + apparmor

V10lator wrote:
... load the profiles with systemd?

Yup. But systemd and AppArmor are a contradiction in themselves. The attacker is systemd. That's why I'm currently switching from systemd back to openrc.
The ArchLinux systemd way: https://aur.archlinux.org/cgit/aur.git/tree/?h=apparmor

Or:
apparmor@.service:
Code:
[Unit]
Description=AppArmor profile: %i
DefaultDependencies=no
Before=apparmor.target

[Service]
Type=oneshot
ExecStart=/sbin/apparmor_parser -r /etc/apparmor.d/%i
ExecStop=/sbin/apparmor_parser -R /etc/apparmor.d/%i
RemainAfterExit=yes

[Install]
WantedBy=apparmor.target


apparmor.target:
Code:
[Unit]
Description=AppArmor target
DefaultDependencies=no
Before=sysinit.target

[Install]
WantedBy=sysinit.target

_________________
------------------------------------------------------------------
http://radio.garden/
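The per-profile template unit shown above, together with the aa-status check from the first post, as an added shell example that is neither from this thread nor from the Gentoo ebuild: it lists the apparmor@ instance units one would enable for the profile files in a directory, and reads an aa-status report to confirm that profiles are actually being enforced. The directory layout (one profile per regular file at the top level of /etc/apparmor.d, includes kept in subdirectories) is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the usual /etc/apparmor.d layout:
# one profile per regular file at the top level, with includes kept in
# subdirectories (abstractions/, tunables/, local/, disable/), which are skipped.

# Print one apparmor@<profile>.service instance name per profile file, as the
# template unit from the post expects (%i becomes the file name). Editor
# backups and package leftovers are skipped so a stale copy is not loaded.
apparmor_instance_units() {
    dir="${1:-/etc/apparmor.d}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$f" in *~|*.bak|*.dpkg-*|*.orig) continue ;; esac
        printf 'apparmor@%s.service\n' "$(basename "$f")"
    done
}

# Read aa-status output on stdin and return 0 only when at least one profile
# is in enforce mode. The "0 profiles are loaded" state from the first post
# fails this check: a loaded module with no profiles confines nothing.
aa_status_enforced() {
    n=$(sed -n 's/^\([0-9][0-9]*\) profiles are in enforce mode\.$/\1/p')
    [ "${n:-0}" -gt 0 ]
}

# Typical use on a live system (root needed for systemctl and aa-status):
#   apparmor_instance_units | xargs systemctl enable --now
#   aa-status | aa_status_enforced && echo "AppArmor is enforcing profiles"
```

Profile file names in /etc/apparmor.d contain no slashes, so they can be used as unit instance names directly; anything else would need systemd-escape first.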