mirror of
https://gitlab.com/apparmor/apparmor.git
synced 2025-03-04 08:24:42 +01:00
3a9b0fd74a
The initial apparmor.service assumed the profile cache is in /var/lib/apparmor/ which was an openSUSE-specific path that was chosen for historical reasons, but was far from perfect. In the meantime, the profile cache moved to /var/cache/apparmor/ and the read-only/packaged version was added in /usr/share/apparmor/cache/ This commit adjusts apparmor.service to use these paths.
26 lines
880 B
Desktop File
26 lines
880 B
Desktop File
[Unit]
|
|
Description=Load AppArmor profiles
|
|
DefaultDependencies=no
|
|
Before=sysinit.target
|
|
After=systemd-journald-audit.socket
|
|
# profile cache: /var/cache/apparmor/ and /usr/share/apparmor/cache/
|
|
After=var.mount var-cache.mount usr.mount usr-share.mount
|
|
ConditionSecurity=apparmor
|
|
|
|
[Service]
|
|
Type=oneshot
|
|
ExecStart=/lib/apparmor/apparmor.systemd reload
|
|
ExecReload=/lib/apparmor/apparmor.systemd reload
|
|
|
|
# systemd maps 'restart' to 'stop; start' which means removing AppArmor confinement
|
|
# from running processes (and not being able to re-apply it later).
|
|
# Upstream systemd developers refused to implement an option that allows overriding
|
|
# this behaviour, therefore we have to make ExecStop a no-op to error out on the
|
|
# safe side.
|
|
#
|
|
# If you really want to unload all AppArmor profiles, run aa-teardown
|
|
ExecStop=/bin/true
|
|
RemainAfterExit=yes
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|