From c4068b6eee6d5ef1948655dc939b8d60e5916da9 Mon Sep 17 00:00:00 2001 From: Christian Boltz Date: Fri, 19 Nov 2021 20:43:19 +0100 Subject: [PATCH] document intentionally broken ExecStop in upstream apparmor.service --- AppArmorInSystemd.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/AppArmorInSystemd.md b/AppArmorInSystemd.md index e6c9dbd..e7e3164 100644 --- a/AppArmorInSystemd.md +++ b/AppArmorInSystemd.md @@ -93,6 +93,8 @@ tasks entering the unconfined state. The start will then load new policy however all tasks in the system will remain unconfined, only tasks start after the start operation will gain the new confinement. +The upstream `apparmor.service` has intentionally broken `stop`. Using `restart` on distributions that use the upstream unit (for example openSUSE) isn't a problem. However, you'll need to use `aa-teardown` if you really want to unload all AppArmor profiles. + Using systemd to set the apparmor profile/label ===============================================
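Review bot: the added paragraph calls the upstream `stop` "intentionally broken" without saying what `stop` actually does on that unit or why it was made that way. A reader coming from the preceding context lines, which describe tasks entering the unconfined state and staying unconfined after the new policy is loaded, cannot tell from this wording whether that description still applies on distributions using the upstream unit. Suggest stating the behaviour directly, for example that `stop` does not unload profiles if that is the case, and adding one sentence on the reason. The commit subject names `ExecStop` while the text only says `stop`; naming the directive in the text would make it easier to find in the unit file. Minor wording: "has intentionally broken `stop`" reads better as "has an intentionally broken `stop`".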