[tor-bugs] #16782 [Tor]: systemd unit file is not compatible with the AppArmorProfile= directive

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Aug 12 18:42:03 UTC 2015


#16782: systemd unit file is not compatible with the AppArmorProfile= directive
-------------------------------+---------------------
 Reporter:  intrigeri          |          Owner:
     Type:  defect             |         Status:  new
 Priority:  normal             |      Milestone:
Component:  Tor                |        Version:
 Keywords:  systemd, apparmor  |  Actual Points:
Parent ID:                     |         Points:
-------------------------------+---------------------
 If I add the {{{AppArmorProfile=system_tor}}} directive to the unit file
 on current Debian sid, tor doesn't start and I get:

 {{{tor.service: Failed at step APPARMOR spawning /usr/bin/tor: Read-only
 file system}}}

 As discussed on the systemd mailing-list last year
 (http://lists.freedesktop.org/archives/systemd-devel/2014-October/023909.html),
 setting up AppArmor confinement requires /proc to be writable.

 And indeed, adding {{{ReadWriteDirectories=-/proc}}} fixes this problem
 for me. I intend to ask weasel to enable the AppArmor profile back in
 Debian (which we lost when migrating to systemd), so my question is: do
 you want {{{ReadWriteDirectories=-/proc}}} upstream (as a way to ease the
 work for downstreams who want to enable AppArmor confinement), or should
 we add it to the Debian delta?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16782>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
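The combination the ticket describes, `AppArmorProfile=` set without `/proc` being writable, is easy to lint for. The following POSIX shell script is an added example, not code from the ticket or from Tor or Debian: one function writes a systemd drop-in carrying the two directives from the report, the other reads a unit or drop-in and reports whether it has the failing combination. The drop-in directory, the file name `apparmor.conf`, the profile name passed in, and the acceptance of the later spelling `ReadWritePaths=` alongside `ReadWriteDirectories=` are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the ticket). Assumptions: drop-in file name, the
# directory passed in, and that ReadWritePaths= is treated like
# ReadWriteDirectories=.

# write_apparmor_dropin DIR PROFILE
# Writes DIR/apparmor.conf enabling the AppArmor profile PROFILE and granting
# write access to /proc, which AppArmor confinement needs at spawn time.
# On a real host DIR would be /etc/systemd/system/tor.service.d and a
# `systemctl daemon-reload` would follow.
write_apparmor_dropin() {
    dir="$1"
    profile="$2"
    mkdir -p "$dir"
    cat > "$dir/apparmor.conf" <<EOF
[Service]
AppArmorProfile=$profile
ReadWriteDirectories=-/proc
EOF
}

# check_apparmor_unit FILE
# Returns 0 when FILE either sets no AppArmorProfile=, or sets it and also
# lists /proc in ReadWriteDirectories= / ReadWritePaths= (a leading "-" marks
# the path optional and is accepted). Returns 1 for the combination that
# fails with "Failed at step APPARMOR ... Read-only file system".
check_apparmor_unit() {
    unit="$1"
    if ! grep -q '^[[:space:]]*AppArmorProfile=' "$unit"; then
        return 0
    fi
    if grep -Eq '^[[:space:]]*ReadWrite(Directories|Paths)=.*-?/proc([[:space:]]|$)' "$unit"; then
        return 0
    fi
    return 1
}

# Demonstration on constructed files in a temporary directory.
demo_dir=$(mktemp -d)
printf '[Service]\nAppArmorProfile=system_tor\n' > "$demo_dir/broken.service"
write_apparmor_dropin "$demo_dir/tor.service.d" system_tor

for f in "$demo_dir/broken.service" "$demo_dir/tor.service.d/apparmor.conf"; do
    if check_apparmor_unit "$f"; then
        echo "ok:      $f"
    else
        echo "missing: $f sets AppArmorProfile= but /proc is not writable"
    fi
done
rm -rf "$demo_dir"
```

Run the script directly to see one failing and one passing file; point `check_apparmor_unit` at the output of `systemctl cat tor.service` saved to a file to lint the effective unit on a host.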