Restart haveged and apparmor

In the Xenial upgrade scenario, restarting will ensure the AppArmor profiles are correctly loaded so that it can be properly enforced, prior to rebooting.
freedomofpress · Feb 26, 2019 · 4a7ea91 · 4a7ea91
1 parent 063ad16
commit 4a7ea91
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 0 deletions.
diff --git a/install_files/ansible-base/roles/app/handlers/main.yml b/install_files/ansible-base/roles/app/handlers/main.yml
@@ -19,6 +19,13 @@
     name: securedrop_worker
     state: present
 
+## Here, we list apparmor before haveged to ensure the correct AppArmor
+## profile is loaded prior to restarting haveged
+- name: restart apparmor
+  service:
+    name: apparmor
+    state: restarted
+
 - name: restart haveged
   service:
     name: haveged

diff --git a/install_files/ansible-base/roles/app/tasks/configure_haveged.yml b/install_files/ansible-base/roles/app/tasks/configure_haveged.yml
@@ -75,6 +75,9 @@
     line: "After=apparmor.service systemd-random-seed.service"
     backrefs: yes
   when: haveged_apparmor.stat.exists
+  notify:
+    - restart apparmor
+    - restart haveged
   tags:
     - haveged
     - hardening