[apparmor] PATCH [1/3] - default apparmor_notify to report messages if it is installed

John Johansen john.johansen at canonical.com
Thu Sep 9 19:40:02 BST 2010


On 09/09/2010 11:12 AM, Steve Beattie wrote:
> On Thu, Sep 09, 2010 at 11:13:08AM -0500, Jamie Strandboge wrote:
>> On Thu, 2010-09-09 at 09:06 -0700, John Johansen wrote:
>>> This patch defaults apparmor_notify to report messages if it is installed
>>> and started.
>>>
>>> Index: utils/notify.conf
>>> ===================================================================
>>> --- utils.orig/notify.conf	2010-09-09 08:59:23.494193402 -0700
>>> +++ utils/notify.conf	2010-09-09 08:59:53.994193402 -0700
>>> @@ -8,8 +8,8 @@
>>>  #
>>>  # ------------------------------------------------------------------
>>>  
>>> -# Set to 'yes' to enable AppArmor DENIED notifications globally
>>> -show_notifications="no"
>>> +# Set to 'no' to disable AppArmor notifications globally
>>> +show_notifications="yes"
>>>  
>>>  # Only people in use_group can use apparmor-notify
>>>  use_group="admin"
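Review bot: The replacement comment above show_notifications drops the word DENIED that the old comment carried. If the setting still governs only denial notifications, keep the word ("Set to 'no' to disable AppArmor DENIED notifications globally") so the scope of the option stays clear. With the default now "yes", the comment could also point out that access remains limited by use_group, which the context line below sets to "admin".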
>>>
>>
>> ACK.
> 
> ACK for 2.5.1 as well.
> 
>> This incidentally is fine for Ubuntu as well, since apparmor-notify is
>> not installed by default.
> 
> Jamie does bring up a good point, are there other distributions for whom
> this change is problematic? I suppose if it is, it could be patched at
> build time (or the vendor could just use their own notify.conf, etc.).
> 
> I did add this to the 2.5.1 release notes.
> 
It would only be problematic if the notifier is set up so that it starts
running automatically.  Currently you have to take action to start the
notifier after it is installed.

If a distro did this, then perhaps changing the default would be
worthwhile, but as long as our default is to package it as a separate installable
I think this is the way to go.


