[apparmor] handling disable and complain (was: Re: [patch] mkdir /etc/apparmor.d/disable)

Christian Boltz apparmor at cboltz.de
Wed Oct 19 22:31:45 UTC 2011


On Wednesday, 19 October 2011, John Johansen wrote:
> Now for the rant.
> I absolutely detest this mechanism for disable and complain (yes I
> know why it was done), and would prefer we revisit this again for the
> future 

The method with symlinks in /etc/apparmor.d/disable has some advantages:
- no need to edit the profiles
- profiles don't magically come back (which could happen if you delete a 
  profile and then install a new apparmor-profiles package)
- enabling or disabling a profile is easy (just create/delete a symlink)

I'm open to your proposal of a better mechanism - ideally it has all 
the advantages I listed above and fixes all the things you don't like 

> (I know a collective scream of no). </rant>



Christian Boltz
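
An added example, not part of the original message or of the AppArmor tools: a small audit of the disable/ symlink mechanism described above, listing which profiles are switched off and which disable/ entries no longer have a matching profile. It assumes each entry in disable/ carries the same file name as the profile it disables; the function name `audit_disabled` and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Audit an AppArmor profile directory for profiles switched off through
# entries in its disable/ subdirectory.
# Assumption: a disable/ entry has the same file name as the profile file.
#
# Prints one line per entry in disable/:
#   DISABLED <name>  a profile file of that name exists and is being skipped
#   STALE <name>     no profile file of that name exists (leftover entry)
audit_disabled() {
    dir="${1:-/etc/apparmor.d}"
    for entry in "$dir"/disable/*; do
        # An unmatched glob stays literal, so skip it. -L is needed as well
        # as -e because -e is false for a symlink whose target is gone.
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        name=$(basename "$entry")
        if [ -f "$dir/$name" ]; then
            echo "DISABLED $name"
        else
            echo "STALE $name"
        fi
    done
    return 0
}

# Constructed sample tree (not real system data): two profiles, one of them
# disabled, plus a leftover disable/ entry whose profile was removed.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/disable"
: > "$demo_dir/usr.bin.foo"
: > "$demo_dir/usr.sbin.bar"
ln -s ../usr.bin.foo "$demo_dir/disable/usr.bin.foo"
ln -s ../usr.sbin.gone "$demo_dir/disable/usr.sbin.gone"

audit_disabled "$demo_dir"
rm -rf "$demo_dir"
```

Run against the real directory with `audit_disabled /etc/apparmor.d`; any DISABLED line is a profile that will not be enforced the next time profiles are loaded.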
