[apparmor] replacing unconfined and doing global policy

John Johansen john.johansen at canonical.com
Thu Apr 5 16:50:35 UTC 2012

On 04/05/2012 09:27 AM, Seth Arnold wrote:
> Would we have to also remove controls like "only unconfined can reload policy"? Or did we do that already when cap mac_admin was introduced? Would we want to add new policy language to provide fine-grain control of cap mac_admin?

Right, the unconfined controls were replaced with cap mac_admin, but we still want to have better controls than that so the users can load their own policy (at some point in the future).
