[apparmor] replacing unconfined and doing global policy
john.johansen at canonical.com
Thu Apr 5 16:50:35 UTC 2012
On 04/05/2012 09:27 AM, Seth Arnold wrote:
> Would we have to also remove controls like "only unconfined can reload policy"? Or did we do that already when cap mac_admin was introduced? Would we want to add new policy language to provide fine-grain control of cap mac_admin?
right the unconfined controls where replaced with cap mac_admin, but we still want to have better controls than that so the users can load their own policy (at some point in the future)
More information about the AppArmor