[apparmor] Generate a default/fallback profile? No blacklisting

alexofen alexofen at gmail.com
Wed Dec 19 13:55:50 UTC 2012

Dear people working with AppArmor,

I have read the FAQ Wiki:
This point gives me quite some trouble
I would ask for your assistence.

I cannot understand. Either there is enough safety by the ordinary linux 
(DAC style) file permissions which makes AppArmor and other MACs rather 
superflous or there is a good point in having AppArmor which then it 
makes little sense to me to be satisfied that any unkonwn Program 
results into an unconfined execution of this code?

Is there a way to have something like a fallback/default deny thing for 
applications that are not profiled?

The ease of deployment should not be the primary concern and the safety 
sacrifized. The product sold (AppArmor)
without profiles is rather useless (as it is in most desktop Ubuntus) 
and I assume only by setting it active fall all programs via
a default profile that is limiting would be a safe solution.

I do not wanna provoke or insult etc. And if for heaven's sake it must 
be that we have cases in which AppArmor
is deployed with this kind of "everything unprofiled is white", that is 
ok. But what is the trick to setup a default profile

Thank you for your support, understanding and  assistence


More information about the AppArmor mailing list