[apparmor] default profile
John Johansen
john.johansen at canonical.com
Fri May 10 21:56:01 UTC 2013
On 05/10/2013 02:51 PM, Seth Arnold wrote:
> On Fri, May 10, 2013 at 11:24:46AM -0700, John Johansen wrote:
>> currently the override to select the default profile is
>> apparmor.unconfined=0 or N
>>
>> and to select unconfined
>> apparmor.unconfined=Y
>>
>> this option is fine but I'm not fond of apparmor.unconfined=0. We could
>> change this so that the apparmor= boot option could select the values, so
>> something like
>>
>> apparmor=unconfined
>>
>> apparmor=default
>>
>> or something of the sort
>
> I don't care for apparmor.unconfined=0, that's too many
> double-negatives for me, as it were.
>
> apparmor=unconfined or apparmor=default are more to the point, but they
> feel like they are making broad statements about apparmor, but this only
> influences init and init's children. In the heat of 3am server debugging,
> this option is also bound to be confusing.
>
> How about:
>
> apparmor.init=unconfined
> apparmor.init=default
>
I like this.
> or
>
> apparmor.init_profile=unconfined
> apparmor.init_profile=default
>
A little more verbose than I would like.
> Yes, both are more verbose, but I think these names give a stronger hint
> that we are modifying init's profile at boot.
>
> (A third option, to allow name-your-profile, might be nice. Maybe. It
> would introduce yet more confusion into discussing policy, but 'default'
> might give the wrong connotation at some sites.)
>
This is possible; the name passed would be the name of the profile created,
and then you need to make sure your policy matches.