[apparmor] RFC: draft proposal for enabling AppArmor by default in Debian
intrigeri
intrigeri at debian.org
Thu Aug 3 22:33:22 UTC 2017
Christian Boltz:
> your mail looks great,
Thanks :)
> ... secret__ keys ...
Right, fixed.
>> A proposal
>> ==========
> ...
>> Note that the best way to address them quickly enough is sometimes
>> to simply disable the problematic AppArmor profile: it's cheap,
>> doesn't require advanced AppArmor skills, and IMO a smaller
>> AppArmor policy enabled by default is more useful than a broader
>> but less robust one that only a couple thousand users benefit from.
> I understand why you wrote this, but I'd still prefer to recommend
> aa-complain + collecting logs here ;-)
Yeah, I would love to, but deny rules are enforced even in "complain"
mode. This behavior has already confused at least two Debian package
maintainers and a few users that I know of personally, so I'd rather
not recommend maintainers to ship profiles in an "almost disabled but
not quite" state unless they really know what they're doing.
Anyway, that's an implementation detail at this stage of the (Debian)
discussion: "disable" in this context is not well defined; it can mean
"disable" (as in aa-disable) or "complain" (as in aa-complain),
depending on what we think is best :)
> I apply the same strategy to openSUSE, so feel free to change this to
> ... like Ubuntu _and openSUSE_, we're shipping ...
Sure; done.
> Enjoy DebCamp and DebConf, and good luck in getting AppArmor enabled by
> default!
Thanks!
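
The point above about deny rules staying enforced in "complain" mode, as an added example that is not part of the original message: a small checker that lists the deny rules inside profiles flagged as complain. The sample profile is constructed, the function name is hypothetical, and the parser assumes the `flags=(...)` header syntax with one rule per line.

```python
import re

# Constructed sample profile text (not taken from any real package).
SAMPLE = """\
#include <tunables/global>

/usr/bin/example flags=(complain) {
  #include <abstractions/base>
  /etc/example.conf r,
  deny /home/*/.ssh/** rw,
  audit deny @{HOME}/.gnupg/** w,
}

profile enforced-one /usr/bin/other {
  deny /etc/shadow r,
}
"""

FLAGS = re.compile(r"\bflags\s*=\s*\(([^)]*)\)")
DENY = re.compile(r"^(?:audit\s+)?deny\s")

def enforced_denies_in_complain(text):
    """Map each complain-mode profile to the deny rules it still enforces."""
    findings = {}
    stack = []  # one (name, is_complain) entry per open block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines, comments and #include directives
        if line.endswith("{"):
            header = line[:-1].strip()
            m = FLAGS.search(header)
            flags = set(re.split(r"[,\s]+", m.group(1).strip())) if m else set()
            name = re.sub(r"^profile\s+", "", FLAGS.sub("", header)).strip()
            # Simplification: each block is judged on its own flags only.
            stack.append((name, "complain" in flags))
        elif line.startswith("}"):
            if stack:
                stack.pop()
        elif stack and stack[-1][1] and DENY.match(line):
            findings.setdefault(stack[-1][0], []).append(line.rstrip(","))
    return findings

if __name__ == "__main__":
    for profile, rules in enforced_denies_in_complain(SAMPLE).items():
        print(f"{profile}: complain mode, but these rules are still enforced:")
        for rule in rules:
            print(f"  {rule}")
```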