Default mode for apparmor profiles : complain or enforce ?
Mathias Gug
mathiaz at ubuntu.com
Tue Jun 5 21:56:07 BST 2007
Hi,
I'm currently working on AppArmor integration. I was wondering wether
profiles should be installed in complain or enforce mode by default.
In complain mode, the application is not stopped from doing its job.
Policy violation are only logged.
In enforced mode, the application is denied access to ressources. Which
tends to break things badly.
When SELinux was enabled by default in FC2, things went really bad
and most of the people just turned it off.
So to avoid the same fiasco, I thought about shipping all profiles in
complain mode at first. Once profiles have been more tested, they could
be installed in enforce mode by default.
Any comments on that ?
Mathias
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : https://lists.ubuntu.com/archives/ubuntu-devel/attachments/20070605/efeb7c16/attachment.pgp
More information about the ubuntu-devel
mailing list