Default mode for apparmor profiles : complain or enforce ?

Kees Cook kees at
Wed Jun 6 20:07:38 BST 2007


On Tue, Jun 05, 2007 at 04:56:07PM -0400, Mathias Gug wrote:
> So to avoid the same fiasco, I thought about shipping all profiles in
> complain mode at first. Once profiles have been more tested, they could
> be installed in enforce mode by default.
> Any comments on that ?

I think this is probably a good idea for at least Gutsy.  For people
that have heavily customized server daemons, we may run into conflicts
between sane configs/profiles and customization.  Until there is an
automated way to notify AppArmor users about audit log messages, some
people may not notice the complain warnings.  However, that's still
probably better than having some service start to break in weird ways.

The updates you've made to seem to
cover the immediate needs for toggling enforce/complain mode for anyone
doing AppArmor testing.


Kees Cook
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : 

More information about the ubuntu-devel mailing list