Upcoming change: rsyslog's apparmor enforced by default

Steve Langasek steve.langasek at ubuntu.com
Sun Feb 12 05:48:25 UTC 2023


Hi Andreas,

On Sat, Feb 11, 2023 at 02:45:17PM -0300, Andreas Hasenack wrote:
> Hi,

> In the next few days, if all goes according to plan, I'll upload
> rsyslogd to lunar with a change[1] to the way its apparmor profile is
> applied.

> The confinement status won't be changed during upgrades, but fresh
> installs will have the apparmor profile enforced by default. Up until
> now, it's been disabled.

Can you elaborate on this decision not to change the behavior on upgrade? 
It's expected on upgrade between releases that behavior will change; and to
not enforce for upgrading users means a difference in configs between new
installs and upgrades that complicates the support matrix over the long
term.

I am strongly in favor of making the behavior on upgrade conform to the
behavior on new installs - even if that means there might be some unpleasant
surprises where the package fails to configure because of apparmor being
enabled.  That seems unlikely to me in any case; even if the user has
diverged from the stock rsyslog config, it seems more likely to me that the
daemon would still start up but might in some cases fail to log.  Again,
behavior changes are expected across release upgrades.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                   https://www.debian.org/
slangasek at ubuntu.com                                     vorlon at debian.org