[pkg-apparmor] Bug#879590: apparmor: Decide how we enable AppArmor by default

Ben Hutchings ben at decadent.org.uk
Mon Oct 23 22:10:00 UTC 2017


On Mon, 2017-10-23 at 10:06 +0200, intrigeri at debian.org wrote:
> Package: apparmor
> Version: 2.11.0-11
> Severity: normal
> X-Debbugs-Cc: Ben Hutchings <benh at debian.org>
> 
> Hi,
> 
> we're discussing whether to enable AppArmor by default during the
> Buster cycle, but we have no actual plan wrt. how to do it.
> There are several options:
> 
> A. Make AppArmor the default LSM in the kernel
> 
>    i.e. set CONFIG_DEFAULT_SECURITY="apparmor"
>    and CONFIG_DEFAULT_SECURITY_APPARMOR=y.
[...]
> B. Configure bootloaders to enable AppArmor by default
>
>    On https://bugs.debian.org/702030 a nice & flexible solution was
>    designed; let's call it B.1.
[...]
>    A short-term simpler option would be to drop a file in
>    /etc/default/grub.d/ [...] Let's call this option B.2.
[...]
> C. Anything else?
> 
> My personal preference is A > B.1. Ben & others, what do you think?

I agree.

We really should have a common way to append things to the kernel
command line, which would allow a more general B.2, but this shouldn't
have to wait for that.

Ben.

-- 
Ben Hutchings
The most exhausting thing in life is being insincere. - Anne Morrow
Lindberg
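
Added example, not part of the message above or of any Debian package: a shell sketch of how option A (kernel config) and option B (bootloader command line) each decide whether AppArmor comes up at boot. It assumes the kernel's `security=` and `apparmor=` boot parameters and `CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE`, which the quoted text does not name, with their semantics as of kernels contemporary with this thread; the function names and sample inputs are constructed for illustration.

```shell
# Constructed sample inputs (not from a real Debian kernel package).
CONFIG_OPTION_A='CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
CONFIG_DEFAULT_SECURITY_APPARMOR=y
CONFIG_DEFAULT_SECURITY="apparmor"'
CONFIG_NO_DEFAULT='CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
CONFIG_DEFAULT_SECURITY=""'

# Value of KEY=... on a kernel command line; this sketch uses the last occurrence.
cmdline_value() {   # cmdline_value KEY CMDLINE
    val=""
    for arg in $2; do
        case $arg in "$1"=*) val=${arg#"$1"=} ;; esac
    done
    printf '%s' "$val"
}

# Value of a CONFIG_ symbol in kernel config text, surrounding quotes stripped.
config_value() {    # config_value SYMBOL CONFIG_TEXT
    printf '%s\n' "$2" |
        sed -n "s/^$1=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p" | tail -n 1
}

# Prints "enabled" or "disabled" for a kernel config + command line pair.
# The command line overrides the config defaults for both settings.
apparmor_at_boot() { # apparmor_at_boot CONFIG_TEXT CMDLINE
    lsm=$(cmdline_value security "$2")
    [ -n "$lsm" ] || lsm=$(config_value CONFIG_DEFAULT_SECURITY "$1")
    on=$(cmdline_value apparmor "$2")
    [ -n "$on" ] || on=$(config_value CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE "$1")
    # Only the documented value "1" is treated as "on" here.
    if [ "$lsm" = apparmor ] && [ "$on" = 1 ]; then
        echo enabled
    else
        echo disabled
    fi
}
```

With option A the result is "enabled" on an unmodified command line, while option B reaches the same state only if every bootloader configuration carries the parameters.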
