[apparmor] default profile
Seth Arnold
seth.arnold at canonical.com
Fri May 10 21:51:44 UTC 2013
On Fri, May 10, 2013 at 11:24:46AM -0700, John Johansen wrote:
> currently the override to select the default profile is
> apparmor.unconfined=0 or N
>
> and to select unconfined
> apparmor.unconfined=Y
>
> this option is fine but I'm not fond of apparmor.unconfined=0. We could
> change this so that the apparmor= boot option could select the values, so
> something like
>
> apparmor=unconfined
>
> apparmor=default
>
> or something of the sort

I don't care for apparmor.unconfined=0, that's too many
double-negatives for me, as it were.

apparmor=unconfined or apparmor=default are more to the point, but they
feel like they are making broad statements about apparmor, but this only
influences init and init's children. In the heat of 3am server debugging,
this option is also bound to be confusing.

How about:

apparmor.init=unconfined
apparmor.init=default

or

apparmor.init_profile=unconfined
apparmor.init_profile=default

Yes, both are more verbose, but I think these names give a stronger hint
that we are modifying init's profile at boot.

(A third option, to allow name-your-profile, might be nice. Maybe. It
would introduce yet more confusion into discussing policy, but 'default'
might give the wrong connotation at some sites.)

Thanks