[apparmor] Let's enable AppArmor by default (why not?)
John Johansen
john.johansen at canonical.com
Mon Nov 20 17:04:44 UTC 2017
On 11/20/2017 08:06 AM, daniel curtis wrote:
> Hello
>
> In His answer about removing the profile etc., Mr. John Johansen wrote, that "it is important to do removal before adding the symlink (...)" [see 1.]
>
> However, according to the Ubuntu "AppArmor Community Help Wiki" [see 2.] users should first make a symlink via ln(1) command and next use an apparmor_parser(8) utility along with '-R' option. So, this is the opposite of what Mr. Johansen has wrote.
>
> I thought, that maybe in such a situation Community Help Wiki should be updated to contain a proper way to disable one profile. What do you think? By the way; I have always used the method mentioned on Wiki - without problems.
>
> But now, thanks to Mr. Johansen, I will first remove profile before adding symlink.
>
>It looks like that has been fixed, so my suggested ordering isn't required, and the other ordering is even slightly preferred as adding the symlink first will keep a racing profile load/restart for reloading the profile right after you remove it. It used to be even on profile removal the symlink would be used resulting in the removal not happening. I guess I forgot about that being fixed.
More information about the AppArmor
mailing list