Web lists-archives.com

Re: recommends for apparmor in newest linux-image-4.13




On Thu, 2017-11-23 at 14:18 +0100, Christoph Hellwig wrote:
> Hi all,
> 
> is there any good reason for the recommends of apparmor in the latest
> linux packages?  apparomor is just one of many security modules, and
> a fairly bogus one to start with.  The kernel should not recommend it
> as it doesn't add at all to the expected kernel functionality.

AppArmor is the default LSM.

> The changelog suggests it was done that systemd units might use it,
> but in that case those systemd units should depend on apparmor.

They don't depend on AppArmor unless it's enabled.  Which is a decision
made in the kernel configuration (potentially overriden by the kernel
comamnd line).

Ben.

> And to start with there probably should be a policty that no unit
> file shall fail the boot for a missing security module (any of them).

-- 
Ben Hutchings
When in doubt, use brute force. - Ken Thompson

Attachment: signature.asc
Description: This is a digitally signed message part