Re: Bug#879590: Making apparmor "Priority: standard"? [Was: Bug#879590: apparmor: Decide how we enable AppArmor by default]
> intrigeri <firstname.lastname@example.org> (2017-10-25):
>> I'm working on the last blockers towards starting the experiment I've
>> proposed on debian-devel@ 2.5 months ago, i.e. enabling AppArmor by
>> default for a while in testing/sid.
> Does it make sense to have it installed everywhere, including in
> chroots, containers, etc., or should it be mainly installed in d-i
> installed systems?
It makes sense in any kind of system that runs its own Linux kernel:
not in chroots & containers (there's WIP upstream for allowing
containers to stack their own AppArmor policy on top of the host's one
but we're not there yet), but definitely in systems installed by d-i
(be it during initial installation or dist-upgrades, see the email
I've just sent to -devel@ about the latter).
>> Enabling AppArmor by default on new installations requires two
>> 1. enable the LSM in Linux: problem solved, Ben Hutchings is fine with
>> doing this in src:linux
>> 2. install the apparmor package by default.
> It seems it's built on non-Linux ports as well, does it make sense to
> have it installed there? Please poke debian-bsd@ and debian-hurd@ if in
No, it doesn't make sense to install it there; it shouldn't harm
either. So far I've kept src:apparmor building on non-Linux ports in
the hope some portability issues turn out to be real bugs that affect
Linux too, but this never happened. So if it simplifies the problem
let's build the package only on Linux ports.
>> My understanding is that making the apparmor package "Priority:
>> standard" i the way to go. Correct?
> Depends on the first question above.
Replied. Anything else you need from me to answer this question?
> Thanks for checking with us in any cases. :)
No problem, I don't want to cause issues that could easily be