Re: [apparmor] Let's enable AppArmor by default (why not?)
On Sat, Nov 18, 2017 at 07:23:42PM -0800, John Johansen wrote:
> On 11/18/2017 01:59 PM, Marvin Renich wrote:
> > * John Johansen <john.johansen@canonical.com> [171118 16:02]:
> >> You can disable individual profiles without editing them and messing up the packaging by using aa-disable
> > [some really good beginner stuff snipped]
> >
> > John, many thanks for these tidbits. Can they be put in a text file in
> > /usr/share/doc/apparmor, with a NEWS.Debian entry pointing to it, so
> > that when the package is pulled in, the user has some idea where to
> > start? Since Thunderbird seems to be one of the problem packages,
> > having it in a text file on the local system seems like a good idea.
> >
>
> yes we can certainly create the text file, its a good idea. I'll leave it
> up to the debian maintainer to decide on the NEWS.Debian entry but it
> certainly sound like a good idea to me as well.
>
> > Actually, a short beginner's guide as a text file in
> > /usr/share/doc/apparmor, which has more than just "how to disable a
> > profile" would be extremely helpful. I don't have the apparmor
> > knowledge to write it, though.
> >
> yeah, I will start working on the doc. Make sure it has links to
> more comprehensive info (the wiki, ml, some man pages, etc.)
Thanks for doing that.
It would be awesome if you could also include some documentation in the
style "I'm a Debian package maintainer and the apparmor profile for some
of the binaries in one of my packages is buggy, how can I fix it?" or
"I'm a Debian package maintainer and I'd like to write an apparmor
profile for one of the binaries in my package, where do I start".
IMO, if apparmor is enabled by default, then making sure it works well
with particular programs is the responsibility of the maintainer of the
program in question.
Thanks again,
--
Could you people please use IRC like normal people?!?
-- Amaya Rodrigo Sastre, trying to quiet down the buzz in the DebConf 2008
Hacklab
Reply to: