On 05/08/2013 05:40 PM, Seth Arnold wrote: > On Wed, May 01, 2013 at 02:30:53PM -0700, John Johansen wrote: >> --- a/security/apparmor/Kconfig >> +++ b/security/apparmor/Kconfig >> @@ -29,3 +29,14 @@ config SECURITY_APPARMOR_BOOTPARAM_VALUE >> boot. >> >> If you are unsure how to answer this question, answer 1. >> + >> +config SECURITY_APPARMOR_UNCONFINED_INIT >> + bool "Set init to unconfined on boot" >> + depends on SECURITY_APPARMOR >> + default y >> + help >> + This option determines policy behavior during early boot by >> + placing the init process in the unconfined state, or the >> + 'default' profile. >> + >> + If you are unsure how to answer this question, answer Y. > > I think this description needs some enhancement; I thought the boolean > was the other way around until I thought I spotted a bug with a ! in > the conditionals. > > How about: > >> + This option determines policy behavior during early boot by >> + placing the init process in the unconfined state, or the >> + 'default' profile. >> + >> + 'Y' means init and its children are not confined, and never >> + can be confined; loaded policy will only apply to processes >> + started afterwards. >> + >> + 'N' means init and its children are confined in a profile >> + named 'default', which can be replaced later and thus >> + provide for confining even processes started early at boot, >> + though not confined during early boot. This can provide for >> + complete system confinement. >> + >> + If you are unsure how to answer this question, answer Y. > > Thanks > sure that's better
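Review bot: The help text for SECURITY_APPARMOR_UNCONFINED_INIT never says which answer selects which state: "placing the init process in the unconfined state, or the 'default' profile" leaves the Y/N mapping to be inferred from the option name, and that sentence is kept unchanged at the top of the proposed rewording. Stating it directly (Y places init in the unconfined state, N places it in the 'default' profile) would remove the ambiguity, which matters because the option is "default y". In the proposed 'N' paragraph, "confined in a profile named 'default'" followed by "though not confined during early boot" reads as a contradiction; one sentence saying what the 'default' profile does before it is replaced would make the trade-off between Y and N clear.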
