On 05/10/2013 02:51 PM, Seth Arnold wrote:
> On Fri, May 10, 2013 at 11:24:46AM -0700, John Johansen wrote:
>> currently the override to select the default profile is
>> apparmor.unconfined=0 or N
>>
>> and to select unconfined
>> apparmor.unconfined=Y
>>
>> this option is fine but I'm not fond of apparmor.unconfined=0. We could
>> change this so that the apparmor= boot option could select the values, so
>> something like
>>
>> apparmor=unconfined
>>
>> apparmor=default
>>
>> or something of the sort
>
> I don't care for apparmor.unconfined=0, that's too many
> double-negatives for me, as it were.
>
> apparmor=unconfined or apparmor=default are more to the point, but they
> feel like they are making broad statements about apparmor, but this only
> influences init and init's children. In the heat of 3am server debugging,
> this option is also bound to be confusing.
>
> How about:
>
> apparmor.init=unconfined
> apparmor.init=default
>
I like this

> or
>
> apparmor.init_profile=unconfined
> apparmor.init_profile=default
>
a little more verbose than I would like

> Yes, both are more verbose, but I think these names give a stronger hint
> that we are modifying init's profile at boot.
>
> (A third option, to allow name-your-profile, might be nice. Maybe. It
> would introduce yet more confusion into discussing policy, but 'default'
> might give the wrong connotation at some sites.)
>
This is possible, the name passed would be the name of the profile created and then you need to make sure your policy matches
