On 08/27/2014 07:28 PM, intrigeri wrote:
> Hi (again!),
>
> Jamie Strandboge wrote (20 Aug 2014 21:43:59 GMT) :
>> * When shipping in a package, ideally the package should support both
>> complain and enforce mode for individual profiles so that installing it
>> may enable enforcing policy (this isn't a collaboration concern, just a
>> packaging one)
>
> I'm not sure I understand what you mean here. May you please point me
> to an example of what you find to be the best practice in this area?
>

I think I changed my thought and didn't read what I sent carefully enough. What I meant to say is:

* When shipping several profiles in a common policy package, ideally the package would ship each individual profile in enforcing mode so that when the policy package is installed, there is nothing more the user has to do to enable the policy. You may want to ship some individual profiles in complain mode if they aren't fully baked or are dependent on certain configuration of the confined app.
On that note, in Ubuntu, we don't turn on policy by default unless the policy works for all the common cases (and even some uncommon ones). This results in policy that is not as restricted as it could sometimes be, but achieves a greater good by having a perhaps slightly less restrictive policy enabled for everyone. This has proved to be a very worthwhile compromise since users are happier. In other words, our philosophy is that users shouldn't have to be aware that AppArmor is enabled and protecting them the vast majority of the time. I personally think this makes a lot of sense for Debian too. :)

>> * shipping all policy in one package means more is loaded and compiled than
>> is strictly needed for the system
>
> Sure. As long as we're only shipping a handful of profiles in that
> policy package, this should not be a big deal, though.
>

Right-- a few profiles isn't bad, and now I better understand the goals of this package. I think we are all hoping that by working together we can have scores of profiles, so having the discussion now and thinking about when that day comes is worthwhile.

--
Jamie Strandboge
http://www.ubuntu.com/
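A packaging check in the spirit of the point above, added here as an example and not code from the thread or from any AppArmor package: it parses the top-level profile headers in a set of profile files for `flags=(complain)`, so a policy package can report which of its profiles would not be enforced once installed. The sample profile texts are constructed; the header regex is an assumption covering the common `profile name /path flags=(...) {` forms and ignores indented hats and child profiles.

```python
import re

# Matches a top-level AppArmor profile header, e.g.
#   /usr/sbin/tcpdump {
#   profile example /usr/bin/example flags=(attach_disconnected,complain) {
_HEADER = re.compile(
    r'^(?:profile\s+)?(?P<name>\S+)'
    r'(?:\s+(?P<attach>(?!flags=)\S+))?'
    r'(?:\s+flags=\((?P<flags>[^)]*)\))?\s*\{\s*$'
)


def profile_modes(profile_text):
    """Return {profile_name: 'complain' | 'enforce'} for every top-level
    profile header in one profile file's text."""
    modes = {}
    for line in profile_text.splitlines():
        # Indented lines are hats/child profiles or rules; '#' lines are
        # comments or #include directives. None of them is a top-level header.
        if line.startswith((' ', '\t')) or line.lstrip().startswith('#'):
            continue
        m = _HEADER.match(line)
        if not m:
            continue
        flags = {f.strip() for f in (m.group('flags') or '').split(',') if f.strip()}
        modes[m.group('name')] = 'complain' if 'complain' in flags else 'enforce'
    return modes


def complain_mode_profiles(profile_files):
    """Given {filename: text}, list (filename, profile) pairs a package would
    load in complain mode, i.e. profiles the user would still have to enforce."""
    return [(fn, name) for fn, text in profile_files.items()
            for name, mode in profile_modes(text).items() if mode == 'complain']


# Constructed sample profile files (not real profiles from any package).
SAMPLE_PROFILES = {
    'usr.sbin.tcpdump': "#include <tunables/global>\n"
                        "/usr/sbin/tcpdump {\n"
                        "  #include <abstractions/base>\n"
                        "  capability net_raw,\n"
                        "}\n",
    'usr.bin.example': "#include <tunables/global>\n"
                       "profile example /usr/bin/example flags=(attach_disconnected,complain) {\n"
                       "  #include <abstractions/base>\n"
                       "  ^child_hat {\n"
                       "  }\n"
                       "}\n",
}

if __name__ == '__main__':
    for fn, name in complain_mode_profiles(SAMPLE_PROFILES):
        print(f"{fn}: profile '{name}' ships in complain mode")
```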
--
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
