On Thu, 2017-11-23 at 14:58 +0100, Christoph Hellwig wrote:
> On Thu, Nov 23, 2017 at 01:55:49PM +0000, Ben Hutchings wrote:
> > AppArmor is the default LSM.
> 
> There is no such thing as a default LSM in Linux.

$ grep DEFAULT_SECURITY /boot/config-4.13.0-1-amd64 
# CONFIG_DEFAULT_SECURITY_SELINUX is not set
# CONFIG_DEFAULT_SECURITY_TOMOYO is not set
CONFIG_DEFAULT_SECURITY_APPARMOR=y
# CONFIG_DEFAULT_SECURITY_DAC is not set
CONFIG_DEFAULT_SECURITY="apparmor"

> > > The changelog suggests it was done that systemd units might use it,
> > > but in that case those systemd units should depend on apparmor.
> > 
> > They don't depend on AppArmor unless it's enabled.  Which is a decision
> > made in the kernel configuration (potentially overriden by the kernel
> > comamnd line).
> 
> So we should not need the recommends.
-- 
Ben Hutchings
When in doubt, use brute force. - Ken Thompson

Attachment: signature.asc
Description: This is a digitally signed message part

Reply via email to