[pkg-apparmor] Bug#879585: apparmor: Pin the AppArmor feature set in Stretch to Linux 4.9's

Fabian Grünbichler f.gruenbichler at proxmox.com
Tue Dec 5 10:06:10 UTC 2017


On Mon, Oct 23, 2017 at 08:34:58AM +0200, intrigeri at debian.org wrote:
> Package: apparmor
> Version: 2.11.0-3
> Severity: important
> 
> This is about supporting Stretch users who have enabled AppArmor
> and run a new kernel, e.g. from stretch-backports.
> 
> Similarly to #879584, let's pin the AppArmor feature set to the one
> supported by the Stretch stock kernel, i.e. the one the AppArmor
> policy shipped in Stretch works well with.

sorry for the late reaction, somehow this flew under our radar..

is there a particular reason for not putting this into the (included by
default) /usr/share/apparmor, but into parser.conf directly?

this makes the life of admins / downstreams using a newer kernel / policy /
feature set unnecessarily harder, as there is no way to override this
features-file config directive now besides

- messing with an apparmor-owned config file (possible for an admin, not
  really an option for a derivative/downstream)
- re-building the apparmor package (lots of effort for overriding a
  single config line)

putting it into /usr/share/apparmor would allow drop-in replacement by
other packages and have the same net effect on stock Debian systems, at
least if I understood the terse parser.conf comments and apparmor_parser
man page correctly ;)

(thanks a lot for working hard on getting AA to work OOTB in Debian BTW
- long overdue and really looking forward to it!)


