On 06/18/2014 05:44 PM, Steve Beattie wrote:
> Allow apache hats to receive signals from unconfined.
>
> [I'm on the fence about this. On the one hand, unconfined should be able
> to kill things in hats. On the other, using apache2ctl/apachectl is
> preferred to shut down apache, and it uses the apache binary itself (and
> the profile it runs under) to kill its children.]
>
Generally speaking, taking away signals from unconfined is unexpected and can really break the system; it's really unexpected for most sysadmins. So the general rule for includes has been to mimic the old unconfined behavior, and if tighter confinement is needed then a profile can use denies or not use the base includes we supply.
If any of the hats use the base-provided abstraction they are going to get signals and tracing from unconfined anyways. So I think it makes sense to have this as the default for apache hats, and if the user really wants something tighter they will need to tweak policy.

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
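The policy trade-off described in the reply above, written out as an added illustration (this is not the patch under discussion, not a shipped AppArmor profile, and not from the list message). The profile path /usr/sbin/apache2, the hat names, and the file rules are assumed for the example; the rules quoted in comments as coming from abstractions/base are the signal and ptrace defaults that abstraction carries as of AppArmor 2.9, and should be checked against the local copy.

```apparmor
# Added illustration, not from the original message or from any shipped
# AppArmor policy. Profile path, hat names and file rules are assumed.
#include <tunables/global>

/usr/sbin/apache2 {
  #include <abstractions/base>
  # abstractions/base (AppArmor 2.9 and later) already carries, among others:
  #   signal (receive) peer=unconfined,
  #   signal peer=@{profile_name},
  #   ptrace peer=@{profile_name},
  #   ptrace (readby, tracedby) peer=unconfined,
  # so the main profile can be killed and traced from unconfined, which
  # is the "mimic unconfined" default the reply argues for.

  /usr/sbin/apache2 mr,
  /var/www/** r,

  # apachectl stop/graceful runs this same binary, which signals its
  # children. A child running in a hat has a different label
  # (/usr/sbin/apache2//HATNAME), so the parent needs send permission
  # to those labels and each hat needs a matching receive rule.
  signal (send) peer=/usr/sbin/apache2//*,

  # A hat that pulls in the base include inherits the same behavior as
  # the main profile: an unconfined root shell can still kill or ptrace
  # the worker while it is in this hat.
  ^DEFAULT_URI {
    #include <abstractions/base>
    signal (receive) peer=/usr/sbin/apache2,
    /var/www/** r,
  }

  # A hat that wants tighter confinement keeps the include and overrides
  # the inherited unconfined rules with explicit denies (an explicit deny
  # takes precedence over any allow rule in AppArmor), or drops the base
  # include altogether and lists only what it needs. Either way the parent
  # profile can still deliver signals, so apachectl keeps working.
  ^HANDLING_UNTRUSTED_INPUT {
    #include <abstractions/base>
    deny signal (receive) peer=unconfined,
    deny ptrace (readby, tracedby) peer=unconfined,
    signal (receive) peer=/usr/sbin/apache2,
    /var/www/** r,
  }
}
```

The first hat shows the default the reply proposes; the second shows what "tweak policy" looks like for a user who wants it tighter. Syntax can be checked without loading the profile using `apparmor_parser -Q` on the file, and the effect of the denies shows up in the audit log as signal or ptrace denials with peer="unconfined" when an unconfined shell tries to kill or attach to a worker in that hat.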