Hi, Ben Hutchings: > On Mon, 2017-10-23 at 10:06 +0200, intrig...@debian.org wrote: >> A. Make AppArmor the default LSM in the kernel > [...] >> B. Configure bootloaders to enable AppArmor by default >> >> On https://bugs.debian.org/702030 a nice & flexible solution was >> designed; let's call it B.1. > [...] >> A short-term simpler option would be to drop a file in >> /etc/default/grub.d/ [...] Let's call this option B.2. > [...]
>> My personal preference is A > B.1. Ben & others, what do you think? > I agree. OK. Thanks for the prompt reply! > We really should have a common way to append things to the kernel > command line, which would allow a more general B.2, but this shouldn't > have to wait for that. ACK. So we're done wrt. LSM activation. Next step: figure out how to actually pull AppArmor utilities & policy by default (enabling the LSM is not very useful if we don't install those too). I think I can propose something about it this week. Cheers, -- intrigeri