Hi, Meta: this bug report is about deciding how we enable AppArmor by default; if you want to follow up on unrelated discussions or start new ones, please do so in better-suited places :)
Christoph Anton Mitterer:
> On Wed, 2017-11-01 at 07:40 +0100, intrigeri wrote:
>> Indeed, it would have been nice. Can you please report a bug against
>> src:linux about it?

> I already had:
> #880441

Thanks, I'll follow up there then (we don't need to have the same
discussion in two different places).

> Nov 1 00:30:23 heisenberg systemd[18635]: tor@default.service: Failed at
> step APPARMOR spawning /usr/bin/tor: No such file or directory
> Nov 1 00:30:23 heisenberg kernel: [ 6315.674076] audit: type=1400
> audit(1509492623.442:7): apparmor="DENIED" operation="change_onexec"
> info="label not found" error=-2 profile="unconfined" name="system_tor"
> pid=18635 comm="(tor)"

That's #880490, fixed in sid already.

> I'm just surprised that it denies anything at all, without having the
> policy packages installed (or vice versa, that it allows most things
> when enabled in the kernel).

It does *not* deny anything at all without having the apparmor package
installed: #880490 is not about AppArmor denying something, it's about
systemd trying to switch to an AppArmor profile that's not loaded,
precisely because the apparmor package is not installed.

> Apart from that:
> Was there already a broad discussion in Debian about which LSM to go
> for?

There's been an ongoing discussion on debian-devel@ for ~3 months.

Cheers,
-- 
intrigeri
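The distinction intrigeri draws above (a change_onexec "label not found" record means a unit's AppArmorProfile= asked for a profile that is not loaded, not that policy denied anything) is easy to get wrong when skimming kernel audit output. The script below is an added example, not code from this bug report or from the apparmor or systemd packages: it parses AppArmor type=1400 audit records, classifies a "label not found" change_onexec denial separately from a real policy denial and from a complain-mode ALLOWED record, and checks the requested profile name against a listing in the format of /sys/kernel/security/apparmor/profiles ("<name> (<mode>)" per line). The log lines and the profile listing are constructed sample input; the first log line mirrors the record quoted in the thread, the rest are invented for illustration, and the classification names (profile_missing, policy_denial, audit_allowed) are this example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input. Line 0 mirrors the record quoted in the thread
# (profile "system_tor" not loaded); lines 1-2 are invented to show a real
# policy denial and a complain-mode audit record; line 3 is unrelated noise.
SAMPLE_LOG = [
    'Nov  1 00:30:23 heisenberg kernel: [ 6315.674076] audit: type=1400 '
    'audit(1509492623.442:7): apparmor="DENIED" operation="change_onexec" '
    'info="label not found" error=-2 profile="unconfined" name="system_tor" '
    'pid=18635 comm="(tor)"',
    'Nov  1 00:31:02 heisenberg kernel: [ 6354.000000] audit: type=1400 '
    'audit(1509492662.100:8): apparmor="DENIED" operation="open" '
    'profile="system_tor" name="/etc/shadow" pid=18700 comm="tor" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'Nov  1 00:31:05 heisenberg kernel: [ 6357.000000] audit: type=1400 '
    'audit(1509492665.200:9): apparmor="ALLOWED" operation="open" '
    'profile="/usr/sbin/cupsd" name="/var/tmp/x" pid=18710 comm="cupsd" '
    'requested_mask="w" denied_mask="w" fsuid=0 ouid=0',
    'Nov  1 00:31:09 heisenberg systemd[1]: Started Some unrelated unit.',
]

# Constructed sample of /sys/kernel/security/apparmor/profiles: one
# "<profile name> (<mode>)" line per loaded profile. system_tor is absent,
# which is the situation the thread describes (apparmor package not installed).
SAMPLE_PROFILES = """\
/usr/sbin/cupsd (enforce)
/usr/sbin/cupsd//third_party (enforce)
/usr/bin/man (complain)
"""

# key=value and key="quoted value" pairs as printed in AppArmor audit records
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_PROFILE_LINE = re.compile(r'^(.*) \((\w+)\)$')


@dataclass
class ApparmorEvent:
    status: str           # DENIED / ALLOWED / STATUS / ...
    operation: str
    profile: str          # profile confining the task when the event fired
    name: Optional[str]   # target path, or the profile requested on change_onexec
    info: Optional[str]
    error: Optional[int]
    kind: str             # profile_missing / policy_denial / audit_allowed / other


def parse_apparmor_line(line: str) -> Optional[ApparmorEvent]:
    """Return the parsed record for an AppArmor audit line, or None for other lines."""
    if 'apparmor=' not in line:
        return None
    fields: Dict[str, str] = {}
    for m in _KV.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    status = fields.get('apparmor', '')
    op = fields.get('operation', '')
    info = fields.get('info')
    err = int(fields['error']) if 'error' in fields else None
    # A change_onexec denial with "label not found" is the kernel saying the
    # requested profile is not loaded at all; policy never got a chance to
    # decide anything. Everything else marked DENIED is a genuine policy hit.
    if status == 'DENIED' and op == 'change_onexec' and info == 'label not found':
        kind = 'profile_missing'
    elif status == 'DENIED':
        kind = 'policy_denial'
    elif status == 'ALLOWED':
        kind = 'audit_allowed'   # complain mode: logged, but not blocked
    else:
        kind = 'other'
    return ApparmorEvent(status, op, fields.get('profile', ''),
                         fields.get('name'), info, err, kind)


def loaded_profiles(profiles_text: str) -> Dict[str, str]:
    """Parse an apparmorfs profile listing into {profile name: mode}."""
    out: Dict[str, str] = {}
    for raw in profiles_text.splitlines():
        m = _PROFILE_LINE.match(raw.strip())
        if m:
            out[m.group(1)] = m.group(2)
    return out


def explain(ev: ApparmorEvent, profiles: Dict[str, str]) -> str:
    """One-line human explanation of a parsed record, given the loaded-profile map."""
    if ev.kind == 'profile_missing':
        state = 'not loaded' if ev.name not in profiles else f'loaded ({profiles[ev.name]})'
        return (f'unit asked to switch to profile {ev.name!r}, which is {state}: '
                'install/load the policy or drop AppArmorProfile= from the unit')
    if ev.kind == 'policy_denial':
        return f'profile {ev.profile!r} denied {ev.operation} on {ev.name!r}'
    if ev.kind == 'audit_allowed':
        return f'complain mode: {ev.profile!r} would have denied {ev.operation} on {ev.name!r}'
    return f'{ev.status} {ev.operation}'


def triage(lines: List[str], profiles_text: str) -> Counter:
    """Classify every AppArmor record in `lines`; returns a count per kind."""
    profiles = loaded_profiles(profiles_text)
    counts: Counter = Counter()
    for line in lines:
        ev = parse_apparmor_line(line)
        if ev is None:
            continue
        counts[ev.kind] += 1
        print(f'[{ev.kind}] {explain(ev, profiles)}')
    return counts


if __name__ == '__main__':
    triage(SAMPLE_LOG, SAMPLE_PROFILES)
```

On a live system, feed it `journalctl -k` output and the contents of /sys/kernel/security/apparmor/profiles (or the profile list from `aa-status`); a profile_missing result with the requested name absent from the listing is a packaging or ordering problem (policy not installed or not yet loaded when the unit started), not something to fix in the profile's rules.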