Comment # 6 on bug 1134906 from
(In reply to Michal Kubeček from comment #4)
> I'm aware that unlike some other LSMs, AppArmor generally uses "opt-in" model
> but I better ask explicitly: can we be sure setting LSM="integrity,apparmor"
> cannot cause any trouble even with e.g. userspace tools and/or profiles not
> installed or installed but corresponding service disabled etc.?

AppArmor has been enabled by default on current suse releases.

The apparmor kernel module starts in an unconfined mode if no policy is loaded.
This means the system will boot and function as a regular DAC based unix until
policy is loaded. Disabling the apparmor service (userspace component), will
mean policy won't be loaded, so the system will function as if apparmor is not
there.

Even with policy loading, suse has policy configured so that only some tasks
are confined (opt-in) and the rest of the system behaves as if apparmor is not
there.
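
The states described in this comment (module disabled, enabled with no policy loaded, enabled with policy loaded) can be told apart from sysfs and securityfs. The following is an added example, not part of the original comment; the optional root-prefix argument is a hypothetical parameter that lets the function be pointed at a constructed directory tree, and reading the profiles list normally requires root.

```shell
#!/bin/sh
# Report the AppArmor state by reading the kernel's own status files.
# $1 is an optional (hypothetical) root prefix, empty on a live system.
apparmor_state() {
    root="${1:-}"
    enabled="$root/sys/module/apparmor/parameters/enabled"
    profiles="$root/sys/kernel/security/apparmor/profiles"

    # No module parameter, or it reads "N": AppArmor is not active at all.
    if [ ! -r "$enabled" ] || [ "$(cat "$enabled")" != "Y" ]; then
        echo "disabled"
        return 0
    fi

    # Active, but the profile list cannot be read (not root, or
    # securityfs not mounted): the policy state cannot be determined.
    if [ ! -r "$profiles" ]; then
        echo "enabled policy=unknown"
        return 0
    fi

    # One line per loaded profile: "<name> (<mode>)".
    # An empty list is the "no policy loaded" case: nothing is confined.
    total=$(grep -c . "$profiles" || true)
    if [ "$total" -eq 0 ]; then
        echo "enabled policy=none"
        return 0
    fi

    enforce=$(grep -c '(enforce)$' "$profiles" || true)
    complain=$(grep -c '(complain)$' "$profiles" || true)
    echo "enabled policy=loaded profiles=$total enforce=$enforce complain=$complain"
}

# Confinement label of one task: "unconfined" for tasks without a
# profile, "<profile> (<mode>)" for the opted-in ones.
task_confinement() {
    cat "${2:-}/proc/$1/attr/current" 2>/dev/null || echo "unknown"
}

apparmor_state "$@"
```

On a live system, `task_confinement $$` shows the label of the current shell.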

