[PATCH v4 23/23] AppArmor: Remove the exclusive flag
James Morris
jmorris at namei.org
Thu Jun 27 02:22:13 UTC 2019
On Wed, 26 Jun 2019, Casey Schaufler wrote:

> With the inclusion of the "display" process attribute
> mechanism AppArmor no longer needs to be treated as an
> "exclusive" security module. Remove the flag that indicates
> it is exclusive. Remove the stub getpeersec_dgram AppArmor
> hook as it has no effect in the single LSM case and
> interferes in the multiple LSM case.

So now if I build a kernel with SELinux and AppArmor selected, with
SELinux registered first, I now need to use apparmor=0 at the kernel
command line to preserve existing behavior (just SELinux running).
This should at least be documented.

I wonder if this will break existing users, though. Who has both
currently selected and depends on only one of them being active?

--
James Morris
<jmorris at namei.org>