On Mon, Oct 23, 2017 at 08:34:58AM +0200, intrig...@debian.org wrote:
> Package: apparmor
> Version: 2.11.0-3
> Severity: important
>
> This is about supporting Stretch users who have enabled AppArmor
> and run a new kernel, e.g. from stretch-backports.
>
> Similarly to #879584, let's pin the AppArmor feature set to the one
> supported by the Stretch stock kernel, i.e. the one the AppArmor
> policy shipped in Stretch works well with.

sorry for the late reaction, somehow this flew under our radar..

is there a particular reason for not putting this into the (included by
default) /usr/share/apparmor, but into parser.conf directly? this makes
life of admins / downstreams using a newer kernel / policy / feature set
unnecessarily harder, as there is no way to override this features-file
config directive now besides

- messing with an apparmor-owned config file (possible for an admin, not
  really an option for a derivative/downstream)
- re-building the apparmor package (lots of effort for overriding a
  single config line)

putting it into /usr/share/apparmor would allow drop-in replacement by
other packages and have the same net effect on stock Debian systems, at
least if I understood the terse parser.conf comments and apparmor_parser
man page correctly ;)

(thanks a lot for working hard on getting AA to work OOTB in Debian BTW -
long overdue and really looking forward to it!)