On Sat, 12 Jun 2021 at 15:33, Lars Veldscholte <l...@tuxplace.nl> wrote:
> I am not sure of the proper way to deal with this issue. Should I
> install the AppArmor userspace utilities, even though I do not need them
> myself? Or should I disable AppArmor completely by explicitly setting a
> kernel parameter (which the Debian wiki does not recommend)?

If you don't completely disable AppArmor but also do not install the
userspace utilities, you will always be in this halfway state where
AppArmor *is* enabled, but most programs won't be able to use/deal with
it effectively.

If you really want to avoid AppArmor completely, I would suggest
actually disabling it, although just installing the userspace utilities
will allow your containers to benefit from AppArmor-based protections --
it's another layer of protection (and my experience using the Debian
implementation of AppArmor on both desktop and server systems is that it
stays out of the way pretty well).

> In the former case, docker.io should probably depend on the apparmor
> package (it is currently a recommendation), since Docker is not usable
> (as far as I understand) without it.

Looking at [1], Recommends: is definitely appropriate here:

| This declares a strong, but not absolute, dependency.
|
| The Recommends field should list packages that would be found together
| with this one in all but unusual installations.

[1]: https://www.debian.org/doc/debian-policy/ch-relationships.html#binary-dependencies-depends-recommends-suggests-enhances-pre-depends

♥,
- Tianon
  4096R / B42F 6819 007F 00F8 8E36 4FD4 036A 9C25 BF35 7DD4
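
A check for the "halfway state" discussed in this thread, added here as an example; it is not part of either message and is not code from Docker or Debian. It assumes the kernel reports AppArmor through `/sys/module/apparmor/parameters/enabled` and that the userspace parser, if installed, is at `/sbin/apparmor_parser` or `/usr/sbin/apparmor_parser`; the function name `apparmor_state` and the state names are made up for this example.

```shell
#!/bin/sh
# Added example: classify a host as "disabled", "halfway" or "complete".
#   disabled  kernel side of AppArmor is off (or not built in)
#   halfway   kernel side is on, but no userspace parser is installed
#   complete  kernel side is on and the parser is available
#
# usage: apparmor_state [SYSFS_FILE [PARSER_PATH ...]]
# Both arguments exist so the check can be run against fixture files.
apparmor_state() {
    sysfs=${1:-/sys/module/apparmor/parameters/enabled}
    [ $# -gt 0 ] && shift
    # Default parser locations are assumptions, see the lead-in.
    [ $# -gt 0 ] || set -- /sbin/apparmor_parser /usr/sbin/apparmor_parser

    # The kernel writes "Y" when the LSM is enabled; a missing file
    # means the module is absent, which is treated as disabled.
    if [ "$(cat "$sysfs" 2>/dev/null)" != "Y" ]; then
        echo disabled
        return 0
    fi

    # Kernel side is on: look for an executable parser.
    for p in "$@"; do
        if [ -x "$p" ]; then
            echo complete
            return 0
        fi
    done
    echo halfway
}

# Report for the current host, with the two ways out named in the thread.
state=$(apparmor_state)
case $state in
    halfway)  echo "halfway: install the apparmor package, or disable AppArmor at boot" ;;
    *)        echo "$state" ;;
esac
```
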