Mathieu Parent: > Could'nt we: > 5. Make linux-image-$abi-$arch Depends on apparmor | selinux-basics | > tomoyo-tools | linux-no-lsm
> With linux-no-lsm being a new empty package, and all of apparmor, > selinux-basics, tomoyo-tools enable the corresponding LSM. This would be ideal on the long term and a lot of thought has been put into it (#702030), but it requires quite some work in various places and AFAIK nobody looked into how it could work for non-GRUB bootloaders; I suspect some of the major bootloaders we support don't offer the same flexibility as GRUB wrt. random packages injecting parameters on the kernel command line. As Ben Hutchings wrote on https://bugs.debian.org/879590#10, "We really should have a common way to append things to the kernel command line […] but this shouldn't have to wait for that" with which I couldn't agree more. Thankfully we already have another, cheap solution to address the "how to enable the AppArmor LSM in the kernel" problem :) So now I'd rather focus on the other, remaining problem, i.e. "how to pull in the AppArmor policy + userspace tools". Cheers, -- intrigeri
