ansible-hardening/doc/source/developer-notes/V-51337.rst
Major Hayden 6fbe43adf1 Allow AppArmor to be enabled
This patch is a modified backport of the following two master commits:

  * Ia017f12be0d60ea74b54396bc8278e4db92295ba
  * Iae976f283df77556a71833f857a906097e6f8aeb

A clean backport isn't possible because master has some configuration for
SELinux, which doesn't make sense for Mitaka/Liberty. Also, master has
the LSM enabled by default and this change could be disruptive in a
stable release. It is now disabled by default in the backport.

Change-Id: Ia673c3634d719f16b324a0e8473ebca7ebf336fb
(cherry picked from commit 744e9b9ca7)
2016-06-14 12:12:38 +00:00


Opt-in required

The tasks in the security role can enable the Linux Security Module (LSM) that is appropriate for the Linux distribution in use. For Ubuntu, the default LSM is AppArmor. Refer to Ubuntu's AppArmor documentation for more details on how AppArmor works.

Deployers can opt in for this change by setting the following Ansible variable:

    security_enable_linux_security_module: yes

Setting the variable to yes will run the tasks that enable AppArmor.
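
After opting in and running the role, a deployer can confirm on the host that AppArmor is active and that profiles are actually being enforced. The following check is an added example, not part of the ansible-hardening role: the function name `apparmor_state` and its optional root-directory argument are assumptions made for illustration, and it reads the kernel's standard AppArmor interfaces under `/sys`.

```shell
#!/bin/sh
# Added example (not from the role): report AppArmor state from the kernel's
# own interfaces. The optional first argument is a hypothetical alternate root
# directory so the check can be exercised against constructed sample files.
# On a real host, run as root with no argument: apparmor_state

apparmor_state() {
    root="${1:-}"
    enabled_file="$root/sys/module/apparmor/parameters/enabled"
    profiles_file="$root/sys/kernel/security/apparmor/profiles"

    # The module parameter reads "Y" when AppArmor is active in the running kernel.
    if [ ! -r "$enabled_file" ] || [ "$(cat "$enabled_file")" != "Y" ]; then
        echo "disabled"
        return 1
    fi

    # One loaded profile per line, "<name> (<mode>)". Needs securityfs mounted
    # and normally root; a failed read is reported instead of counted as zero.
    if ! profiles=$(cat "$profiles_file" 2>/dev/null); then
        echo "enabled profiles=unreadable"
        return 2
    fi

    # grep -c exits non-zero on a zero count, so guard it for set -e callers.
    enforce=$(printf '%s\n' "$profiles" | grep -c ' (enforce)$' || true)
    complain=$(printf '%s\n' "$profiles" | grep -c ' (complain)$' || true)
    echo "enabled enforce=$enforce complain=$complain"

    # An enabled LSM with nothing in enforce mode confines nothing.
    if [ "$enforce" -eq 0 ]; then
        return 3
    fi
    return 0
}
```

A non-zero return distinguishes the failure cases: 1 for AppArmor not enabled, 2 for an unreadable profile list, 3 for no profiles in enforce mode.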