On Wed, 26 Jun 2019, Casey Schaufler wrote:

> With the inclusion of the "display" process attribute
> mechanism AppArmor no longer needs to be treated as an
> "exclusive" security module. Remove the flag that indicates
> it is exclusive. Remove the stub getpeersec_dgram AppArmor
> hook as it has no effect in the single LSM case and
> interferes in the multiple LSM case.

So now if I build a kernel with SELinux and AppArmor selected, with SELinux registered first, I now need to use apparmor=0 at the kernel command line to preserve existing behavior (just SELinux running).

This should at least be documented.

I wonder if this will break existing users, though. Who has both currently selected and depends on only one of them being active?

--
James Morris
<jmorris@xxxxxxxxx>