In Qubes 4.1, should apparmor be automatically enabled after setting it in the minimal template?
Here is my list of packages in a minimal template:
qubes-core-agent-passwordless-root
zenity
pulseaudio-qubes
qubes-core-agent-networking
qubes-mgmt-salt-vm-connector
qubes-core-agent-nautilus
gnome-terminal
nautilus
gnome-themes-extra
htop
xfce4-notifyd
mousepad
apparmor
apparmor-utils
apparmor-profiles
apparmor-profiles-extra
apparmor-notify
auditd
audispd-plugins
After reboot I check aa-status | cat /proc/cmdline:
~ aa-status
apparmor module is loaded.
apparmor filesystem is not mounted.
Should I manually install kernelopts?
As far as I remember, on my second machine, after installing apparmor in the minimal template, it immediately worked without the need to install kernelopts.
I know these options can be set manually, but shouldn’t Qubes 4.1 set these options automatically when apparmor is installed? On my other machine, when I installed apparmor in the minimal template, these options were automatically set if I’m not mistaken. How are these options set in the standard debian-11 template if the qvm-prefs kernelopts options are empty?
Debian has enabled AppArmor by default since the buster release, but Fedora has not. This matters because Qubes is Fedora-based and therefore uses the dom0 (not VM) kernel by default. Therefore this step is still required even though Kicksecure ™ is based on a recent enough Debian version.
Okay, I understand that Qubes uses the dom0 kernel, but the debian-11 default template also uses the dom0 kernel, and it also has an empty response when asked for qvm-prefs kernelopts, which means they are set by the kernel itself, right? It also doesn’t explain the fact that on another machine these parameters were automatically set in my minimal template. Thanks for the replies, just trying to figure it out.