https://bugzilla.novell.com/show_bug.cgi?id=482563

Summary: Help in Profile Configuration Only Partially Explains the Difference Between Complain and Enforce
Classification: openSUSE
Product: openSUSE 11.0
Version: Final
Platform: x86-64
OS/Version: openSUSE 11.0
Status: NEW
Severity: Enhancement
Priority: P5 - None
Component: AppArmor
AssignedTo: jeffm@novell.com
ReportedBy: alpha096@virginbroadband.com.au
QAContact: qa@suse.de
Found By: ---

User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-GB; rv:1.9.0.6) Gecko/2009012700 SUSE/3.0.6-0.1 Firefox/3.0.6

The Help in the AppArmor Profile Mode Configuration currently states the difference between Enforce and Complain as being:

"Profile Mode Configuration
This tool allows you to set AppArmor profiles to either complain or enforce mode. Complain mode is a profile training state that logs application activity, but does not restrict the application's behaviour. Profiles in enforce mode are protected by AppArmor"

We do not currently explain very well that it is used before we commit a new profile to enforce a policy. Whilst the new profile is in learning mode and decisions made whilst the profile is yet to be proven as not having a negative impact, we need to leave the profile in Complain Mode. In Complain Mode the user will receive system mail addressed in the notifications area on any possible negative impact.

After we are satisfied that there has been no impact on the normal functions of the application we want to protect, the profile can be set to enforce the new learned values. If any conflicts still remain in the changed or new profile there will be no notification once set to enforce. The learned or changed values will simply be enforced by AppArmor.

Complain Mode is used to enable system mail to be sent to the address in the notifications section; however, Enforce will enforce the new or changed attributes and no notifications will be sent.

You can play with this as much as you wish, Katarina.
What do you think my chances are to request an enhancement for more default profiles - it has not been so good in the past?

Reproducible: Always

Steps to Reproduce:
1. The current help text is quoted above from the application help button.
2.
3.

Actual Results:
Confusion and not a great deal of clarity - most people are scared to death of AppArmor.

Expected Results:
Users should be given the tools to make confident decisions on the creation of new profiles via help.

Katarina, God I wish we could do something in the future to sort out our firewall - I have so many more useful ideas on changing it a great deal. The way it is, it really only helps those users who use their PCs and 2 NICs to route their comms. For the vast number who let their hardware do that job, rather than waste a PC, our current firewall just isn't much help. Not many use a PC to do their comms, host the web site and provide DNS services. It's just too cheap to host your site off-line with no back-up/data loss scenarios and let your hardware do what it was designed to do.

And I am a security consultant - I will always recommend hardware security and routing above a PC - stealth and protection start at the plug in the wall and finish with the desktop, not vice versa.

Anyway, there is so much good we could do here - but I can tell you - NO one ever gets anyone to even listen when YaST changes are involved.

Thanks for the encouragement Katarina - where has my coffee and smokes gone to now........?