https://bugzilla.novell.com/show_bug.cgi?id=722915
https://bugzilla.novell.com/show_bug.cgi?id=722915#c0

Summary: AppArmor documentation outdated
Classification: openSUSE
Product: openSUSE 12.1
Version: Factory
Platform: Other
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Documentation
AssignedTo: ke@suse.com
ReportedBy: suse-beta@cboltz.de
QAContact: ke@suse.com
Found By: ---
Blocker: ---

I just noticed that the AppArmor documentation in the security guide is outdated.

http://doc.opensuse.org/products/opensuse/openSUSE/opensuse-security/cha.app...
"18.5. Configuring Novell AppArmor Event Notification and Reports"

Please hide this section - reporting is not available in 12.1 (aa-eventd isn't maintained upstream, and doesn't understand the (not-so-)new audit.log format)

http://doc.opensuse.org/products/opensuse/openSUSE/opensuse-security/cha.app...
"20.11. Setting Capabilities per Profile"

"set capabilities" was dropped upstream - please remove this section

http://doc.opensuse.org/products/opensuse/openSUSE/opensuse-security/cha.app...

The online profile repository is disabled by default now - therefore most of this chapter should be hidden. The local profile repository /etc/apparmor/profiles/extras still exists.

http://doc.opensuse.org/products/opensuse/openSUSE/opensuse-security/cha.app...
"22.5. Updating Profiles from Log Entries"

The box "Support for the External Profile Repository" should be hidden.

"22.6. Managing Novell AppArmor and Security Event Status"

Event notification depends on the (unmaintained) aa-eventd - please remove the parts about notification. You might also want to create a new screenshot.

http://doc.opensuse.org/products/opensuse/openSUSE/opensuse-security/cha.app...
has another reference to the online profile repo.

http://doc.opensuse.org/products/opensuse/openSUSE/opensuse-security/cha.app...
"26.1. Monitoring Your Secured Applications"
"26.2. Configuring Security Event Notification"
"26.3. Configuring Reports"

are all about reports, which depend on aa-eventd and are not available in 12.1. Please hide those sections.

26.4. Configuring and Using the AppArmor Desktop Monitor Applet

The Gnome desktop applet is obsolete. It was replaced by aa-notify, which can be started with:

    sudo DISPLAY=$DISPLAY /usr/sbin/aa-notify -p

You also have to edit /etc/apparmor/notify.conf - change use_group to a group where your user is a member.

BTW: the need for handing over $DISPLAY is caused by the very secure sudo config in openSUSE - it resets most environment variables. Maybe I get a more user-friendly way implemented upstream, but I'm afraid you'll always have to hand over $DISPLAY (or $DBUS_SESSION_BUS_ADDRESS) to aa-notify.

Yes, I'm aware that this isn't a perfect solution, but it's the best I can offer for 12.1.

http://doc.opensuse.org/products/opensuse/openSUSE/opensuse-security/cha.app...
"27.4.5. Why are the Reports not Sent by E-Mail?"

Another usage of aa-eventd - please hide.

So far, so good. That was enough text to hide (don't delete it, reporting might come back and then you can re-use it ;-)

There are also several things that need to be changed/updated:

http://doc.opensuse.org/products/opensuse/openSUSE/opensuse-security/cha.app...
contains several outdated links:

- http://www.novell.com/linux/security/apparmor// now redirects to a general page about security. Please change it to http://wiki.apparmor.net
- http://www.novell.com/documentation/apparmor/ contains terribly outdated documentation because the apparmor guide was merged into the security guide. Please change the link to the security guide.
- the mailing lists have been merged into one and moved to https://lists.ubuntu.com/mailman/listinfo/apparmor

http://doc.opensuse.org/products/opensuse/openSUSE/opensuse-security/cha.app...

http://en.opensuse.org/AppArmor_Geeks has been moved to http://en.opensuse.org/SDB:AppArmor_geeks

http://doc.opensuse.org/products/opensuse/openSUSE/opensuse-security/cha.app...
"27.4.6. How to Exclude Certain Profiles from the List of Profiles Used?"

There's an easier way now - run "aa-disable". It will create a symlink in /etc/apparmor.d/disable. To re-enable the profile, delete the symlink. (This method has the advantage that a profile doesn't reappear after updating the apparmor-profiles package.)

"27.4.8. How to Spot and fix AppArmor Syntax Errors?"

Additional method: Open the buggy profile in vi. The syntax highlighting will mark lines with syntax errors with red background.

And finally there are some things that are not documented yet:

aa-notify partly replaces aa-eventd - besides the desktop notification, it can print reports based on the audit.log. This can also be used to mail daily reports by using

    aa-notify -s 1 -v | mail -s 'AppArmor report' user@host

in a cronjob.

http://doc.opensuse.org/products/opensuse/openSUSE/opensuse-security/cha.app...
does not mention the "cx" (execute in child profile) permissions, and maybe other new profile rules.

There are probably some more things the documentation doesn't cover yet. See

http://wiki.apparmor.net/index.php/ReleaseNotes_2_4
http://wiki.apparmor.net/index.php/ReleaseNotes_2_5
http://wiki.apparmor.net/index.php/ReleaseNotes_2_6
http://wiki.apparmor.net/index.php/ReleaseNotes_2_7

for the changelogs.

If you have questions, feel free to ask ;-)
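
An added example (not part of the original bug report, and not code from the AppArmor project): a read-only shell audit of the disable directory mentioned under 27.4.6, reporting which profiles are currently switched off by a symlink. It assumes each symlink carries the same file name as the profile it disables; the function names and the state labels are made up for this illustration.

```shell
#!/bin/sh
# Audit the AppArmor "disable" directory. Nothing is modified; the profile
# directory is a parameter so the check can run against a copy.

# list_disabled PROFILE_DIR
# Prints one line per entry found in PROFILE_DIR/disable:
#   disabled <name>  symlink resolves and PROFILE_DIR/<name> exists
#   dangling <name>  symlink left behind after the profile went away
#   notlink  <name>  regular file or directory, not a symlink
list_disabled() {
    dir=${1:-/etc/apparmor.d}
    [ -d "$dir/disable" ] || return 0
    for entry in "$dir"/disable/*; do
        # An unmatched glob stays literal; skip it. -L catches broken links.
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        name=${entry##*/}
        if [ ! -L "$entry" ]; then
            echo "notlink $name"
        elif [ -e "$entry" ] && [ -f "$dir/$name" ]; then
            echo "disabled $name"
        else
            echo "dangling $name"
        fi
    done
}

# count_state PROFILE_DIR STATE
# Prints how many entries are in the given state (grep -c prints 0 on no match).
count_state() {
    list_disabled "$1" | grep -c "^$2 " || true
}

# Stand-alone use: audit the directory given as first argument,
# or /etc/apparmor.d when none is given.
list_disabled "${1:-/etc/apparmor.d}"
```

A "disabled" line is an application that currently runs without its profile; a "dangling" line is a leftover symlink that can be deleted.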