http://bugzilla.novell.com/show_bug.cgi?id=531512 Scott Couston changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |alpha096@virginbroadband.co | |m.au Depends on| |531162 -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=531512 http://bugzilla.novell.com/show_bug.cgi?id=531512#c Katarina Machalkova changed: What |Removed |Added ---------------------------------------------------------------------------- Priority|P5 - None |P3 - Medium Status|NEW |ASSIGNED -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=531512 http://bugzilla.novell.com/show_bug.cgi?id=531512#c3 Jozef Uhliarik changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |juhliarik@novell.com AssignedTo|jsrain@novell.com |juhliarik@novell.com --- Comment #3 from Jozef Uhliarik 2010-03-23 18:24:00 UTC --- OK guys "I am" new maintainer of yast nodule for AppArmor. I try to fix it. -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=531512 https://bugzilla.novell.com/show_bug.cgi?id=531512#c4 --- Comment #4 from Scott Couston 2011-09-08 07:24:05 UTC --- Created an attachment (id=449712) --> (http://bugzilla.novell.com/attachment.cgi?id=449712) Security IS a real Global threat we continue to ignore and provide inadequate protection - See hyperlinks in pdf -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=531512 https://bugzilla.novell.com/show_bug.cgi?id=531512#c Scott Couston changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |NEW Component|AppArmor |AppArmor Version|Final |Milestone 1 AssignedTo|jsrain@suse.com |jeffm@suse.com Product|openSUSE 11.1 |openSUSE 12.1 Target Milestone|--- |Milestone 1 Summary|Yast AppArmor - Unable to |Yast AppArmor - Serious |Save Changes to:- and |Problems with the WHOLE |Serious Problems with the |Collection -Strongly |WHOLE Collection of |Suggest Total Rewrite |AppArmor Icons off YaST | -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=531512 https://bugzilla.novell.com/show_bug.cgi?id=531512#c Christian Boltz changed: What |Removed |Added ---------------------------------------------------------------------------- AssignedTo|jeffm@suse.com |juhliarik@novell.com -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=531512 https://bugzilla.novell.com/show_bug.cgi?id=531512#c7 Jiri Srain changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |NEEDINFO InfoProvider| |scott@aphofis.com AssignedTo|jeffm@suse.com |jsrain@suse.com --- Comment #7 from Jiri Srain 2011-09-29 09:31:37 UTC --- Scott, I'm trying to look into this bug. You are right that the YaST AppArmor module deserves a rewrite, but still think that this can be done continuously as individual components of AppArmor are developing as well; it makes no sense to rewrite YaST knowing that it will have to be rewritten again for next version of AppArmor. To your bug in the initial comment: Security Event Notification is now fixed (in SVN trunk, will go to Factory latest early next week) Security Event Report - where it is not possible .... don't understand this one Security Event Report - where the 'Next" .... fixed in SVN trunk Add Profile Wizard - I could not find the texts which you mentioned anywhere; still valid in Factory? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=531512 https://bugzilla.novell.com/show_bug.cgi?id=531512#c9 --- Comment #9 from Jiri Srain 2011-09-29 12:39:49 UTC --- Add Profile Wizard's first step is now a full-window dialog. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=531512 https://bugzilla.novell.com/show_bug.cgi?id=531512#c11 --- Comment #11 from Scott Couston 2011-10-03 00:42:22 UTC --- Created an attachment (id=454109) --> (http://bugzilla.novell.com/attachment.cgi?id=454109) Image to clarify confusion of Add Profile Wizard - I could not find the texts which you mentioned anywhere; still valid in Factory Jiri - Dont worry - You never insult me at all - Even though most users are volunteers I still treat the project with professionalism. Nothing I write is ever meant to be personal - I have been working in I.T for over 28 years now. I helped create 'secure flight' if you want to google it - The box is in the U.K! I would be most happy to write English technical help/Help Screens in Yast. I have written functional specifications for both technical and non technical audiences countless times. Ask me for anything please :-) I am sure you are aware of the world wide, agreement; for the first time, that the Internet needs to become a great deal more secure. I know there are huge efforts being made to try and achieve this at a very high level. If you look at the dependant bugs you can see my thoughts on Drastically Enhancing Security. In short I thing we can to do a few major things. 1. Get rid of this hopeless external/Internal zone firewall stuff - It offers little security AND hampers any further attempts to increase security. 2. As we do have the processing power, unlike our competitor, we can build an ALG process where we can filter the payload data or the TCP part of HTTP/FTP/VOIP 3. Move ALL data payload traffic to HTTPS/POP3-SSL/FTP-SSL....etc. via the huge implementation of the PKI's world wide in huge numbers, however the problem here is SELF signed certificates...I have many ideas and happy to talk about security - Its my Full-Time job - IPV6 will solve nothing as far as security goes...Sorry for the lengthy texts from me always...:-) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=531512 https://bugzilla.novell.com/show_bug.cgi?id=531512#c13 Jiri Srain changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |NEEDINFO InfoProvider| |suse-beta@cboltz.de --- Comment #13 from Jiri Srain 2011-10-04 11:12:45 UTC --- I tried to reproduce the weird strings, but failed. I fact, I even could not find the dialog in the screenshot, could you, please, specify the version of openSUSE, yast2-apparmor as well as all apparmor packages? Or, could you also reproduce it with 12.1 snapshots? Analyzing current code, there is only one place where these weird strings could get into YaST (all other radio buttons have hardcoded labels), and that comes form AppArmor itself. Cristian, as you helped me during last week, do you have any idea where they can come from? (see screenshot in comment #11) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=531512 https://bugzilla.novell.com/show_bug.cgi?id=531512#c15 --- Comment #15 from Jiri Srain 2011-10-04 12:40:54 UTC --- Looking at the code, the whole dialog (including the buttons below) comes from AppArmor.pm. The YaST code works only as an interpreter here. To enhance the help, it would be desirable that it was provided directly by AppArmor.pm (or at least this one needs to hint YaST that it does not show the usual contents - file, resource, which program accessed and asks for permission - but a profile from the repository. Without this information, YaST has quite a hard time to exchange even the help (well, that would only be possible based on the buttons, which does not sound error-proof). -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=531512 https://bugzilla.novell.com/show_bug.cgi?id=531512#c17 --- Comment #17 from Scott Couston 2011-10-04 22:18:08 UTC --- Jiri, can we move to online help updates, the same way we have functional updated for all yast services?? It would make updates/corrections so easy?...Just a thought -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=531512 https://bugzilla.novell.com/show_bug.cgi?id=531512#c19 --- Comment #19 from Bernhard Wiedemann 2011-10-05 16:00:07 CEST --- This is an autogenerated message for OBS integration: This bug (531512) was mentioned in https://build.opensuse.org/request/show/86668 Factory / yast2-apparmor -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=531512 https://bugzilla.novell.com/show_bug.cgi?id=531512#c21 --- Comment #21 from Jiri Srain 2011-10-06 08:52:54 UTC --- The only log I will need is /var/log/YaST2/y2log at the point of time when the weird dialog is shown. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=531512 https://bugzilla.novell.com/show_bug.cgi?id=531512#c23 Scott Couston changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |NEW InfoProvider|scott@aphofis.com | --- Comment #23 from Scott Couston 2011-10-06 22:32:58 UTC --- Created an attachment (id=454964) --> (http://bugzilla.novell.com/attachment.cgi?id=454964) Log as requested Jiri, I created a Vanilla Installation and Vanilla Apparmour. The log file I attached corresponds to the pictures in the order they were taken on the particular subject. You should be able to match image with log file is ALL instances. Hope this helps. This type of coding should never have got out of University let alone into a World Wide Production System - QA should be hanged and the tester that certified the code to be put online should also hang! -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=531512 https://bugzilla.novell.com/show_bug.cgi?id=531512#c25 --- Comment #25 from Jiri Srain 2011-10-07 10:35:57 UTC --- Scott, is there the screenshot as attached to Comment #11 covered by the log? It seems to me it is not; having it covered would help me detect this situation properly and enhance the usability of this dialog... -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=531512 https://bugzilla.novell.com/show_bug.cgi?id=531512#c27 --- Comment #27 from Scott Couston 2011-10-08 09:19:52 UTC --- Jiri, O.T I really don't normally like testing opensuse beta software. In a commercial sense our opensuse beta release is alpha and release is beta. In this occasion I will load a non production test PC that I have with 12.1. At some time in the future I think all users need to vote on our product life-cycle and question the date driven times which dictate release of a new version. I think we waste far too many man hours just tooling up for release when these could be spent on quality. I think it would be better to have Service Pack Releases. Now on topic we have no facility that forms the delivery method of all Yast apps that have any type of notification. We can set up Apparmour notifications even though the email address field will accept anything and I mean anything...Its is a screen shot example I have given you In fact every screen shot I have given you shows the horrendous errors in almost of of Apparmour and sometime I think it best to remove the whole Apparmour code until it both works and its horrendous errors are corrected! - I know that's not going to happen. On the topic of notifications we see in the installation option 'receive system mail - (to the user) ' this can only be received if we set up system mail. The same goes for apparmour, if it indeed does anything at all in its notifications - I think it time to abandon system mail use, leave the functionality but offer contemporary SMTP/POP/SSL. We could have a notifications heading in Yast for which all notification of ANY apps that has notification fields, like apparmour would use as the global default. I think we must provide contemporary email handling well away from system email config that almost no one knows/or ever configures in their email client. As far as log files - OMG! I think we have to more to the syslog conventions of priority and its liberal message format; disposal to an IP on UDP514 (default), where the can be monitored in realtime. Yes I know its a very small addition to the syslog-ng fconfig file. Keep the log files and log-rotate by all means, but again offer a default notifications list of IP's the default of UDP514 etc but put the log entries into Industry standards! This too could set nicely in the same notifications subset in Yast as well as SMTP/SSL disposal as in the above. I am not going to waist time writing up a feature request for Yast, this could be far easily driven and done inhouse. I'll play with 12.1 for you mate Scott - Sorry for the Epistle:-) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=531512 https://bugzilla.novell.com/show_bug.cgi?id=531512#c29 --- Comment #29 from Scott Couston 2011-10-10 22:35:24 UTC --- Sorry Christian, Comment #27 is very much for you as well It would also be advantageous for you to view all the JPG attachments title of "complete collection of apparmour image bugs" To be perfectly honest, after you view the JPG images, I dont believe Apparmour does anything at all - I hope Global Yast notification addition and Syslog Standards in C#27 has a great deal of merit but like all changes to Yast they must be driven internally and this burden I leave with you and Jiri I cannot stress the importance of viewing all JPG images titled 'complete collection of apparmour image bugs' -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=531512 https://bugzilla.novell.com/show_bug.cgi?id=531512#c31 --- Comment #31 from Christian Boltz 2011-10-11 21:04:48 CEST --- (In reply to comment #29)

Sorry Christian, Comment #27 is very much for you as well It would also be advantageous for you to view all the JPG attachments

I have viewed all the JPGs, and, big surprise, they don't look cryptic to me ;-) because I know enough about AppArmor. That doesn't make the YaST modules really good and easy to use, but explains the problem - people who know AppArmor will also understand the YaST modules (which are basically a clickable GUI for the aa-* commandline tools).

I dont believe Apparmour does anything at all -

Trust me - it does ;-)

I cannot stress the importance of viewing all JPG images titled 'complete collection of apparmour image bugs'

As I said: basically YaST makes the aa-* commandline tools clickable. For people who know AppArmor, that's perfectly fine (I prefer the commandline tools, but that's OT here). For people who don't know anything about AppArmor, the YaST dialogs are as understandable (or not) as the aa-* tools on the commandline. The easiest bugfix would be to recommend to RTFM ;-) (there's a nice chapter about AppArmor in the openSUSE security guide) but I know that users don't like to read the fine manual ;-) even if it would be a very good idea when it comes to security-relevant topics like AppArmor. That said, I agree with Jiri's proposal: name the top 3 issues that should be fixed step by step, and if possible, describe how to make them better. (And please don't read the manual before doing that - you would no longer be a "real user" ;-)) Oh, and BTW: (In reply to comment #27)

[...] this could be far easily driven and done inhouse.

Inhouse? Do you see any @suse.com or @novell.com in my mail address? ;-) I'm "only" a community member who cares about the apparmor package since some months (and about the profiles since a longer time). The reason is fairly simple: I need AppArmor on my servers. Not more, not less ;-) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=531512 https://bugzilla.novell.com/show_bug.cgi?id=531512#c33 --- Comment #33 from Christian Boltz 2011-10-12 00:25:15 CEST --- (In reply to comment #32)

Christian - I never underestimate the good other members do - I cannot comment directly in this form of the different undertone that Yast has. Saying Trust me it works is about as logical as 'Trust me I'm a doctor...(giggles)

As for Yast Apparmour working --- The whole notification Module does nothing....

And that's why 12.1 will not contain the notification module ;-) (see comment #24 for the details). My statement was meant for the things that are available in 12.1, and I'm quite sure they work. And at least my statement was more correct than your "I dont believe Apparmour does anything at all" *g,d&r* BTW: It's "AppArmor", not "AppArmo_u_r" - but your version sounds lovely *SCNR* That said: Let's avoid over-general statements (like "$program is bug-free") - they'll never be 100% correct ;-) Instead, let's get the work done to make openSUSE better!

using the email field to enter Jiri@#######.overworked.com was the perfect example of a field that will ^^^^^^^^^^^^^^ Yes, that's really a perfect example ;-))

-- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=531512 https://bugzilla.novell.com/show_bug.cgi?id=531512#c35 --- Comment #35 from Scott Couston 2011-11-03 21:57:32 UTC --- Sorry Jiri for the Critical but from a user concept there is no proof it works at all. I cannot understand why you wound say Christian that there's nothing wrong in the images. Every single image shows that fields are not validated, infact you can enter anything at all and even use non-asci characters. There is no facility to provide SMTP services for 'email notifications' - The premise that the notification fields reply on system email is not valid. The selection of a severity notification does not hold as modified after setting and reopening the module. Without the ability to provide notifications, having modification made and saved, provide no facility to send out the alerts - Tells me that the Yast Module on Apparmour does nothing and is broken to say the least. Every image shows an error in the GUI that just does not work, or does nothing, or is 'UNUSABLE' - Put you user cap on and stop being a teck...Thats what we all do - we want to make the whole product usable..but then.... I remind myself that NO modification is ever made to Yast as a result of a user issue..I would suggest you not try to convince me otherwise as it would cause your mail server to fal over with all the new message repeats :-0 Yes I understand that all of Yast is a front end to command lines - Microsoft had a product that was totally dependant on command lines once - It died as the premise that every user is also a I.T teck of some sort did not work out too well. Personally I would love nothing more than command line inputs, but without a GUI interface that is usable and works...we will eventually go the way of DOS. The whole reason for the existence of a GUI is that it makes the whole product usable - Personally I dont mind if its there or not, but the rest of the planet certainly does. Until we test every GUI application, front end etc. before RC, our product is doomed for a very very slender part of the world market -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=531512 https://bugzilla.novell.com/show_bug.cgi?id=531512#c37 --- Comment #37 from Scott Couston 2011-11-20 14:51:06 UTC --- My Apologies for the delay – I had a few weeks holiday. With respect to my 'strien' language OOOps...Yes I now understand the bad inference with my spelling AppArmor...Its not easy switching between English US to UK to AU depending on who you are talking to. There is nothing really cryptic about the images and the naming convention of the images. Putting a user GUI hat on we want that user to understand the directory nature of where all applications are stored so the browse button does NOT prepare a user to find application to protect easily. If fact is very hard for a user to fund the files which launch all application if they want to build a propile to protect that application. Likewise we are assuming the user understands the report writer in Yast and what all the library files contain and do...Its not happening for a user in this respect. When I say that AppArmor does not do anything and does not work this is based on the user concept of: If you cannot produce a report that can be understood – It does not work If you cannot set priorities and severities that remain selected once modified, It does not work If you cannot provide email notification on anything – It does not work... For something to work the UI needs to be credible...Its not!The UI also needs to be friendly in the browse box – Its not The UI needs to be able to product a readable report on demand – Its not. The UI needs to be able to notify a user. It can't Just about all fields of the 'Control Panel' are not validated or cannot hold a modification – Therefore – It does not work … The whole setup and flow of the UI is stupid...Select the 'Control Panel' and it opens Configuration I think you get the idea........It may work beautifully as a console input/output so why do we bother to try to create a GUI that 'does not work -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=531512 https://bugzilla.novell.com/show_bug.cgi?id=531512#c39 Scott Couston changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |REOPENED Resolution|WONTFIX | --- Comment #39 from Scott Couston 2011-12-01 20:18:40 UTC --- Jiri at the very least could you please unpack the image files. Viewing them without seeing the file name does not tell you anything about the fault that is in the image file. You can close as wontfix again if you want, but I would ask you to please unpack the image files so you can see that there’s nothing cryptic! The long name of the im,age file is descriptive of the error/bug in the image...Thanks - You know me a little better than writing up lengthy descriptive bug without due concern - Thanks -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=531512 https://bugzilla.novell.com/show_bug.cgi?id=531512#c40 Jiri Srain changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |RESOLVED InfoProvider|jsrain@suse.com | Resolution| |WONTFIX --- Comment #40 from Jiri Srain 2011-12-02 12:03:48 UTC --- Scott, I of course unpacked the archive and checked the images - not all, just few random ones. profile-wizard-1 does not say what is wrong with it. And, additionally, as I said: Because I help with AppArmor module more or less in my spare time, it is hard to track multiple bugs in one report. That's why I asked for one bugreport per bug - and, in order to spend the time as usefully as possible, pick just few which are most important for you for the beginning. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=531512 https://bugzilla.novell.com/show_bug.cgi?id=531512#c Scott Couston changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks|717152 | -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.