[yast-commit] r56164 - in /trunk/apparmor/src: clients/ include/subdomain/
Author: kmachalkova
Date: Mon Mar 16 17:44:35 2009
New Revision: 56164
URL: http://svn.opensuse.org/viewcvs/yast?rev=56164&view=rev
Log:
"One of these days I'm going to cut you into
little pieces"
Pink Floyd - Meddle & bnc#384170
Added:
trunk/apparmor/src/include/subdomain/helps.ycp (contents, props changed)
- copied, changed from r55996, trunk/apparmor/src/include/subdomain/event_notification_helptext.ycp
trunk/apparmor/src/include/subdomain/report_helptext.ycp
Removed:
trunk/apparmor/src/include/subdomain/event_notification_helptext.ycp
Modified:
trunk/apparmor/src/clients/GenProf.ycp
trunk/apparmor/src/clients/LogProf.ycp
trunk/apparmor/src/include/subdomain/Makefile.am
trunk/apparmor/src/include/subdomain/apparmor_profile_check.ycp
trunk/apparmor/src/include/subdomain/capabilities.ycp
trunk/apparmor/src/include/subdomain/profile_dialogs.ycp
trunk/apparmor/src/include/subdomain/sd-config.ycp
Modified: trunk/apparmor/src/clients/GenProf.ycp
URL: http://svn.opensuse.org/viewcvs/yast/trunk/apparmor/src/clients/GenProf.ycp?rev=56164&r1=56163&r2=56164&view=diff
==============================================================================
--- trunk/apparmor/src/clients/GenProf.ycp (original)
+++ trunk/apparmor/src/clients/GenProf.ycp Mon Mar 16 17:44:35 2009
@@ -15,6 +15,7 @@
include "subdomain/apparmor_profile_check.ycp";
include "subdomain/apparmor_packages.ycp";
include "subdomain/apparmor_ycp_utils.ycp";
+ include "subdomain/helps.ycp";
textdomain "yast2-apparmor";
boolean done = false;
@@ -72,142 +73,7 @@
string command = "CMD_ABORT";
string title = agent_data["title"]:_("AppArmor Profile Wizard");
- string helptext = agent_data["helptext"]:_(" <b>AppArmor Profiling Wizard</b><br>
- This wizard presents entries generated by the AppArmor access control module. You can generate highly optimized and robust security profiles by using the suggestions made by AppArmor. AppArmor suggests that you allow or deny access to specific resources or define execute permission for entries. These questions that display were logged during the normal application execution test previously performed. <br>
- The following help text describes the detail of the security profile syntax used by AppArmor. <br><br>At any stage, you may customize the profile entry by changing the suggested response. This overview will assist you in your options. Refer to the Novell AppArmor Administration Guide for step-by-step instructions. <br><br>
- <b>Access Modes</b><br>
-
- File permission access modes consists of combinations of
- the following six modes:
-
-<ul> <li>r - read</li>
- <li>w - write</li>
- <li>m - mmap PROT_EXEC</li>
- <li>px - discrete profile execute</li>
- <li>ux - unconfined execute</li>
- <li>ix - inherit execute</li>
- <li>l - link</li>
-</ul>
-<p>
- <br> <b>Details for Access Modes</b>
-<br><br>
- <b>Read mode</b><br>
- Allows the program to have read access to the
- resource. Read access is required for shell scripts
- and other interpreted content, and determines if an
- executing process can core dump or be attached to with
- ptrace(2). (ptrace(2) is used by utilities such as
- strace(1), ltrace(1), and gdb(1).)
- <br>
- <br>
- <b>Write mode</b><br>
- Allows the program to have write access to the
- resource. Files must have this permission if they are
- to be unlinked (removed.)
- <br>
- <br>
- <b>Mmap PROT_EXEC mode</b><br>
- Allows the program to call mmap with PROT_EXEC on the
- resource.
- <br>
- <br>
-
-
- <b>Unconfined execute mode</b><br>
-
- Allows the program to execute the resource without any
- AppArmor profile being applied to the executed
- resource. Requires listing execute mode as well.
- Incompatible with Inherit and Discrete Profile execute
- entries.
- <br><br>
-
- This mode is useful when a confined program needs to
- be able to perform a privileged operation, such as
- rebooting the machine. By placing the privileged section
- in another executable and granting unconfined
- execution rights, it is possible to bypass the mandatory
- constraints imposed on all confined processes.
- For more information on what is constrained, see the
- subdomain(7) man page.
-<br><br> <b>Discrete Profile execute mode</b><br>
- This mode requires that a discrete security profile is
- defined for a resource executed at a AppArmor domain
- transition. If there is no profile defined then the
- access will be denied. Incompatible with Inherit and
- Unconstrained execute entries.
- <br>
- <br>
- <b>Link mode</b><br>
- Allows the program to be able to create and remove a
- link with this name (including symlinks). When a link
- is created, the file that is being linked to MUST have
- the same access permissions as the link being created
- (with the exception that the destination does not have
- to have link access.) Link access is required for
- unlinking a file.
- <br>
- <br>
- <b>Globbing</b>
- <br>
- <br>
- File resources may be specified with a globbing syntax
- similar to that used by popular shells, such as csh(1),
- bash(1), zsh(1).
- <br>
-
- <ul>
- <li><b>*</b> can substitute for any number of characters, excepting
- '/'<li>
-
- <li><b>**</b> can substitute for any number of characters, including '/'</li>
-
-
- <li><b>?</b> can substitute for any single character excepting '/'</li>
-
- <li><b>[abc]</b> will substitute for the single character a, b, or c</li>
-
- <li><b>[a-c]</b> will substitute for the single character a, b, or c</li>
-
- <li><b>{ab,cd}</b> will expand to one rule to match ab, one rule to match
- cd</li>\n
- </ul>
-
- <br>
- <br>
- <b>Clean Exec - for sanitized execution</b>
- <br>
- <br>
- The Clean Exec option for the discrete profile and unconstrained
- execute permissions provide added security by stripping the
- environment that is inherited by the child program of specific
- variables. You will be prompted to choose whether you want to sanitize the
- enviroment if you choose 'p' or 'u' during the profiling process.
- The variables are:
- <ul>
- <li>GCONV_PATH</li>
- <li>GETCONF_DIR</li>
- <li>HOSTALIASES</li>
- <li>LD_AUDIT</li>
- <li>LD_DEBUG</li>
- <li>LD_DEBUG_OUTPUT</li>
- <li>LD_DYNAMIC_WEAK</li>
- <li>LD_LIBRARY_PATH</li>
- <li>LD_ORIGIN_PATH</li>
- <li>LD_PRELOAD</li>
- <li>LD_PROFILE</li>
- <li>LD_SHOW_AUXV</li>
- <li>LD_USE_LOAD_BIAS</li>
- <li>LOCALDOMAIN</li>
- <li>LOCPATH</li>
- <li>MALLOC_TRACE</li>
- <li>NLSPATH</li>
- <li>RESOLV_HOST_CONF</li>
- <li>RES_OPTION</li>
- <li>TMPDIR</li>
- <li>TZDIR</li> </ul>
-");
-
+ string helptext = agent_data["helptext"]: helps["profileWizard"]:"";
list<string> headers = agent_data["headers"]:[];
list<string> options = agent_data["options"]:[];
list<string> functions = agent_data["functions"]:["CMD_ABORT"];
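Review bot: The new default on the helptext line, `agent_data["helptext"]: helps["profileWizard"]:""`, falls back to an empty string, so a missing or misspelled "profileWizard" key in helps.ycp would silently leave the wizard with no help text, where the removed literal always supplied one. The part of helps.ycp visible in this mail starts with "EventNotifyHelpText" and does not reach a "profileWizard" entry, so please confirm the key exists and carries the full removed text, in particular the unconfined execute (ux) description and the Clean Exec variable list (LD_PRELOAD, LD_LIBRARY_PATH and the rest), since that is the guidance users read when granting execute permissions.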
Modified: trunk/apparmor/src/clients/LogProf.ycp
URL: http://svn.opensuse.org/viewcvs/yast/trunk/apparmor/src/clients/LogProf.ycp?rev=56164&r1=56163&r2=56164&view=diff
==============================================================================
--- trunk/apparmor/src/clients/LogProf.ycp (original)
+++ trunk/apparmor/src/clients/LogProf.ycp Mon Mar 16 17:44:35 2009
@@ -15,6 +15,7 @@
include "subdomain/apparmor_packages.ycp";
include "subdomain/apparmor_profile_check.ycp";
include "subdomain/apparmor_ycp_utils.ycp";
+ include "subdomain/helps.ycp";
textdomain "yast2-apparmor";
boolean done = false;
@@ -72,140 +73,7 @@
string command = "CMD_ABORT";
string title = agent_data["title"]:_("AppArmor Profile Wizard");
- string helptext = agent_data["helptext"]:_(" <b>AppArmor Profiling Wizard</b><br>
- This wizard presents entries generated by the AppArmor access control module. You can generate highly optimized and robust security profiles by using the suggestions made by AppArmor. AppArmor suggests that you allow or deny access to specific resources or define execute permission for entries. These questions that display were logged during the normal application execution test previously performed. <br>
- The following help text describes the detail of the security profile syntax used by AppArmor. <br><br>At any stage, you may customize the profile entry by overriding the suggestion. This overview will assist you in your options. Refer to the Novell AppArmor Administration Guide for step-by-step instructions.<br><br>
-
- <b>Access Modes</b><br>
-
- File permission access modes consists of combinations of
- the following six modes:
-
-<ul> <li>r - read</li>
- <li>w - write</li>
- <li>m - mmap PROT_EXEC</li>
- <li>px - discrete profile execute</li>
- <li>ux - unconfined execute</li>
- <li>ix - inherit execute</li>
- <li>l - link</li>
-</ul>
-<p><br>
- <b>Details for Access Modes</b>
-<br><br>
- <b>Read mode</b><br>
- Allows the program to have read access to the
- resource. Read access is required for shell scripts
- and other interpreted content, and determines if an
- executing process can core dump or be attached to with
- ptrace(2). (ptrace(2) is used by utilities such as
- strace(1), ltrace(1), and gdb(1).)
- <br>
- <br>
- <b>Write mode</b><br>
- Allows the program to have write access to the
- resource. Files must have this permission if they are
- to be unlinked (removed.)
- <br>
- <br>
- <b>Mmap PROT_EXEC mode</b><br>
- Allows the program to call mmap with PROT_EXEC on the
- resource.
- <br>
- <br>
-
-
- <b>Unconfined execute mode</b><br>
-
- Allows the program to execute the resource without any
- AppArmor profile being applied to the executed
- resource. Requires listing execute mode as well.
- Incompatible with Inherit and Discrete Profile execute
- entries.
- <br><br>
-
- This mode is useful when a confined program needs to
- be able to perform a privileged operation, such as
- rebooting the machine. By placing the privileged section
- in another executable and granting unconfined execution rights,
- it is possible to bypass the mandatory
- constraints imposed on all confined processes.
- For more information on what is constrained, see the
- subdomain(7) man page.
-<br><br> <b>Discrete Profile execute mode</b><br>
- This mode requires that a discrete security profile is
- defined for a resource executed at a AppArmor domain
- transition. If there is no profile defined then the
- access will be denied. Incompatible with Inherit and
- Unconstrained execute entries.
- <br>
- <br>
- <b>Link mode</b><br>
- Allows the program to be able to create and remove a
- link with this name (including symlinks). When a link
- is created, the file that is being linked to MUST have
- the same access permissions as the link being created
- (with the exception that the destination does not have
- to have link access.) Link access is required for
- unlinking a file.
- <br>
- <br>
- <b>Globbing</b>
- <br>
- <br>
- File resources may be specified with a globbing syntax
- similar to that used by popular shells, such as csh(1),
- bash(1), zsh(1).
- <br>
-
- <ul>
- <li><b>*</b> can substitute for any number of characters, excepting
- '/'<li>
-
- <li><b>**</b> can substitute for any number of characters, including '/'</li>
-
-
- <li><b>?</b> can substitute for any single character excepting '/'</li>
- <li><b>[abc]</b> will substitute for the single character a, b, or c</li>
- <li><b>[a-c]</b> will substitute for the single character a, b, or c</li>
- <li><b>{ab,cd}</b> will expand to one rule to match ab, one rule to match cd</li>\n
- </ul>
-
- <br>
- <br>
- <b>Clean Exec - for sanitized execution</b>
- <br>
- <br>
- The Clean Exec option for the discrete profile and unconstrained
- execute permissions provide added security by stripping the
- enviroment that is inherited by the child program of specific
- variables. You will be prompted to choose whether you want to sanitize the
- environment if you choose 'p' or 'u' during the profiling process.
- The variables are:
- <ul>
- <li>GCONV_PATH</li>
- <li>GETCONF_DIR</li>
- <li>HOSTALIASES</li>
- <li>LD_AUDIT</li>
- <li>LD_DEBUG</li>
- <li>LD_DEBUG_OUTPUT</li>
- <li>LD_DYNAMIC_WEAK</li>
- <li>LD_LIBRARY_PATH</li>
- <li>LD_ORIGIN_PATH</li>
- <li>LD_PRELOAD</li>
- <li>LD_PROFILE</li>
- <li>LD_SHOW_AUXV</li>
- <li>LD_USE_LOAD_BIAS</li>
- <li>LOCALDOMAIN</li>
- <li>LOCPATH</li>
- <li>MALLOC_TRACE</li>
- <li>NLSPATH</li>
- <li>RESOLV_HOST_CONF</li>
- <li>RES_OPTION</li>
- <li>TMPDIR</li>
- <li>TZDIR</li> </ul>
-
-");
-
+ string helptext = agent_data["helptext"]:helps["profileWizard"]:"";
list<string> headers = agent_data["headers"]:[];
list<string> options = agent_data["options"]:[];
list<string> functions = agent_data["functions"]:["CMD_ABORT"];
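Review bot: The literal removed here is not identical to the one removed from GenProf.ycp ("by overriding the suggestion" here, "by changing the suggested response" there), so pointing both clients at helps["profileWizard"] changes the wording for one of them; please say which variant was kept. The removed text also has defects that should not be copied into the shared entry: "the following six modes" introduces a list of seven, the first globbing item ends in `'/'<li>` instead of `</li>`, a literal `\n` follows the {ab,cd} item, and "enviroment" is misspelled. The spacing of the new line also differs from GenProf.ycp (`:helps[...]` here, `: helps[...]` there).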
Modified: trunk/apparmor/src/include/subdomain/Makefile.am
URL: http://svn.opensuse.org/viewcvs/yast/trunk/apparmor/src/include/subdomain/Makefile.am?rev=56164&r1=56163&r2=56164&view=diff
==============================================================================
--- trunk/apparmor/src/include/subdomain/Makefile.am (original)
+++ trunk/apparmor/src/include/subdomain/Makefile.am Mon Mar 16 17:44:35 2009
@@ -6,7 +6,7 @@
apparmor_ycp_utils.ycp \
capabilities.ycp \
config_complain.ycp \
- event_notification_helptext.ycp \
+ helps.ycp \
profile_dialogs.ycp \
report_helptext.ycp \
reporting_archived_dialogs.ycp \
Modified: trunk/apparmor/src/include/subdomain/apparmor_profile_check.ycp
URL: http://svn.opensuse.org/viewcvs/yast/trunk/apparmor/src/include/subdomain/apparmor_profile_check.ycp?rev=56164&r1=56163&r2=56164&view=diff
==============================================================================
--- trunk/apparmor/src/include/subdomain/apparmor_profile_check.ycp (original)
+++ trunk/apparmor/src/include/subdomain/apparmor_profile_check.ycp Mon Mar 16 17:44:35 2009
@@ -34,18 +34,18 @@
if ( syntax_ok == false ) {
string headline = _("Errors found in AppArmor profiles");
errmsg = _("<p>These problems must be corrected before AppArmor can be \
- started or the profile management tools can be used.</p> ")
+started or the profile management tools can be used.</p> ")
+ "<p>" + errmsg + "</p>"
+ _("<p>You can find a description of AppArmor profile syntax by \
- running ")
+running ")
+ "<code>man apparmor.d</code></p>"
+ _("<p>Comprehensive documentation about AppArmor is available in \
- the Administration guide. This is available in the \
- directory: ")
+the Administration guide. This is available in the \
+directory: ")
+ "</p>"
+ "<code>/usr/share/doc/manual/suselinux-manual_LANGUAGE</code>. "
+ _("<p>Please refer to this for more detailed information about \
- AppArmor</p>");
+AppArmor</p>");
Popup::LongText( headline, `RichText(errmsg), 55, 15);
}
return( syntax_ok );
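Review bot: In the "Comprehensive documentation" string the paragraph is closed by `+ "</p>"` before the `<code>/usr/share/doc/manual/suselinux-manual_LANGUAGE</code>` path is appended, so the sentence ending in "directory:" is cut off from the path it introduces and the trailing ". " lands outside any paragraph; move the `</p>` after the path. While these strings are being touched, note also that errmsg is concatenated between `<p>` tags and handed to RichText: if it can contain text taken from a profile or from parser output, any `<` or `&` in it would be interpreted as markup, so it should be escaped before concatenation.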
Modified: trunk/apparmor/src/include/subdomain/capabilities.ycp
URL: http://svn.opensuse.org/viewcvs/yast/trunk/apparmor/src/include/subdomain/capabilities.ycp?rev=56164&r1=56163&r2=56164&view=diff
==============================================================================
--- trunk/apparmor/src/include/subdomain/capabilities.ycp (original)
+++ trunk/apparmor/src/include/subdomain/capabilities.ycp Mon Mar 16 17:44:35 2009
@@ -18,55 +18,71 @@
"chown" :
$[
"name" : "CAP_CHOWN",
- "info" : _("<ul><li>In a system with the [_POSIX_CHOWN_RESTRICTED] option defined, this overrides the restriction of changing file ownership and group ownership.</li></ul>"),
+ "info" : _("<ul><li>In a system with the [_POSIX_CHOWN_RESTRICTED] option defined,
+this overrides the restriction of changing file ownership
+and group ownership.</li></ul>"),
],
"dac_override" :
$[
"name" : "CAP_DAC_OVERRIDE",
- "info" : _("<ul><li>Override all DAC access, including ACL execute access if [_POSIX_ACL] is defined. Excluding DAC access covered by CAP_LINUX_IMMUTABLE.</li></ul>"),
+ "info" : _("<ul><li>Override all DAC access, including ACL execute access if
+[_POSIX_ACL] is defined. Excluding DAC access covered by CAP_LINUX_IMMUTABLE.</li></ul>"),
],
"dac_read_search" :
$[
"name" : "CAP_DAC_READ_SEARCH",
- "info" : _("<ul><li>Overrides all DAC restrictions regarding read and search on files and directories, including ACL restrictions if [_POSIX_ACL] is defined. Excluding DAC access covered by CAP_LINUX_IMMUTABLE. </li></ul>"),
+ "info" : _("<ul><li>Overrides all DAC restrictions regarding read and search
+on files and directories, including ACL restrictions if [_POSIX_ACL] is defined.
+Excluding DAC access covered by CAP_LINUX_IMMUTABLE. </li></ul>"),
],
"fowner" :
$[
"name" : "CAP_FOWNER",
- "info" : _("<ul><li>Overrides all restrictions about allowed operations on files, where file owner ID must be equal to the user ID, except where CAP_FSETID is applicable. It doesn't override MAC and DAC restrictions. </li></ul>"),
+ "info" : _("<ul><li>Overrides all restrictions about allowed operations on files,
+where file owner ID must be equal to the user ID, except where CAP_FSETID is
+applicable. It doesn't override MAC and DAC restrictions. </li></ul>"),
],
"fsetid" :
$[
"name" : "CAP_FSETID",
- "info" : _("<ul><li>Overrides the following restrictions that the effective user ID shall match the file owner ID when setting the S_ISUID and S_ISGID bits on that file; that the effective group ID (or one of the supplementary group IDs) shall match the file owner ID when setting the S_ISGID bit on that file; that the S_ISUID and S_ISGID bits are cleared on successful return from chown(2) (not implemented). </li></ul>"),
+ "info" : _("<ul><li>Overrides the following restrictions that the effective user
+ID shall match the file owner ID when setting the S_ISUID and S_ISGID bits on that
+file; that the effective group ID (or one of the supplementary group IDs) shall match
+the file owner ID when setting the S_ISGID bit on that file; that the S_ISUID and
+S_ISGID bits are cleared on successful return from chown(2) (not implemented). </li></ul>"),
],
"kill" :
$[
"name" : "CAP_KILL",
- "info" : _("<ul><li>Overrides the restriction that the real or effective user ID of a process sending a signal must match the real or effective user ID of the process receiving the signal.</li></ul>"),
+ "info" : _("<ul><li>Overrides the restriction that the real or effective user ID
+of a process sending a signal must match the real or effective user ID of the process
+receiving the signal.</li></ul>"),
],
"setgid" :
$[
"name" : "CAP_SETGID",
- "info" : _("<ul><li>Allows setgid(2) manipulation </li> <li> Allows setgroups(2) </li> <li> Allows forged gids on socket credentials passing. </li></ul>"),
+ "info" : _("<ul><li>Allows setgid(2) manipulation </li> <li> Allows setgroups(2) </li>
+<li> Allows forged gids on socket credentials passing. </li></ul>"),
],
"setuid" :
$[
"name" : "CAP_SETUID",
- "info" : _("<ul><li>Allows setuid(2) manipulation (including fsuid) </li> <li> Allows forged pids on socket credentials passing. </li></ul>"),
+ "info" : _("<ul><li>Allows setuid(2) manipulation (including fsuid) </li>
+<li> Allows forged pids on socket credentials passing. </li></ul>"),
],
"setpcap" :
$[
"name" : "CAP_SETPCAP",
- "info" : _("<ul><li> Transfer any capability in your permitted set to any pid, remove any capability in your permitted set from any pid</li></ul>"),
+ "info" : _("<ul><li> Transfer any capability in your permitted set to any pid,
+remove any capability in your permitted set from any pid</li></ul>"),
],
"linux_immutable" :
@@ -78,7 +94,8 @@
"net_bind_service" :
$[
"name" : "CAP_NET_BIND_SERVICE",
- "info" : _("<ul><li>Allows binding to TCP/UDP sockets below 1024 </li> <li> Allows binding to ATM VCIs below 32</li></ul>"),
+ "info" : _("<ul><li>Allows binding to TCP/UDP sockets below 1024 </li>
+<li> Allows binding to ATM VCIs below 32</li></ul>"),
],
"net_broadcast" :
@@ -90,19 +107,35 @@
"net_admin" :
$[
"name" : "CAP_NET_ADMIN",
- "info" : _("<ul><li> Allow interface configuration</li> <li> Allow administration of IP firewall, masquerading and accounting</li> <li> Allow setting debug option on sockets</li> <li> Allow modification of routing tables</li> <li> Allow setting arbitrary process / process group ownership on sockets</li> <li> Allow binding to any address for transparent proxying</li> <li> Allow setting TOS (type of service)</li> <li> Allow setting promiscuous mode</li> <li> Allow clearing driver statistics</li> <li> Allow multicasting</li> <li> Allow read/write of device-specific registers</li> <li> Allow activation of ATM control sockets </li></ul>"),
+ "info" : _("<ul><li> Allow interface configuration</li>
+<li> Allow administration of IP firewall, masquerading and accounting</li>
+<li> Allow setting debug option on sockets</li>
+<li> Allow modification of routing tables</li>") +
+
+_("<li> Allow setting arbitrary process / process group ownership on sockets</li>
+<li> Allow binding to any address for transparent proxying</li>
+<li> Allow setting TOS (type of service)</li>
+<li> Allow setting promiscuous mode</li>
+<li> Allow clearing driver statistics</li>") +
+
+_("<li> Allow multicasting</li>
+<li> Allow read/write of device-specific registers</li>
+<li> Allow activation of ATM control sockets </li>
+</ul>"),
],
"net_raw" :
$[
"name" : "CAP_NET_RAW",
- "info" : _("<ul><li> Allow use of RAW sockets</li> <li> Allow use of PACKET sockets </li></ul>"),
+ "info" : _("<ul><li> Allow use of RAW sockets</li>
+<li> Allow use of PACKET sockets </li></ul>"),
],
"ipc_lock" :
$[
"name" : "CAP_IPC_LOCK",
- "info" : _("<ul><li> Allow locking of shared memory segments</li> <li> Allow mlock and mlockall (which doesn't really have anything to do with IPC) </li></ul>"),
+ "info" : _("<ul><li> Allow locking of shared memory segments</li>
+<li> Allow mlock and mlockall (which doesn't really have anything to do with IPC) </li></ul>"),
],
"ipc_owner" :
@@ -114,13 +147,15 @@
"sys_module" :
$[
"name" : "CAP_SYS_MODULE",
- "info" : _("<ul><li> Insert and remove kernel modules - modify kernel without limit</li> <li> Modify cap_bset </li></ul>"),
+ "info" : _("<ul><li> Insert and remove kernel modules - modify kernel without limit</li>
+<li> Modify cap_bset </li></ul>"),
],
"sys_rawio" :
$[
"name" : "CAP_SYS_RAWIO",
- "info" : _("<ul><li> Allow ioperm/iopl access</li> <li> Allow sending USB messages to any device via /proc/bus/usb </li></ul>"),
+ "info" : _("<ul><li> Allow ioperm/iopl access</li>
+<li> Allow sending USB messages to any device via /proc/bus/usb </li></ul>"),
],
"sys_chroot" :
@@ -144,7 +179,47 @@
"sys_admin" :
$[
"name" : "CAP_SYS_ADMIN",
- "info" : _("<ul><li> Allow configuration of the secure attention key</li> <li> Allow administration of the random device</li> <li> Allow examination and configuration of disk quotas</li> <li> Allow configuring the kernel's syslog (printk behaviour)</li> <li> Allow setting the domain name</li> <li> Allow setting the hostname</li> <li> Allow calling bdflush()</li> <li> Allow mount() and umount(), setting up new smb connection</li> <li> Allow some autofs root ioctls</li> <li> Allow nfsservctl</li> <li> Allow VM86_REQUEST_IRQ</li> <li> Allow to read/write pci config on alpha</li> <li> Allow irix_prctl on mips (setstacksize)</li> <li> Allow flushing all cache on m68k (sys_cacheflush)</li> <li> Allow removing semaphores</li> <li> Used instead of CAP_CHOWN to \"chown\" IPC message queues, semaphores and shared memory</li> <li> Allow locking/unlocking of shared memory segment</li> <li> Allow turning swap on/off</li> <li> Allow forged pids on socket credentials passing</li> <li> Allow setting read ahead and flushing buffers on block devices</li> <li> Allow setting geometry in floppy driver</li> <li> Allow turning DMA on/off in xd driver</li> <li> Allow administration of md devices (mostly the above, but some extra ioctls)</li> <li> Allow tuning the ide driver</li> <li> Allow access to the nvram device</li> <li> Allow administration of apm_bios, serial and bttv (TV) device</li> <li> Allow manufacturer commands in isdn CAPI support driver</li> <li> Allow reading non-standardized portions of pci configuration space</li> <li> Allow DDI debug ioctl on sbpcd driver</li> <li> Allow setting up serial ports</li> <li> Allow sending raw qic-117 commands</li> <li> Allow enabling/disabling tagged queuing on SCSI controllers and sending arbitrary SCSI commands</li> <li> Allow setting encryption key on loopback filesystem </li></ul>"),
+ "info" : _("<ul><li> Allow configuration of the secure attention key</li>
+<li> Allow administration of the random device</li>
+<li> Allow examination and configuration of disk quotas</li>
+<li> Allow configuring the kernel's syslog (printk behaviour)</li>") +
+
+_("<li> Allow setting the domain name</li>
+<li> Allow setting the hostname</li>
+<li> Allow calling bdflush()</li>
+<li> Allow mount() and umount(), setting up new smb connection</li>
+<li> Allow some autofs root ioctls</li>") +
+
+_("<li> Allow nfsservctl</li>
+<li> Allow VM86_REQUEST_IRQ</li>
+<li> Allow to read/write pci config on alpha</li>
+<li> Allow irix_prctl on mips (setstacksize)</li>
+<li> Allow flushing all cache on m68k (sys_cacheflush)</li>") +
+
+_("<li> Allow removing semaphores</li>
+<li> Used instead of CAP_CHOWN to \"chown\" IPC message queues, semaphores and shared memory</li>
+<li> Allow locking/unlocking of shared memory segment</li>
+<li> Allow turning swap on/off</li>
+<li> Allow forged pids on socket credentials passing</li>") +
+
+_("<li> Allow setting read ahead and flushing buffers on block devices</li>
+<li> Allow setting geometry in floppy driver</li>
+<li> Allow turning DMA on/off in xd driver</li>
+<li> Allow administration of md devices (mostly the above, but some extra ioctls)</li>") +
+
+_("<li> Allow tuning the ide driver</li>
+<li> Allow access to the nvram device</li>
+<li> Allow administration of apm_bios, serial and bttv (TV) device</li>
+<li> Allow manufacturer commands in isdn CAPI support driver</li>") +
+
+_("<li> Allow reading non-standardized portions of pci configuration space</li>
+<li> Allow DDI debug ioctl on sbpcd driver</li>
+<li> Allow setting up serial ports</li>
+<li> Allow sending raw qic-117 commands</li>") +
+
+_("<li> Allow enabling/disabling tagged queuing on SCSI controllers
+ and sending arbitrary SCSI commands</li>
+<li> Allow setting encryption key on loopback filesystem </li></ul>"),
],
"sys_boot" :
@@ -156,22 +231,37 @@
"sys_nice" :
$[
"name" : "CAP_SYS_NICE",
- "info" : _("<ul><li> Allow raising priority and setting priority on other (different UID) processes</li> <li> Allow use of FIFO and round-robin (realtime) scheduling on own processes and setting the scheduling algorithm used by another process.</li> <li> Allow setting cpu affinity on other processes </li></ul>"),
+ "info" : _("<ul><li> Allow raising priority and setting priority on other (different UID) processes</li>
+<li> Allow use of FIFO and round-robin (realtime) scheduling on own processes and setting
+the scheduling algorithm used by another process.</li>
+<li> Allow setting cpu affinity on other processes </li></ul>"),
],
"sys_resource" :
$[
"name" : "CAP_SYS_RESOURCE",
- "info" : _("<ul><li> Override resource limits. Set resource limits.</li> <li> Override quota limits.</li> <li> Override reserved space on ext2 filesystem</li> <li> Modify data journaling mode on ext3 filesystem (uses journaling resources)</li> <li> NOTE: ext2 honors fsuid when checking for resource overrides, so you can override using fsuid too</li> <li> Override size restrictions on IPC message queues</li> <li> Allow more than 64hz interrupts from the real-time clock</li> <li> Override max number of consoles on console allocation</li> <li> Override max number of keymaps </li></ul>"),
+ "info" : _("<ul><li> Override resource limits. Set resource limits.</li>
+<li> Override quota limits.</li>
+<li> Override reserved space on ext2 filesystem</li>
+<li> Modify data journaling mode on ext3 filesystem (uses journaling resources)</li>") +
+
+_("<li> NOTE: ext2 honors fsuid when checking for resource overrides, so you can override using fsuid too</li>
+<li> Override size restrictions on IPC message queues</li>
+<li> Allow more than 64hz interrupts from the real-time clock</li>
+<li> Override max number of consoles on console allocation</li>
+<li> Override max number of keymaps </li></ul>"),
],
"sys_time" :
$[
"name" : "CAP_SYS_TIME",
- "info" : _("<ul><li> Allow manipulation of system clock</li> <li> Allow irix_stime on mips</li> <li> Allow setting the real-time clock </li></ul>"),
+ "info" : _("<ul><li> Allow manipulation of system clock</li>
+<li> Allow irix_stime on mips</li>
+<li> Allow setting the real-time clock </li></ul>"),
],
"sys_tty_config" :
$[
"name" : "CAP_SYS_TTY_CONFIG",
- "info" : _("<ul><li> Allow configuration of tty devices</li> <li> Allow vhangup() of tty </li></ul>"),
+ "info" : _("<ul><li> Allow configuration of tty devices</li>
+<li> Allow vhangup() of tty </li></ul>"),
],
"mknod" :
$[
Copied: trunk/apparmor/src/include/subdomain/helps.ycp (from r55996, trunk/apparmor/src/include/subdomain/event_notification_helptext.ycp)
URL: http://svn.opensuse.org/viewcvs/yast/trunk/apparmor/src/include/subdomain/helps.ycp?p2=trunk/apparmor/src/include/subdomain/helps.ycp&p1=trunk/apparmor/src/include/subdomain/event_notification_helptext.ycp&r1=55996&r2=56164&rev=56164&view=diff
==============================================================================
--- trunk/apparmor/src/include/subdomain/event_notification_helptext.ycp (original)
+++ trunk/apparmor/src/include/subdomain/helps.ycp Mon Mar 16 17:44:35 2009
@@ -14,6 +14,202 @@
/* START Help Section
************************************************************/
-string EventNotifyHelpText = _("The Security Event Notification screen enables you to setup email alerts for security events. In the following steps, specify how often alerts are sent, who receives the alert, and how severe the security event must be to send an alert. <br><br><b>Notification Types</b><br> <b>Terse Notification:</b> Terse notification summarizes the total number of system events without providing details. <br>For example:<br> dhcp-101.up.wirex.com has had 10 security events since Tue Oct 12 11:10:00 2004<br><br> <b>Summary Notification:</b> The Summary notification displays the logged AppArmor security events, and lists the number of individual occurrences, including the date of the last occurrence. <br>For example:<br> SubDomain: PERMITTING access to capability 'setgid' (httpd2-prefork(6347) profile /usr/sbin/httpd2-prefork active /usr/sbin/httpd2-prefork) 2 times, the latest at Sat Oct 9 16:05:54 2004.<br><br> <b>Verbose Notification:</b> The Verbose notification displays unmodified, logged AppArmor security events. It tells you every time an event occurs and writes a new line in the Verbose log. These security events include the date and time the event occurred, when the application profile permits access as well as rejects access, and the type of file permission access that is permitted or rejected. Verbose Notification also reports several messages that the logprof tool uses to interpret profiles. <br>For example:<br> Oct 9 15:40:31 SubDomain: PERMITTING r access to /etc/apache2/httpd.conf (httpd2-prefork(6068) profile /usr/sbin/httpd2-prefork active /usr/sbin/httpd2-prefork)
helps = $[
+ "EventNotifyHelpText" :
+ _("<p>The Security Event Notification screen enables you to setup email
+alerts for security events. In the following steps, specify how often
+alerts are sent, who receives the alert, and how severe the security
+event must be to send an alert.</p>") +
+ _("<p><b>Notification Types</b><br> <b>Terse Notification:</b>
+Terse notification summarizes the total number of system events without
+providing details. <br>For example:<br> <tt>dhcp-101.up.wirex.com has
+had 10 security events since Tue Oct 12 11:10:00 2004</tt></p>") +
+
+ _("<p><b>Summary Notification:</b> The Summary notification displays
+the logged AppArmor security events, and lists the number of
+individual occurrences, including the date of the last occurrence.
+<br>For example:<br> <tt>SubDomain: PERMITTING access to capability
+'setgid' (httpd2-prefork(6347) profile /usr/sbin/httpd2-prefork
+active /usr/sbin/httpd2-prefork) 2 times, the latest at Sat Oct 9 16:05:54 2004.</tt>
+</p>") +
+
+ _("<p><b>Verbose Notification:</b> The Verbose notification displays
+unmodified, logged AppArmor security events. It tells you every time
+an event occurs and writes a new line in the Verbose log. These
+security events include the date and time the event occurred, when
+the application profile permits access as well as rejects access,
+and the type of file permission access that is permitted or rejected.</p>") +
+
+ _("<p>Verbose Notification also reports several messages that
+the logprof tool uses to interpret profiles. <br>For example:<br>
+<tt> Oct 9 15:40:31 SubDomain: PERMITTING r access to
+/etc/apache2/httpd.conf (httpd2-prefork(6068) profile
+/usr/sbin/httpd2-prefork active /usr/sbin/httpd2-prefork)</tt></p>") +
+
+ "<ol>" + _("<li> For each notification type that you would like
+enabled, select the frequency of notification that you would
+like. For example, if you select <b>1 day</b> from the
+pull-down list, you will be sent daily notifications of
+security events, if they occur.</li>") +
+
+ _("<li> Enter the email address of those who should receive
+the Terse, Summary, or Verbose notifications. </li>") +
+
+ _("<li>Select the lowest <b>severity level</b> for which a notification
+should be sent. Security events will be logged and the notifications
+will be sent at the time indicated by the interval when events are
+equal or greater than the selected severity level. If the interval
+is 1 day, the notification will be sent daily, if security events
+occur.") +
+
+ _("<b>Severity Levels:</b> These are numbered 1 through 10,
+10 being the most severe security incident. The <b>severity.db</b>
+file defines the severity level of potential security events.
+The severity levels are determined by the importance of
+different security events, such as certain resources accessed
+or services denied.</li>") +
+
+ _("<li>Select <b>Include unknown security events</b> if
+you would like to include events that are not rated with a severity number.</li>") +
+ "</ol>",
+// ----------------------------
+ "profileWizard" :
+ _("<b>AppArmor Profiling Wizard</b><br>") +
+ _("This wizard presents entries generated by the AppArmor access control module.
+You can generate highly optimized and robust security profiles
+by using the suggestions made by AppArmor.") +
+
+ _("AppArmor suggests that you allow or deny access to specific resources
+or define execute permission for entries. These questions
+that display were logged during the normal application
+execution test previously performed. <br>") +
+
+ _("The following help text describes the detail of the security profile
+syntax used by AppArmor. <br><br>At any stage, you may
+customize the profile entry by changing the suggested response.
+This overview will assist you in your options. Refer to the
+Novell AppArmor Administration Guide for step-by-step
+instructions. <br><br>") +
+
+ _("<b>Access Modes</b><br>") +
+ _("File permission access modes consists of combinations of the following six modes:") +
+
+ "<ul>" +
+ _("<li>r - read</li>") +
+ _("<li>w - write</li>") +
+ _("<li>m - mmap PROT_EXEC</li>") +
+ _("<li>px - discrete profile execute</li>") +
+ _("<li>ux - unconfined execute</li>") +
+ _("<li>ix - inherit execute</li>") +
+ _("<li>l - link</li>") + "</ul>" +
+
+ _("<b>Details for Access Modes</b>") +
+ "<br><br>" +
+
+ _("<b>Read mode</b><br>") +
+ _("Allows the program to have read access to the
+resource. Read access is required for shell scripts
+and other interpreted content, and determines if an
+executing process can core dump or be attached to with
+ptrace(2). (ptrace(2) is used by utilities such as
+strace(1), ltrace(1), and gdb(1).)") +
+ "<br><br>" +
+
+ _("<b>Write mode</b><br>") +
+ _("Allows the program to have write access to the
+resource. Files must have this permission if they are
+to be unlinked (removed.)") +
+ "<br><br>" +
+
+ _("<b>Mmap PROT_EXEC mode</b><br>") +
+ _("Allows the program to call mmap with PROT_EXEC on the
+resource.") +
+ "<br><br>" +
+
+ _("<b>Unconfined execute mode</b><br>") +
+ _("Allows the program to execute the resource without any
+AppArmor profile being applied to the executed
+resource. Requires listing execute mode as well.
+Incompatible with Inherit and Discrete Profile execute
+entries.") +
+ "<br><br>" +
+
+ _("This mode is useful when a confined program needs to
+be able to perform a privileged operation, such as
+rebooting the machine. By placing the privileged section
+in another executable and granting unconfined
+execution rights, it is possible to bypass the mandatory
+constraints imposed on all confined processes.
+For more information on what is constrained, see the
+subdomain(7) man page.") +
+ "<br><br>" +
+
+ _("<b>Discrete Profile execute mode</b><br>") +
+ _("This mode requires that a discrete security profile is
+defined for a resource executed at a AppArmor domain
+transition. If there is no profile defined then the
+access will be denied. Incompatible with Inherit and
+Unconstrained execute entries.") +
+ "<br><br>" +
+
+ _("<b>Link mode</b><br>") +
+ _("Allows the program to be able to create and remove a
+link with this name (including symlinks). When a link
+is created, the file that is being linked to MUST have
+the same access permissions as the link being created
+(with the exception that the destination does not have
+to have link access.) Link access is required for
+unlinking a file.") +
+ "<br><br>" +
+
+ _("<b>Globbing</b>") +
+ "<br><br>" +
+ _("File resources may be specified with a globbing syntax
+similar to that used by popular shells, such as csh(1),
+bash(1), zsh(1).") +
+ "<br>" +
+
+ "<ul>" +
+ _("<li><b>*</b> can substitute for any number of characters, except '/'<li>") +
+ _("<li><b>**</b> can substitute for any number of characters, including '/'</li>") +
+ _("<li><b>?</b> can substitute for any single character except '/'</li>") +
+ _("<li><b>[abc]</b> will substitute for the single character a, b, or c</li>") +
+ _("<li><b>[a-c]</b> will substitute for the single character a, b, or c</li>") +
+ _("<li><b>{ab,cd}</b> will expand to one rule to match ab, one rule to match cd</li>") +
+ "</ul>" +
+
+ _("<b>Clean Exec - for sanitized execution</b>") +
+ "<br><br>" +
+ _("The Clean Exec option for the discrete profile and unconstrained
+execute permissions provide added security by stripping the
+environment that is inherited by the child program of specific
+variables. You will be prompted to choose whether you want to sanitize the
+enviroment if you choose 'p' or 'u' during the profiling process.
+The variables are:") +
+
+ "<ul>" +
+ "<li>GCONV_PATH</li>" +
+ "<li>GETCONF_DIR</li>" +
+ "<li>HOSTALIASES</li>" +
+ "<li>LD_AUDIT</li>" +
+ "<li>LD_DEBUG</li>" +
+ "<li>LD_DEBUG_OUTPUT</li>" +
+ "<li>LD_DYNAMIC_WEAK</li>" +
+ "<li>LD_LIBRARY_PATH</li>" +
+ "<li>LD_ORIGIN_PATH</li>" +
+ "<li>LD_PRELOAD</li>" +
+ "<li>LD_PROFILE</li>" +
+ "<li>LD_SHOW_AUXV</li>" +
+ "<li>LD_USE_LOAD_BIAS</li>" +
+ "<li>LOCALDOMAIN</li>" +
+ "<li>LOCPATH</li>" +
+ "<li>MALLOC_TRACE</li>" +
+ "<li>NLSPATH</li>" +
+ "<li>RESOLV_HOST_CONF</li>" +
+ "<li>RES_OPTION</li>" +
+ "<li>TMPDIR</li>" +
+ "<li>TZDIR</li> </ul>",
+
+ ];
}
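Review bot: The first Globbing item in the "profileWizard" entry ends with an opening <li> instead of </li> (... any number of characters, except '/'<li>), which leaves that item unclosed and starts an empty one; change it to </li>. In the same entry the Access Modes sentence says "the following six modes" but the list under it has seven items (r, w, m, px, ux, ix, l), and the details section that follows has no paragraph for inherit execute. Several adjacent _() pieces are joined with no separator, for example "...suggestions made by AppArmor." directly followed by "AppArmor suggests...", so the rendered text runs together; wrapping each piece in <p>...</p>, as the "EventNotifyHelpText" entry does, would fix that. In "EventNotifyHelpText" the severity-level <li> opens in one _() string and closes in the next, so each translatable unit carries unbalanced markup. Since these msgids are new anyway, "enviroment" and "a AppArmor" can be corrected in the same pass.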
Modified: trunk/apparmor/src/include/subdomain/profile_dialogs.ycp
URL: http://svn.opensuse.org/viewcvs/yast/trunk/apparmor/src/include/subdomain/profile_dialogs.ycp?rev=56164&r1=56163&r2=56164&view=diff
==============================================================================
--- trunk/apparmor/src/include/subdomain/profile_dialogs.ycp (original)
+++ trunk/apparmor/src/include/subdomain/profile_dialogs.ycp Mon Mar 16 17:44:35 2009
@@ -36,8 +36,8 @@
capbool = false;
});
string info = (string) cdef["info"]:_("<b>Capability Selection</b>.
- <br>Select desired capabilities for this profile.
- Select a Capability name to see information about the capability.");
+<br>Select desired capabilities for this profile.
+Select a Capability name to see information about the capability.");
string frametitle = " " + _("Capabilities enabled for the profile") + " " + profile + " ";
UI::OpenDialog(
`VBox(
@@ -726,9 +726,10 @@
// Check for no application entry in the dialog
if ( hatname == "" ) {
Popup::Error(_("You have not given a name for the hat you want to add.\nPlease
- enter a hat name to create a new hat, or press Abort to cancel this wizard."));
+enter a hat name to create a new hat, or press Abort to cancel this wizard."));
} else if ( haskey( currentHats, hatname ) ) {
- Popup::Error(_("The profile already contains the provided hat name. Please enter a different name to try again, or press Abort to cancel this wizard."));
+ Popup::Error(_("The profile already contains the provided hat name.
+Please enter a different name to try again, or press Abort to cancel this wizard."));
} else {
Settings["CURRENT_HAT"] = hatname;
UI::CloseDialog();
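Review bot: In the first Popup::Error message the string still has a raw line break immediately after the escaped one (\nPlease, then a new source line), so the text breaks at the escape and again after the single word "Please"; keep one of the two. The second message gains a raw line break after "hat name." in the same way. If a break is wanted there, write it as \n so both messages follow one convention, otherwise keep the sentence on one source line.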
@@ -762,11 +763,15 @@
// FIXME: format these texts better
/* help text */
- string help1 = _("<p>In this form you can view and modify the contents of an individual profile. For existing entries you can double click the permissions to access a modification dialog.</p>");
+ string help1 = _("<p>In this form you can view and modify the contents of an individual profile.
+For existing entries you can double click the permissions to access a modification dialog.</p>");
/* help text */
- string help2 = _("<p><b>Permission Definitions:</b><br><code> r - read <br> w -
- write<br>l - link<br>m - mmap PROT_EXEC<br>k - file locking<br>a - file append<br>x - execute<br> i - inherit<br> p - discrete profile<br> P - discrete profile <br> (*clean exec)<br> u - unconstrained<br> U -unconstrained<br> (*clean exec)</code></p>");
+ string help2 = _("<p><b>Permission Definitions:</b><br><code> r - read <br>
+w -write<br>l - link<br>m - mmap PROT_EXEC<br>k - file locking<br>
+a - file append<br>x - execute<br> i - inherit<br> p - discrete profile<br>
+P - discrete profile <br> (*clean exec)<br> u - unconstrained<br>
+U -unconstrained<br> (*clean exec)</code></p>");
/* help text */
string help3 = _("<p><b>Add Entry:</b><br>Select the type of resource to add from the drop down list.</p>");
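Review bot: Rejoining "w -" and "write" in help2 dropped the whitespace between them, so the list now shows "w -write" where the other entries read like "r - read"; "U -unconstrained" has the same defect and was already that way before this change. Make them "w - write" and "U - unconstrained". The "FIXME: format these texts better" comment above the block is left in place; if this reflow is the formatting it asked for, remove it.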
@@ -778,11 +783,18 @@
/* help text - part x3 */
string help6 = _("<li><b>Capability</b><br>Add a capability entry to this profile</li>");
/* help text - part x4 */
- string help7 = _("<li><b>Include</b><br>Add an include entry to this profile. This option includes the profile entry contents of another file in this profile at load time.</li>");
+ string help7 = _("<li><b>Include</b><br>Add an include entry to this profile. This option
+includes the profile entry contents of another file in this profile at load time.</li>");
/* help text - part x5 */
- string help_net = _("<li><b>Network Entry</b><br>Add a network rule entry to this profile. This option will allow you to specify network access privileges for the profile. You may specify a network address family and socket type.</li>");
+ string help_net = _("<li><b>Network Entry</b><br>Add a network rule entry to this profile.
+This option will allow you to specify network access privileges for the profile.
+You may specify a network address family and socket type.</li>");
/* help text - part x6 */
- string helpHat = _("<li><b>Hat</b><br>Add a sub-profile for this profile - called a Hat. This option is analagous to manually creating a new profile, which can selected during execution only in the context of being asked for by a <b>changehat aware</b> application. For more information on changehat please see <b>man changehat</b> on your system or the Novell AppArmor Administration Guide.</li>");
+ string helpHat = _("<li><b>Hat</b><br>Add a sub-profile for this profile - called a Hat.
+This option is analagous to manually creating a new profile, which can selected
+during execution only in the context of being asked for by a <b>changehat aware</b>
+application. For more information on changehat please see <b>man changehat</b> on your
+system or the Novell AppArmor Administration Guide.</li>");
/* help text - part x7 */
string helpEdit = _("</ul></p><p><b>Edit Entry:</b><br>Edit the selected entry.</p>");
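Review bot: helpHat is re-wrapped here, which changes its msgid anyway, so this is the moment to fix the wording inside it: "analagous" should be "analogous", and "which can selected" is missing "be". Otherwise translators receive the same typos under a new msgid and a later fix invalidates their work a second time.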
@@ -790,9 +802,11 @@
string help8 = _("<p><b>Delete Entry:</b><br>Removes the selected entry from this profile.</p>");
/* help text - part y1 */
- string help9 = _("<p><b>*Clean Exec</b><br>The Clean Exec option for the discrete profile and unconstrained execute permissions provide added security by stripping the environment that is inherited by the child program of specific variables. These variables are:");
+ string help9 = _("<p><b>*Clean Exec</b><br>The Clean Exec option for the discrete profile
+and unconstrained execute permissions provide added security by stripping the environment
+that is inherited by the child program of specific variables. These variables are:");
/* help text - part y2 */
- string help10 = _("<ul> <li>GCONV_PATH</li><li>GETCONF_DIR</li><li>HOSTALIASES</li><li>LD_AUDIT</li><li>LD_DEBUG</li><li>LD_DEBUG_OUTPUT</li><li>LD_DYNAMIC_WEAK</li><li>LD_LIBRARY_PATH</li><li>LD_ORIGIN_PATH</li><li>LD_PRELOAD</li><li>LD_PROFILE</li><li>LD_SHOW_AUXV</li><li>LD_USE_LOAD_BIAS</li><li>LOCALDOMAIN</li><li>LOCPATH</li><li>MALLOC_TRACE</li><li>NLSPATH</li><li>RESOLV_HOST_CONF</li><li>RES_OPTION</li><li>TMPDIR</li><li>TZDIR</li></ul></p>");
+ string help10 = "<ul> <li>GCONV_PATH</li><li>GETCONF_DIR</li><li>HOSTALIASES</li><li>LD_AUDIT</li><li>LD_DEBUG</li><li>LD_DEBUG_OUTPUT</li><li>LD_DYNAMIC_WEAK</li><li>LD_LIBRARY_PATH</li><li>LD_ORIGIN_PATH</li><li>LD_PRELOAD</li><li>LD_PROFILE</li><li>LD_SHOW_AUXV</li><li>LD_USE_LOAD_BIAS</li><li>LOCALDOMAIN</li><li>LOCPATH</li><li>MALLOC_TRACE</li><li>NLSPATH</li><li>RESOLV_HOST_CONF</li><li>RES_OPTION</li><li>TMPDIR</li><li>TZDIR</li></ul></p>";
integer listnum = 0;
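Review bot: help10 repeats the same list of environment variables that this commit also adds under "profileWizard" in helps.ycp, so the two copies can drift apart; build the list once and reuse it in both places. help9 also opens <p> and leaves it for help10 to close with </p> after the <ul>, which ties the two strings together; closing the paragraph in help9 would let each string stand alone. In the help9 text, "The Clean Exec option ... provide" should read "provides". Taking help10 out of _() is right, since it contains nothing to translate.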
Added: trunk/apparmor/src/include/subdomain/report_helptext.ycp
URL: http://svn.opensuse.org/viewcvs/yast/trunk/apparmor/src/include/subdomain/report_helptext.ycp?rev=56164&view=auto
==============================================================================
--- trunk/apparmor/src/include/subdomain/report_helptext.ycp (added)
+++ trunk/apparmor/src/include/subdomain/report_helptext.ycp Mon Mar 16 17:44:35 2009
@@ -0,0 +1,158 @@
+/* ------------------------------------------------------------------
+*
+* Copyright (C) 2002-2005 Novell/SUSE
+*
+* This program is free software; you can redistribute it and/or
+* modify it under the terms of version 2 of the GNU General Public
+* License published by the Free Software Foundation.
+*
+ ------------------------------------------------------------------*/
+
+{
+
+textdomain "yast2-apparmor";
+
+string defs = _("<b>Program Name Pattern:</b><br> When you enter a program name or pattern
+that matches the name of the binary executable of the program of
+interest, the report will display security events that have
+occurred for a specific program.<br>") +
+
+_("<b>Profile Name Pattern:</b> When you enter the name of the profile,
+the report will display the security events that are generated for
+the specified profile. You can use this to see what is being confined
+by a specific profile.<br>") +
+
+_("<b>PID Number:</b> Process ID number is a number that uniquely identifies
+one specific process or running program (this number is valid only
+during the lifetime of that process).<br>") +
+
+_("<b>Severity Level:</b> Select the lowest severity level for security
+events that you would like to be included in the report. The selected
+severity level, and above, will be included in the reports.<br>") +
+
+_("<b>Detail:</b> A source to which the profile has denied access.
+This includes capabilities and files. You can use this field to
+report the resources are not allowed to be accessed by profiles.<br>") +
+
+_("<b>Mode:</b> The Mode is the permission that the profile grants
+to the program or process to which it is applied. The options are:
+r (read) w (write) l (link) x (execute)<br>") +
+
+_("<b>Access Type:</b> The access type describes what is actually happening
+with the security event. The options are: PERMITTING, REJECTING,
+or AUDITING.<br>") +
+
+_("<b>CSV or HTML:</b> Enables you to export a CSV (comma separated
+values) or html file. The CSV file separates pieces of data in
+the log entries with commas using a standard data format for
+importing into table-oriented applications. You can enter a
+pathname for your exported report by typing in the full
+pathname in the field provided.</p>");
+
+string setArchHelp = _("<p>The Report Configuration dialog enables you to filter the archived
+report selected in the previous screen. To filter by <b>Date Range:</b>") +
+
+_("<ol><li>Click <b>Filter By Date Range</b>. The fields become active.</li>
+<li>Enter the start and end dates that delineate the scope of the report.</li>
+ <li>Enter other filtering parameters. See below for definitions of parameters.</li></ol></p>") +
+
+_("The following definitions help you to enter the filtering parameters in the
+Report Configuration Dialog:<br>") + defs;
+
+
+string types = _("<b>Executive Security Summary:</b> A combined report,
+consisting of one or more Security incident reports from
+one or more machines. This report provides a single view of
+security events on multiple machines.<br>") +
+
+_("<b>Applications Audit Report:</b> An auditing tool that
+reports which application servers are running and whether
+the applications are confined by AppArmor. Application
+servers are applications that accept incoming network connections. <br>") +
+
+_("<b>Security Incident Report:</b> A report that displays application
+security for a single host. It reports policy violations for locally
+confined applications during a specific time period. You can edit and
+customize this report, or add new versions.</p>");
+
+string runHelp = _("<p>The AppArmor On-Demand Report screen displays
+an instantly generated version of one of the following
+reports:<br>") + types;
+
+
+string filterCfHelp1 = setArchHelp;
+/* START Help Section
+************************************************************/
+
+string repGenHelpText = _("<p><b>Generate Reports Help</b> <p>If there were, in fact,
+going to be any help for you (which, incidentally, there isn't going to be),
+then you would indeed find said help, here.</p><p>Thank you for your time,
+and have a nice day.</p>");
+
+
+
+string schedHelpText =
+_("<p>The summary of scheduled reports page shows us when reports are scheduled to run.
+Reports can be set to run monthly, weekly, daily, or hourly. The default settings are
+daily at midnight. The reports can also be emailed, upon completion, to up to three
+email recipients.<br>") +
+
+_("In the Set Schedule section, you can schedule the following three types of security reports:<br>") + types;
+
+string archHelpText = _("<p>The View Archive Reports form enables you to view
+previously generated reports, located in the /var/log/apparmor/reports-archived
+directory. The checkboxes at the top of the form enable you to narrow-down
+the category of reports shown in the list to the following: SIR Reports, AUD
+Reports, or ESS Reports. To see report details, select a report and click the
+<b>View</b> button.<br><br> You can view reports from one or more systems if
+you move the reports to the /var/log/apparmor/reports-archived directory.</p>");
+
+string mainHelp = schedHelpText;
+
+
+list helpList = [ schedHelpText ];
+
+term defaultHelp = `RichText ( schedHelpText );
+term schedHelp = `RichText ( schedHelpText );
+term repGenHelp = `RichText ( repGenHelpText );
+term archHelp = `RichText ( archHelpText );
+term otherHelp = `RichText ( archHelpText );
+
+string repConfHelp = _("repConfHelp");
+
+string sirHelp = _("<p><b>Security Incident Report (SIR):</b> A report that displays security
+events of interest to an administrator. The SIR reports policy violations
+for locally confined applications during the specified time period. The SIR
+reports policy exceptions and policy engine state changes. These two types
+of security events are defined as follows:") +
+
+_("<ul> <li><b>Policy Exceptions:</b> When an application requests a resource
+that's not defined within its profile, a security event is generated.</li>
+<li><b>Policy Engine State Changes:</b> Enforces policy for applications and
+maintains its own state, including when engines start or stop, when a policy
+is reloaded, and when global security feature are enabled or disabled.</li></ul>
+Select the report from the archive, then <b>View</b> to see the report details.</p>");
+
+
+string audHelp = _("<p><b>Applications Audit Report (AUD):</b> An auditing tool
+that reports which application servers are running and whether they are confined
+by AppArmor. Application servers are applications that accept incoming network
+connections. This report provides the host machine's IP Address, the date the
+Applications Audit Report ran, the name and path of the unconfined program or
+application server, the suggested profile or a placeholder for a profile for an
+unconfined program, the process ID number, The state of the program (confined or
+unconfined), and the type of confinement that the profile is performing
+(enforce/complain).</p>");
+
+string essHelp = _("<p><b>Executive Security Summary (ESS):</b> A combined report,
+consisting of one or more high-level reports from one or more machines. This
+report can provide a single view of security events on multiple machines if each
+machine's data is copied to the reports archive directory, which is
+<b>/var/log/apparmor/reports-archived</b>. This report provides the host
+machine's IP address, the start and end dates of the polled events, total number
+of rejects, total number of events, average of severity levels reported, and the
+highest severity level reported. One line of the ESS report represents a range
+of SIR reports.</p>");
+
+}
+
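Review bot: Two strings in the new file are placeholders wrapped in _(): repGenHelpText ("If there were, in fact, going to be any help for you ...") and repConfHelp, whose text is just "repConfHelp". Both end up in the translation catalog, and repGenHelpText is wired into repGenHelp, so it can reach users; replace them with real help text or drop the _() until the text exists. The paragraph markup is also unbalanced: repGenHelpText opens <p> twice before the first </p>, and defs ends in </p> although setArchHelp has already closed its <p> after the </ol>, which leaves a stray closing tag in setArchHelp. In the Detail paragraph, "report the resources are not allowed to be accessed" needs "that" after "resources".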
Modified: trunk/apparmor/src/include/subdomain/sd-config.ycp
URL: http://svn.opensuse.org/viewcvs/yast/trunk/apparmor/src/include/subdomain/sd-config.ycp?rev=56164&r1=56163&r2=56164&view=diff
==============================================================================
--- trunk/apparmor/src/include/subdomain/sd-config.ycp (original)
+++ trunk/apparmor/src/include/subdomain/sd-config.ycp Mon Mar 16 17:44:35 2009
@@ -9,7 +9,7 @@
------------------------------------------------------------------*/
{
include "subdomain/config_complain.ycp";
-include "subdomain/event_notification_helptext.ycp";
+include "subdomain/helps.ycp";
include "subdomain/apparmor_ycp_utils.ycp";
textdomain "yast2-apparmor";
@@ -162,7 +162,7 @@
);
Wizard::CreateDialog();
- Wizard::SetContentsButtons(_("Security Event Notification"), event_config, EventNotifyHelpText, Label::BackButton(), Label::OKButton());
+ Wizard::SetContentsButtons(_("Security Event Notification"), event_config, helps["EventNotifyHelpText"]:"", Label::BackButton(), Label::OKButton());
Wizard::DisableBackButton();
any ntInput = nil;
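Review bot: The lookup helps["EventNotifyHelpText"]:"" falls back to an empty string, so a misspelled key or an entry dropped from the helps map shows a blank help pane with no error, where the old code referenced the EventNotifyHelpText variable by name. Consider a visible fallback text or a small accessor that logs when the key is absent, and use it for every helps[...] lookup.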
@@ -317,7 +317,14 @@
/* Network dialog caption */
string caption = _("AppArmor Configuration");
- string help = _("<p><b>AppArmor Status</b><br>This reports whether the AppArmor policy enforcement module is loaded and functioning.</p> <p><b>Security Event Notification</b><br>Configure this tool if you want to be notified by email when access violations have occurred.</p> <p><b>Profile Modes</b><br>Use this tool to change the way that AppArmor uses individual profiles.</p>");
+ string help = _("<p><b>AppArmor Status</b><br>This reports whether the AppArmor policy enforcement
+module is loaded and functioning.</p>") +
+
+_("<p><b>Security Event Notification</b><br>Configure this tool if you want
+to be notified by email when access violations have occurred.</p>") +
+
+_("<p><b>Profile Modes</b><br>Use this tool to change the way that AppArmor
+uses individual profiles.</p>");
term contents =
`HVCenter(