/*.jpg. Doing so collapses all previous rules granting access to individual .jpg files and forestalls any future questions pertaining to access to .jpg files.
Finally, you might want to grant more general access to FTP files. If you select Glob in the last entry, aa-logprof replaces the suggested path of /y2k.jpg with /*. Alternatively, you might want to grant even more access to the entire directory tree, in which case you could use the New path option and enter /**.jpg (which would grant access to all .jpg files in the entire directory tree) or /** (which would grant access to all files in the directory tree).
The above deals with read accesses. Write accesses are similar, except that it is good policy to be more conservative in your use of regular expressions for write accesses.
Dealing with execute accesses is more complex. You must decide which execute permissions to grant:
inherit (ix)
The child inherits the parent's profile, running with the same access controls as the parent. This mode is useful when a confined program needs to call another confined program without gaining the permissions of the target's profile or losing the permissions of the current profile. This mode is often used when the child program is a helper application, such as the /usr/bin/mail client using the less program as a pager or the Mozilla Web browser using the Acrobat program to display PDF files.
profile (px)
The child runs using its own profile, which must be loaded into the kernel. If the profile is not present, attempts to execute the child fail with permission denied. This is most useful if the parent program is invoking a global service, such as DNS lookups or sending mail via your system's MTA.
Choose the profile with clean exec (Px) option to scrub the environment of environment variables that could modify execution behavior when passed on to the child process.
unconfined (ux)
The child runs completely unconfined without any Novell AppArmor profile applied to the executed resource.
Choose the unconfined with clean exec (Ux) option to scrub the environment of environment variables that could modify execution behavior when passed on to
Building Profiles via the Command Line
65
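The glob choices (/*.jpg, /**.jpg, /*, /**) and the execute modes (ix, px, Px, ux, Ux) described above, as an added example that is not part of the Novell AppArmor guide: a small Python evaluator that lets you see which paths a candidate glob really covers, and which existing literal rules it would make redundant, before accepting aa-logprof's suggestion. It assumes the documented AppArmor glob semantics (a single * never crosses a /, ** does, ? is one non-/ character, {a,b} is alternation), a simplified one-rule-per-line syntax, and a constructed rule set (SAMPLE) whose paths are hypothetical; it does not model the kernel's matching engine or the full profile language.

```python
import re

# Added example, not code from the AppArmor guide. Minimal evaluator for
# AppArmor-style path globs and execute modes.

def glob_to_regex(pattern):
    """Translate an AppArmor path glob into an anchored regex.

    '*'  matches any run of characters except '/'
    '**' matches any run of characters, including '/'
    '?'  matches exactly one character except '/'
    {a,b} is alternation; everything else is literal.
    """
    out, depth, i = [], 0, 0
    while i < len(pattern):
        c = pattern[i]
        if c == '*':
            if pattern.startswith('**', i):   # '**' crosses directory boundaries
                out.append('.*')
                i += 2
                continue
            out.append('[^/]*')               # single '*' stays within one component
        elif c == '?':
            out.append('[^/]')
        elif c == '{':
            out.append('(?:')
            depth += 1
        elif c == '}' and depth:
            out.append(')')
            depth -= 1
        elif c == ',' and depth:
            out.append('|')
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile('^' + ''.join(out) + '$')

# Simplified rule syntax assumed here: "<path-glob> <permissions>,"
RULE_RE = re.compile(r'^(\S+)\s+([a-zA-Z]+),$')
EXEC_MODES = {'ix': 'inherit', 'px': 'profile', 'Px': 'profile, clean exec',
              'ux': 'unconfined', 'Ux': 'unconfined, clean exec'}

# Constructed rule set; '/' stands for the FTP root used in the text.
SAMPLE = """
/y2k.jpg r,
/logo.jpg r,
/archive/2003/old.jpg r,
/incoming/*.jpg w,
/usr/bin/less ix,
/usr/sbin/sendmail Px,
"""

def parse_rules(text):
    """Parse rule lines into (glob, compiled regex, permission string) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError('unsupported rule syntax: ' + line)
        glob, perms = m.groups()
        rules.append((glob, glob_to_regex(glob), perms))
    return rules

def matching_rules(rules, path, access):
    """Globs of every rule that grants `access` ('r', 'w' or 'x') on `path`."""
    hits = []
    for glob, rx, perms in rules:
        if not rx.match(path):
            continue
        if access == 'x':
            if any(mode in perms for mode in EXEC_MODES):
                hits.append(glob)
        elif access in perms:
            hits.append(glob)
    return hits

def exec_mode(rules, path):
    """Human-readable execute mode the rules apply to `path`, or None if denied."""
    for glob, rx, perms in rules:
        if rx.match(path):
            for mode, name in EXEC_MODES.items():
                if mode in perms:
                    return name
    return None

def subsumed_by(rules, broad_glob, access='r'):
    """Literal (glob-free) rules that `broad_glob` would collapse for `access`."""
    rx = glob_to_regex(broad_glob)
    return [glob for glob, _, perms in rules
            if not any(ch in glob for ch in '*?{')
            and access in perms and rx.match(glob)]

if __name__ == '__main__':
    rules = parse_rules(SAMPLE)
    for candidate in ('/*.jpg', '/**.jpg', '/*', '/**'):
        print(candidate, 'collapses', subsumed_by(rules, candidate))
    print('/usr/bin/less runs as:', exec_mode(rules, '/usr/bin/less'))
```

Running the script shows that /*.jpg collapses only the two top-level .jpg rules while /**.jpg also swallows /archive/2003/old.jpg, which is exactly the difference the text asks you to weigh; the same check with access='w' is a quick way to see how much a write glob would really open up.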