
User's Guide 58

file (see Figure 1 below)
• Or a program is executed by the profiled program and the security domain transition has not been defined (see Figure 2 below).
Each of these cases results in a series of questions that you must
answer to add the resource to the profile or to add the program into
the profile. The following two figures show an example of each
case. Subsequent steps describe your options in answering these
questions.
Figure 1: The Learning Mode exception requires you to allow or deny access to a specific resource.
Dealing with execute accesses is complex. You must decide which of the three kinds of execute permissions you intend to grant the program:
• Inherit (ix): The child inherits the parent's profile, i.e. runs with the same access controls as the parent. This mode is useful when a confined program needs to call another confined program without gaining the permissions of the target's profile, or losing the permissions of the current profile. This mode is often used when the child program is a "helper application", such as the /usr/bin/mail client using the less program as a pager, or the Mozilla web browser using the acrobat program to display PDF files.
• profile (px): The child runs using its own profile, which must be loaded into the kernel. If the profile is not present, then attempts to execute the child will fail with permission denied. This is most useful if the parent program is invoking a global service, such as DNS lookups or sending mail via your system's MTA.
Reading log entries from /var/log/messages.
Updating subdomain profiles in /etc/subdomain.d.
Profile: /usr/sbin/xinetd
Execute: /usr/sbin/vsftpd
[(I)nherit] / (P)rofile / (U)nconstrained / (D)eny / Abo(r)t / (F)inish)
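To show what each answer to the prompt above turns into, here is an added illustration of the resulting profile rules; it is not taken from the guide, and the profile contents (file paths such as /etc/xinetd.conf and /etc/vsftpd.conf, the minimal rule lists) are constructed for the example.

```apparmor
# Added illustration, not from the guide: assumed contents of profile files
# under /etc/subdomain.d. Rule lists are constructed and kept minimal.

# Parent profile. Answering (P)rofile to the prompt records the px rule:
# vsftpd then runs under its own profile (below), so xinetd's permissions
# neither leak into the child nor are lost by it.
/usr/sbin/xinetd {
  /usr/sbin/xinetd   r,
  /etc/xinetd.conf   r,
  /etc/xinetd.d/*    r,
  # (P)rofile: the child must have its own profile loaded in the kernel.
  /usr/sbin/vsftpd   px,
  # (I)nherit would instead record:      /usr/sbin/vsftpd ix,
  #   and vsftpd would run with exactly xinetd's rules above.
  # (U)nconstrained would record:        /usr/sbin/vsftpd ux,
  #   and vsftpd would run with no confinement at all.
  # (D)eny records no rule: the exec is refused and logged.
}

# Child profile that the px rule depends on. If this profile is not loaded
# into the kernel, the exec from xinetd fails with permission denied.
/usr/sbin/vsftpd {
  /usr/sbin/vsftpd     r,
  /etc/vsftpd.conf     r,
  /var/log/vsftpd.log  w,
}

# The "helper application" case from the Inherit bullet: less runs with
# mail's own rules, so it gains nothing beyond what mail already has.
/usr/bin/mail {
  /usr/bin/mail   r,
  /usr/bin/less   ix,
}
```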