Novell APPARMOR Admin Manual page 58

User's Guide
file (see Figure 1 below)
• Or a program is executed by the profiled program and the security domain transition has not been defined (see Figure 2 below).
Each of these cases results in a series of questions that you must answer to add the resource to the profile or to add the program into the profile. The following two figures show an example of each case. Subsequent steps describe your options in answering these questions.
Figure 1: The Learning Mode exception requires you to allow or deny access to a specific resource.
  Reading log entries from /var/log/messages.
  Updating subdomain profiles in /etc/subdomain.d.
  Profile: /usr/sbin/xinetd
  Execute: /usr/sbin/vsftpd
  [(I)nherit] / (P)rofile / (U)nconstrained / (D)eny / Abo(r)t / (F)inish)
Dealing with execute accesses is complex. You must decide which of the three kinds of execute permissions you intend to grant the program:
• Inherit (ix): The child inherits the parent's profile, i.e. runs with the same access controls as the parent. This mode is useful when a confined program needs to call another confined program without gaining the permissions of the target's profile, or losing the permissions of the current profile. This mode is often used when the child program is a "helper application", such as the /usr/bin/mail client using the less program as a pager, or the Mozilla web browser using the acrobat program to display PDF files.
• Profile (px): The child runs using its own profile, which must be loaded into the kernel. If the profile is not present, then attempts to execute the child will fail with permission denied. This is most useful if the parent program is invoking a global service, such as DNS lookups or sending mail via your system's MTA.
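The practical consequence of choosing px is the one the manual states: the child's own profile must exist and be loaded, or the exec is denied. The following added example (not part of the manual, and not Novell's own tooling) parses a small constructed set of profiles written in the rule syntax shown on this page, extracts every execute rule with its ix/px/ux mode, and reports px targets for which no profile is present in the set. The profile contents, the extra programs /usr/sbin/in.ftpd and /usr/sbin/sendmail, and the helper function names are assumptions made for the example.

```python
import re

# Constructed sample profiles in the subdomain/AppArmor rule syntax
# (placeholder content, not taken from the manual). xinetd launches vsftpd
# under vsftpd's own profile (px); mail runs less as a helper under mail's
# profile (ix). Two px targets deliberately have no profile of their own.
SAMPLE_PROFILES = """
/usr/sbin/xinetd {
  /etc/xinetd.conf r,
  /usr/sbin/vsftpd px,
  /usr/sbin/in.ftpd px,
}

/usr/bin/mail {
  /usr/bin/less ix,
  /usr/sbin/sendmail px,
}

/usr/sbin/vsftpd {
  /etc/vsftpd.conf r,
}
"""

PROFILE_RE = re.compile(r'^(\S+)\s*\{$')              # "/usr/sbin/xinetd {"
RULE_RE = re.compile(r'^(\S+)\s+([A-Za-z]+)\s*,$')    # "/path perms,"
EXEC_MODES = {'i': 'inherit', 'p': 'profile', 'u': 'unconstrained'}


def parse_profiles(text):
    """Return {profile_name: [(path, perms), ...]} for every profile in text.

    Only the flat "path perms," rule form shown in the manual is handled;
    blank lines and '#' comments are skipped.
    """
    profiles = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = PROFILE_RE.match(line)
        if m:
            current = m.group(1)
            profiles[current] = []
            continue
        if line == '}':
            current = None
            continue
        m = RULE_RE.match(line)
        if m and current is not None:
            profiles[current].append((m.group(1), m.group(2)))
    return profiles


def exec_rules(profiles):
    """Return [(parent, child, mode), ...] for each execute rule.

    mode is 'i', 'p' or 'u', taken from the letter that qualifies the 'x'
    (e.g. 'px' -> 'p'); rules without a qualified 'x' are ignored.
    """
    out = []
    for parent, rules in profiles.items():
        for path, perms in rules:
            p = perms.lower()
            if p.endswith('x') and len(p) >= 2 and p[-2] in EXEC_MODES:
                out.append((parent, path, p[-2]))
    return out


def missing_child_profiles(profiles):
    """px targets that have no profile of their own in this set.

    As the manual notes, executing such a child fails with permission denied
    until its profile is written and loaded into the kernel.
    """
    return sorted({child for _parent, child, mode in exec_rules(profiles)
                   if mode == 'p' and child not in profiles})


if __name__ == '__main__':
    profs = parse_profiles(SAMPLE_PROFILES)
    for parent, child, mode in exec_rules(profs):
        print(f'{parent} -> {child}: {EXEC_MODES[mode]}')
    for child in missing_child_profiles(profs):
        print(f'px target without a profile (exec would be denied): {child}')
```

Run against a real profile directory, the same check catches the common mistake of answering (P)rofile at the prompt and then never creating the child's profile; ix rules need no such check because the child simply keeps the parent's access controls.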