Novell APPARMOR Admin Manual page 64


User's Guide
path is modified while retaining the filename extension. With one
click, /etc/apache2/file.ext becomes /etc/apache2/*.ext, adding the
wildcard (asterisk) in place of the file name. This will allow the
program to access all files in the suggested directory that end with the
".ext" extension. When you select it twice, access will be granted to
all files (with the particular extension) and subdirectories beneath
the one shown.
• "E"dit: Select Edit to edit the highlighted line. The new line will
appear at the bottom of the list.
• Abo"r"t: Aborts logprof, dumping all rule changes entered so
far and leaving all profiles unmodified.
• "F"inish: Closes logprof, saving all rule changes entered so far
and modifying all profiles.
Logprof Example 2
In an example from profiling vsftpd, we see this question:
Profile: /usr/sbin/vsftpd
Path: /y2k.jpg
New Mode: r
[1 - /y2k.jpg]
(A)llow / [(D)eny] / (N)ew / (G)lob / Glob w/(E)xt / Abo(r)t
/ (F)inish
Several items of interest appear in this question. First, note that
vsftpd is asking for a path entry at the top of the tree, even though
vsftpd by default on SuSE LINUX Enterprise Server 9 serves FTP
files from /srv/ftp. This is because httpd2-prefork uses
chroot, and for the portion of the code inside the chroot jail, Novell
AppArmor sees file accesses in terms of the chroot environment,
rather than the global absolute path.
The second item of interest is that we may want to grant FTP read
access to all of the JPEG files in the directory, and so we could use the
Glob w/"E"xt and use the suggested path of "/*.jpg". Doing so will
collapse all previous rules granting access to individual .jpg files, and
forestall any future questions pertaining to access to .jpg files.
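The Glob w/Ext selections and the rule collapse described above, sketched in Python as an added example; this is not Novell's logprof code. The `**` form for the second selection, the simplified `*`/`**` matching, the function names and the sample rule list are assumptions constructed for illustration.

```python
import re

def glob_with_ext(path):
    """One 'Glob w/Ext' selection: file.ext -> *.ext, then *.ext -> **.ext."""
    head, _, name = path.rpartition("/")
    stem, _, ext = name.rpartition(".")
    if not stem or not ext or stem == "**":
        return path  # no extension to retain, or already the broadest form
    wildcard = "**" if stem == "*" else "*"
    return f"{head}/{wildcard}.{ext}"

def glob_to_regex(glob):
    """Simplified AppArmor matching: '*' stops at '/', '**' crosses it."""
    table = {"**": ".*", "*": "[^/]*"}
    parts = re.split(r"(\*\*|\*)", glob)
    return re.compile("".join(table.get(p, re.escape(p)) for p in parts))

def collapse(rules, glob, mode):
    """Drop rules the glob rule covers (same or narrower mode), then add it."""
    rx = glob_to_regex(glob)
    kept = [(p, m) for p, m in rules
            if not (rx.fullmatch(p) and set(m) <= set(mode))]
    return kept + [(glob, mode)]

# Constructed sample rules (path, mode) as seen from inside the chroot jail.
RULES = [
    ("/y2k.jpg", "r"),
    ("/logo.jpg", "r"),
    ("/pub/photo.jpg", "r"),   # in a subdirectory: only '**' reaches it
    ("/welcome.msg", "r"),     # different extension: never collapsed
    ("/upload.jpg", "rw"),     # broader mode than the glob rule: kept
]

if __name__ == "__main__":
    once = glob_with_ext("/y2k.jpg")   # first selection
    twice = glob_with_ext(once)        # second selection
    for g in (once, twice):
        print(g, "->", collapse(RULES, g, "r"))
```

The second selection also absorbs the rule for the file in the subdirectory, so it is worth checking which existing rules a glob replaces before accepting it.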
