Novell LINUX ENTERPRISE DESKTOP 11 - SECURITY GUIDE 17-03-2009 Manual page 214


profile /usr/bin/foo {
...
}
/usr/bin/foo {
...
}
Unattached profiles are never used automatically, nor can they be transitioned to through a px rule. They need to be attached to a program by either using a named profile transition (see Section 21.8.7, "Named Profile Transitions" (page 214)) or with the change_profile rule (see Section 21.2.5, "Change rules" (page 203)).

Unattached profiles are useful for specialized profiles for system utilities that generally should not be confined by a system-wide profile (for example, /bin/bash). They can also be used to set up roles or to confine a user.

21.2.3 Local Profiles

Local profiles provide a convenient way to provide specialized confinement for utility programs launched by a confined application. They are specified just like standard profiles except they are embedded in a parent profile and begin with the profile keyword:

/parent/profile {
   ...
   profile local/profile {
      ...
   }
}

To transition to a local profile, either use a cx rule (see Section 21.8.2, "Discrete Local Profile Execute Mode (cx)" (page 212)) or a named profile transition (see Section 21.8.7, "Named Profile Transitions" (page 214)).

21.2.4 Hats

AppArmor "hats" are local profiles with some additional restrictions and an implicit rule allowing change_hat to be used to transition to them. Refer to Chapter 25, Profiling Your Web Applications Using ChangeHat (page 275) for a detailed description.
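The following is an added example, not taken from the Security Guide, that puts the three profile kinds side by side: a standard profile, a local profile reached with a cx rule, and an unattached profile reached with a named profile transition. /usr/bin/foo is the manual's placeholder program; the helper path, the file paths and the profile name foo_shell are hypothetical, and the `px -> name` rule form assumes an AppArmor version that supports named profile transitions.

```apparmor
# Constructed example. All paths except /usr/bin/foo and /bin/bash, and the
# profile name foo_shell, are hypothetical.
#include <tunables/global>

# Standard profile: the name is a path, so it attaches to /usr/bin/foo.
/usr/bin/foo {
  #include <abstractions/base>

  /etc/foo.conf r,
  /var/log/foo.log w,

  # cx rule: the helper runs under the local profile of the same name,
  # defined inside this parent profile.
  /usr/lib/foo/helper cx,

  # Named profile transition: a shell started by foo runs under the
  # unattached profile foo_shell. A plain "px" rule could not select it.
  /bin/bash px -> foo_shell,

  # Local profile: embedded in the parent and introduced by the
  # profile keyword. It applies only to helpers launched by foo.
  profile /usr/lib/foo/helper {
    #include <abstractions/base>

    /usr/lib/foo/helper mr,
    /var/spool/foo/** rw,
  }
}

# Unattached profile: never applied automatically. /bin/bash stays
# unconfined system-wide and is confined only when foo launches it.
profile foo_shell {
  #include <abstractions/base>

  /bin/bash mr,
  /usr/share/foo/scripts/** r,
}
```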
