Novell LINUX ENTERPRISE DESKTOP 11 - SECURITY GUIDE 17-03-2009 Manual page 281

Glob w/Ext
    This modifies the original directory path while retaining the filename extension. For example, /etc/apache2/file.ext becomes /etc/apache2/*.ext, adding the wild card (asterisk) in place of the filename. This allows the program to access all files in the suggested directory that end with the .ext extension.

Abort
    Aborts aa-logprof, losing all rule changes entered so far and leaving all profiles unmodified.

Finish
    Closes aa-logprof, saving all rule changes entered so far and modifying all profiles.

aa-logprof Example 2

For example, when profiling vsftpd, see this question:

    Profile:  /usr/sbin/vsftpd
    Path:     /y2k.jpg

    New Mode: r

    [1 - /y2k.jpg]

    (A)llow / [(D)eny] / (N)ew / (G)lob / Glob w/(E)xt / Abo(r)t / (F)inish

Several items of interest appear in this question. First, note that vsftpd is asking for a
path entry at the top of the tree, even though vsftpd on SUSE Linux Enterprise Desktop
serves FTP files from /srv/ftp by default. This is because httpd2-prefork uses chroot
and, for the portion of the code inside the chroot jail, AppArmor sees file accesses in
terms of the chroot environment rather than the global absolute path.
The second item of interest is that you might want to grant FTP read access to all JPEG
files in the directory, so you could use Glob w/Ext and use the suggested path of
/*.jpg. Doing so collapses all previous rules granting access to individual .jpg files
and forestalls any future questions pertaining to access to .jpg files.
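
To judge how much access each choice grants before answering the prompt, the following added example (not part of the original guide, and not aa-logprof's own code) models the Glob and Glob w/Ext path rewrites and checks a rule against a list of paths. It assumes AppArmor's documented globbing, where * does not cross a / and ** does; the function names and the sample paths are constructed for illustration.

```python
import posixpath
import re

def glob_with_ext(path):
    """Glob w/Ext: replace the filename with '*' but keep its extension."""
    directory, name = posixpath.split(path)
    _, ext = posixpath.splitext(name)
    return posixpath.join(directory, "*" + ext)

def glob(path):
    """Glob: replace the whole last path component with '*'."""
    directory, _ = posixpath.split(path)
    return posixpath.join(directory, "*")

def rule_to_regex(rule):
    """Translate a path rule to a regex. Simplified model: only '*' and
    '**' are handled; '?', '[]' and '{}' are not modelled here."""
    out, i = [], 0
    while i < len(rule):
        if rule.startswith("**", i):
            out.append(".*")        # '**' crosses directory boundaries
            i += 2
        elif rule[i] == "*":
            out.append("[^/]*")     # '*' stays within one directory level
            i += 1
        else:
            out.append(re.escape(rule[i]))
            i += 1
    return re.compile("".join(out))

def allows(rule, path):
    return rule_to_regex(rule).fullmatch(path) is not None

# Constructed sample paths, as seen from inside the FTP chroot.
SAMPLE = ["/y2k.jpg", "/logo.jpg", "/pub/img/a.jpg", "/welcome.msg", "/pub/README"]

def coverage(rule, paths=SAMPLE):
    """Return the sample paths that the rule would grant access to."""
    return [p for p in paths if allows(rule, p)]

if __name__ == "__main__":
    asked = "/y2k.jpg"
    for label, rule in [("Allow", asked), ("Glob w/Ext", glob_with_ext(asked)),
                        ("Glob", glob(asked)), ("New", "/**.jpg")]:
        print(f"{label:10} {rule:10} -> {coverage(rule)}")
```

Running it lists, for each answer to the prompt, which of the sample paths the resulting rule would cover, so the narrowest rule that still satisfies the service can be chosen.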
Finally, you might want to grant more general access to FTP files. If you select Glob
in the last entry, aa-logprof replaces the suggested path of /y2k.jpg with /*. Alternatively,
you might want to grant even more access to the entire directory tree, in which
case you could use the New path option and enter /**.jpg (which would grant access