Novell LINUX ENTERPRISE DESKTOP 11 - SECURITY GUIDE 17-03-2009 Manual page 291

Choosing Add Requested Hat in the previous step creates a new hat in the profile
and specifies that the results of subsequent questions about the script's actions
are added to the newly created hat rather than the default hat for this application.
In the next screen, Novell AppArmor displays an external program that the script
executed. You can specify that the program should run confined by the phpsys-
info hat (choose Inherit), confined by a separate profile (choose Profile), or that
it should run unconfined or without any security profile (choose Unconfined).
For the case of the Profile option, a new profile is created for the program if one
does not already exist.
NOTE: Security Considerations
Selecting Unconfined can create a significant security hole and should
be done with caution.
8a Select Inherit for the /bin/bash path. This adds /bin/bash (accessed
by Apache) to the phpsysinfo hat profile with the necessary permissions.
8b Click Allow.
9 The remaining questions prompt you to generate new hats and add entries to your
profile and its hats. The process of adding entries to profiles is covered in detail
in the Section 23.1, "Adding a Profile Using the Wizard"
When all profiling questions are answered, click Finish to save your changes
and exit the wizard.
The following is an example phpsysinfo hat.
Profiling Your Web Applications Using ChangeHat
(page 227).
279