Novell LINUX ENTERPRISE SERVER 11 - SECURITY Manual page 324

to all .jpg files in the entire directory tree) or /** (which would grant access to all
files in the directory tree).
These items deal with read accesses. Write accesses are similar, except that it is good
policy to be more conservative in your use of regular expressions for write accesses.
Dealing with execute accesses is more complex. Find an example in Example 24.1,
"Learning Mode Exception: Controlling Access to Specific Resources" (page 300).
In the following example, the /usr/bin/mail mail client is being profiled and
aa-logprof has discovered that /usr/bin/mail executes /usr/bin/less as a helper
application to "page" long mail messages. Consequently, it presents this prompt:
/usr/bin/nail -> /usr/bin/less
(I)nherit / (P)rofile / (U)nconfined / (D)eny
TIP
The actual executable file for /usr/bin/mail turns out to be /usr/bin/nail,
which is not a typographical error.
The program /usr/bin/less appears to be a simple one for scrolling through text
that is more than one screen long and that is in fact what /usr/bin/mail is using
it for. However, less is actually a large and powerful program that makes use of many
other helper applications, such as tar and rpm.
TIP
Run less on a tar file or an RPM file and it shows you the inventory of these
containers.
You do not want to run rpm automatically when reading mail messages (that leads
directly to a Microsoft* Outlook–style virus attack, because rpm has the power to install
and modify system programs), so, in this case, the best choice is to use Inherit. This
results in the less program executed from this context running under the profile for
/usr/bin/mail. This has two consequences:
• You need to add all of the basic file accesses for /usr/bin/less to the profile
for /usr/bin/mail.
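The Inherit, Profile and Unconfined answers to the prompt above end up in the profile as the execute qualifiers ix, px and ux on the rule for the helper. The following audit script is an added example, not part of the manual: it lists the execute rules in a profile and reports any helper left unconfined. The sample profile and its paths other than /usr/bin/nail and /usr/bin/less are constructed, and only path-first rules with these qualifiers are handled.

```python
import re

# Execute qualifier on a profile rule -> the aa-logprof answer that produces it.
EXEC_CHOICE = {"ix": "Inherit", "px": "Profile", "ux": "Unconfined"}

# Path-first file rule such as "/usr/bin/less rix,". Lines starting with
# "deny", "#include" or the profile header do not match and are skipped.
RULE = re.compile(r"^\s*(/\S+)\s+([A-Za-z]+),\s*(#.*)?$")

# Constructed sample profile (not taken from the manual).
SAMPLE_PROFILE = """\
#include <tunables/global>
/usr/bin/nail {
  #include <abstractions/base>
  /usr/bin/nail mr,
  /etc/nail.rc r,
  /usr/bin/less ix,
  /usr/sbin/sendmail px,
}
"""

def exec_rules(profile_text):
    """Return (target, choice) for every rule that grants execute access."""
    found = []
    for line in profile_text.splitlines():
        m = RULE.match(line)
        if not m:
            continue
        # Px and Ux are the environment-scrubbing forms of px and ux.
        q = re.search(r"[ipu]x", m.group(2), re.IGNORECASE)
        if q:
            found.append((m.group(1), EXEC_CHOICE[q.group(0).lower()]))
    return found

def unconfined_helpers(profile_text):
    """Targets that would run with no AppArmor profile at all (ux/Ux)."""
    return [path for path, choice in exec_rules(profile_text)
            if choice == "Unconfined"]

if __name__ == "__main__":
    for path, choice in exec_rules(SAMPLE_PROFILE):
        print(f"{path}: {choice}")
    risky = SAMPLE_PROFILE.replace("less ix", "less ux")
    print("unconfined:", unconfined_helpers(risky))
```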