#include statements are directives that pull in components of other Novell AppArmor profiles to simplify profiles. Include files fetch access permissions for programs. By using an include, you can give the program access to directory paths or files that are also required by other programs. Using includes can reduce the size of a profile.
By default, AppArmor adds /etc/apparmor.d to the path in the #include statement. AppArmor expects the include files to be located in /etc/apparmor.d. Unlike other profile statements (but similar to C programs), #include lines do not end with a comma.
To assist you in profiling your applications, Novell AppArmor provides three classes of #includes: abstractions, program chunks and tunables.
Abstractions are #includes that are grouped by common application tasks. These tasks include access to authentication mechanisms, access to name service routines, common graphics requirements, and system accounting. Files listed in these abstractions are specific to the named task. Programs that require one of these files usually require some of the other files listed in the abstraction file (depending on the local configuration as well as the specific requirements of the program). Find abstractions in /etc/apparmor.d/abstractions.
The program-chunks directory (/etc/apparmor.d/program-chunks) contains some chunks of profiles that are specific to program suites and not generally useful outside of the suite. They are therefore never suggested for use in profiles by the profile wizards (aa-logprof and aa-genprof). Currently, program chunks are only available for the postfix program suite.
The tunables directory (/etc/apparmor.d/tunables) contains global variable definitions. When used in a profile, these variables expand to a value that can be changed without changing the entire profile. Add all the tunables definitions that should be available to every profile to /etc/apparmor.d/tunables/global.
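Because an include brings in permissions that are not visible in the profile itself, it helps to inline the includes when reviewing a profile. The following is an added example, not part of the original documentation or of AppArmor: a small Python reviewer's aid that resolves #include <...> lines against a base directory and reports which class each include belongs to, which are missing, and which wrongly end in a comma. The function names, the /usr/bin/example profile, the example-suite chunk and all file contents are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Angle-bracket form only: the path is taken relative to the base directory.
INCLUDE_RE = re.compile(r"^\s*#include\s+<([^>]+)>\s*(,?)\s*$")

def expand(text, base, seen=None):
    """Inline #include files; return (effective_lines, findings)."""
    seen = set() if seen is None else seen
    out, findings = [], []
    for line in text.splitlines():
        m = INCLUDE_RE.match(line)
        if not m:
            out.append(line)
            continue
        rel, comma = m.groups()
        if comma:  # include lines do not end with a comma
            findings.append(f"trailing comma on include: {rel}")
        target = Path(base) / rel
        if not target.is_file():
            findings.append(f"missing include: {rel}")
        elif rel not in seen:  # inline each file once, which also stops loops
            seen.add(rel)
            findings.append(f"{rel.split('/', 1)[0]}: {rel}")
            sub_out, sub_findings = expand(target.read_text(), base, seen)
            out.extend(sub_out)
            findings.extend(sub_findings)
    return out, findings

def demo():
    """Run expand() on a constructed tree (invented contents) standing in for /etc/apparmor.d."""
    with tempfile.TemporaryDirectory() as d:
        base = Path(d)
        for sub in ("abstractions", "tunables"):
            (base / sub).mkdir()
        (base / "tunables/global").write_text("@{HOME}=/home/*/ /root/\n")
        (base / "abstractions/base").write_text("/etc/ld.so.cache r,\n")
        (base / "abstractions/nameservice").write_text(
            "#include <abstractions/base>\n/etc/hosts r,\n")
        profile = (
            "#include <tunables/global>\n"
            "/usr/bin/example {\n"
            "  #include <abstractions/base>\n"
            "  #include <abstractions/nameservice>,\n"
            "  #include <program-chunks/example-suite>\n"
            "  @{HOME}/.examplerc r,\n"
            "}\n")
        return expand(profile, base)
```

Calling demo() returns the flattened profile lines and the findings list; on a real system, pass the profile text and /etc/apparmor.d to expand() instead.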