apparmor/profiles/extras/README

The profiles in this directory are not turned on by default because they
are not as mature as the profiles in /etc/apparmor.d/.

In some cases, it is because the profile hasn't been updated to work
with newer code; in other cases, it because any benefit provided by the
profile is much less than the potential for causing problems.

In short, feel free to try these profiles if you wish, but be aware that
they may not work on default configurations, let alone your specific
configuration.

To use, for example, the postfix profiles, we recommend running commands
such as:

  # cd /etc/apparmor/profiles/extras
  # mv *postfix* usr.sbin.post* /etc/apparmor.d/
  # mv usr.bin.procmail usr.sbin.sendmail /etc/apparmor.d/
  # aa-complain /etc/apparmor.d/*postfix*
  # aa-complain /etc/apparmor.d/usr.sbin.post*
  # aa-complain /etc/apparmor.d/usr.bin.procmail
  # aa-complain /etc/apparmor.d/usr.sbin.sendmail
  # rcapparmor restart
    <use postfix>
  # aa-logprof
    <answer some questions>

Once you've used the profiles enough to feel confident that they will
work for your situation, then run commands such as the following:

  # aa-enforce /etc/apparmor.d/*postfix*
  # aa-enforce /etc/apparmor.d/usr.sbin.post*
  # aa-enforce /etc/apparmor.d/usr.bin.procmail 
  # aa-enforce /etc/apparmor.d/usr.sbin.sendmail

You may use the aa-unconfined tool to make sure your profiles are
working as you expect.

Feedback on these unsupported profiles is welcomed; any
contributions for this directory should be clearly licensed
-- we recommend using the GPL. Please mail suggestions or
modifications to the apparmor-general@forge.novell.com mail list:
http://forge.novell.com/mailman/listinfo/apparmor-general

Thanks