Comment 14 for bug 157952

Jacob Torrey (ranok) wrote : Re: [Bug 157952] Re: Profile violations fail to log correctly

Here you go

# $Id: logprof.conf 981 2007-09-17 03:28:26Z DominicReynolds_ $
# ------------------------------------------------------------------
#
# Copyright (C) 2004-2006 Novell/SUSE
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

[settings]
  # Paths and helper programs used by the profiling tools.  Keys in this
  # file are indented by two spaces; keep new keys at the same indent, since
  # the reader has to tolerate the leading whitespace.  Where a key lists
  # several values they are separated by spaces.

  # Directories searched for installed profiles.  /etc/subdomain.d is the
  # legacy (SubDomain-era) location kept alongside the AppArmor one.
  profiledir = /etc/apparmor.d /etc/subdomain.d
  # Profiles that are shipped but not active -- presumably offered as
  # starting points when a new profile is generated; confirm against the tool.
  inactive_profiledir = /usr/share/doc/apparmor-profiles/extras
  # Log files scanned for AppArmor / audit messages.
  # NOTE(review): which of these is used when more than one exists is not
  # visible here -- presumably the first one found; confirm against logprof.
  logfiles = /var/log/audit/audit.log /var/log/messages /var/log/syslog

  # Helper binaries, with alternative locations/names listed after the
  # preferred one.  The subdomain_* names are the legacy equivalents of the
  # apparmor_* ones.
  parser = /sbin/apparmor_parser /sbin/subdomain_parser
  ldd = /usr/bin/ldd
  logger = /bin/logger /usr/bin/logger

  # custom directory locations to look for #includes
  #
  # each name should be a valid directory containing possible #include
  # candidate files under the profile dir which by default is /etc/apparmor.d.
  #
  # So an entry of my-includes will allow /etc/apparmor.d/my-includes to
  # be used by the yast UI and profiling tools as a source of #include
  # files.  Anything found there is treated like a shipped include, so the
  # directory should be writable only by root.
  custom_includes =

[repository]
  # Remote profile repository the tools talk to.
  # Distribution identifier for this system (presumably used to pick
  # matching profiles on the repository side; confirm against the client).
  distro = ubuntu-gutsy
  # NOTE(review): plain http, and the hostname marks this as a test backend.
  # Nothing on the transport protects the integrity or confidentiality of
  # profiles fetched from or uploaded to this endpoint, so any profile
  # obtained through it should be reviewed before being installed; prefer
  # an https endpoint if the service provides one.
  url = http://apparmor.test.opensuse.org/backend/api
  # Repository account name offered by default -- presumably for uploads;
  # confirm against the tool that reads it.
  preferred_user = ubuntu

[qualifiers]
  # Program path -> exec modes the tools may offer when a confined process
  # executes that program.  Letters used in this file:
  #   i  inherit the caller's profile (the program gets no profile of its own)
  #   u  run unconfined
  # An entry containing u is a trust decision: the program leaves
  # confinement entirely, so additions to the u lists deserve review.

  # things will be painfully broken if bash has a profile
  /bin/bash = iu
  /bin/ksh = iu

  # these programs can't function if they're confined
  # (the subdomain_* entries are the legacy names of the apparmor tools)
  /bin/mount = u
  /etc/init.d/subdomain = u
  /sbin/cardmgr = u
  /sbin/subdomain_parser = u
  /usr/sbin/genprof = u
  /usr/sbin/logprof = u
  /usr/lib/YaST2/servers_non_y2/ag_genprof = u
  /usr/lib/YaST2/servers_non_y2/ag_logprof = u

  # these ones shouldn't have their own profiles: they inherit the
  # caller's profile, so the caller's rules still bound what they can do
  /bin/awk = i
  /bin/cat = i
  /bin/chmod = i
  /bin/chown = i
  /bin/cp = i
  /bin/gawk = i
  /bin/grep = i
  /bin/gunzip = i
  /bin/gzip = i
  /bin/kill = i
  /bin/ln = i
  /bin/ls = i
  /bin/mkdir = i
  /bin/mv = i
  /bin/readlink = i
  /bin/rm = i
  /bin/sed = i
  /bin/touch = i
  /sbin/killall5 = i
  /usr/bin/find = i
  /usr/bin/killall = i
  /usr/bin/nice = i
  /usr/bin/perl = i
  /usr/bin/tr = i

[required_hats]
  # Regex on the program path -> hats (space-separated) that the program's
  # profile must contain.  The two listed are the hats used for Apache
  # request handling; the regex covers apache, apache2 and apache2-prefork
  # (and the httpd spellings) under any directory.
  ^.+/apache(|2|2-prefork)$ = DEFAULT_URI HANDLING_UNTRUSTED_INPUT
  ^.+/httpd(|2|2-prefork)$ = DEFAULT_URI HANDLING_UNTRUSTED_INPUT

[defaulthat]
  # Regex on the program path -> hat to use for that program's events when
  # no hat is named explicitly (presumably; confirm against the log parser).
  # Must be one of the hats listed for the same program in [required_hats].
  ^.+/apache(|2|2-prefork)$ = DEFAULT_URI
  ^.+/httpd(|2|2-prefork)$ = DEFAULT_URI

[globs]
  # Regex on an accessed path -> glob the tools suggest in place of the
  # exact path.  Every rule here widens the resulting profile rule from the
  # one observed path to a whole family of paths, so each entry trades a
  # shorter profile against least privilege.  A single * stops at a
  # directory separator; ** also matches across directories.

  # /foo/bar/lib/libbaz.so -> /foo/bar/lib/lib*so*
  # (not anchored at the start, so it applies to a lib/ directory at any depth)
  /lib/lib[^\/]+so[^\/]*$ = /lib/lib*so*

  # strip kernel version numbers from kernel module accesses
  ^/lib/modules/[^\/]+\/ = /lib/modules/*/

  # strip pid numbers from /proc accesses
  # (a rule learned for one pid then covers the /proc entry of every process)
  ^/proc/\d+/ = /proc/*/

  # if it looks like a home directory, glob out the username
  # (a path learned under one user's home is generalised to all users' homes;
  # check the suggestion is really meant for every user before accepting it)
  ^/home/[^\/]+ = /home/*

  # if they use any perl modules, grant access to all (recursively, via **)
  ^/usr/lib/perl5/.+$ = /usr/lib/perl5/**

  # locale data: grant the whole tree rather than individual files
  ^/usr/lib/locale/.+$ = /usr/lib/locale/**
  ^/usr/share/locale/.+$ = /usr/share/locale/**

  # timezone data: grant the whole tree rather than individual files
  ^/usr/share/zoneinfo/.+$ = /usr/share/zoneinfo/**

  # /foobar/fonts/baz -> /foobar/fonts/**
  # (not anchored at the start, so it applies to a fonts/ directory at any depth)
  /fonts/.+$ = /fonts/**

  # Disabled: turning /foo/bar/baz.8907234 into /foo/bar/baz.* looked
  # useful, but the same rule would turn libfoo.so.5.6.0 into the
  # misleading glob libfoo.so.5.6.* -- kept here as a reminder.
  # \.\d+$ = .*

  # PAM / /etc/security paths.  The original author was unsure about these
  # entries; review them rather than relying on them as given.
  ^/etc/security/_[^\/]+$ = /etc/security/*
  ^/lib/security/pam_filter/[^\/]+$ = /lib/security/pam_filter/*
  ^/lib/security/pam_[^\/]+\.so$ = /lib/security/pam_*.so

  ^/etc/pam.d/[^\/]+$ = /etc/pam.d/*
  ^/etc/profile.d/[^\/]+\.sh$ = /etc/profile.d/*.sh