Comment 8 for bug 1014304

Christian Boltz (cboltz) wrote:

Minimal testcase:

Save this profile as /etc/apparmor.d/home.cb.linuxtag.apparmor.scripts.hello

/home/cb/linuxtag/apparmor/scripts/hello {
  /home/cb/linuxtag/apparmor/scripts/hello r,
  /home/sys-tmp/hello.txt w,
}

Then create a file audit-1014304.log and add the following 3 lines to it:

type=AVC msg=audit(1408292461.263:527): apparmor="ALLOWED" operation="exec" profile="/home/cb/linuxtag/apparmor/scripts/hello" name="/usr/bin/cat" pid=16989 comm="hello" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/home/cb/linuxtag/apparmor/scripts/hello//null-3"
type=AVC msg=audit(1408292461.264:533): apparmor="ALLOWED" operation="file_mprotect" profile="/home/cb/linuxtag/apparmor/scripts/hello//null-3" name="/usr/bin/cat" pid=16989 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1408292461.265:564): apparmor="ALLOWED" operation="open" profile="/home/cb/linuxtag/apparmor/scripts/hello//null-3" name="/home/sys-tmp/hello.txt" pid=16989 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

Run "aa-logprof -f audit-1014304.log", select "(C)hild" for cat, "(A)llow" for hello.txt and save the modified profile.

Run "aa-logprof -f audit-1014304.log" again - it will propose read access for cat and hello.txt in the main profile (which does _not_ require those permissions).
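To make the mis-attribution concrete, here is an added Python example (not AppArmor's own code and not part of the comment above) that parses the three audit lines and credits each access to the profile that generated it. It assumes that a `//null-N` transition target is resolved to the exec'd binary named in the exec event, which is what the child profile created with (C)hild stands for.

```python
import re
from collections import defaultdict

# Constructed copy of the three audit lines quoted in the comment above.
AUDIT_LINES = [
    'type=AVC msg=audit(1408292461.263:527): apparmor="ALLOWED" operation="exec" '
    'profile="/home/cb/linuxtag/apparmor/scripts/hello" name="/usr/bin/cat" pid=16989 '
    'comm="hello" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 '
    'target="/home/cb/linuxtag/apparmor/scripts/hello//null-3"',
    'type=AVC msg=audit(1408292461.264:533): apparmor="ALLOWED" operation="file_mprotect" '
    'profile="/home/cb/linuxtag/apparmor/scripts/hello//null-3" name="/usr/bin/cat" '
    'pid=16989 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    'type=AVC msg=audit(1408292461.265:564): apparmor="ALLOWED" operation="open" '
    'profile="/home/cb/linuxtag/apparmor/scripts/hello//null-3" name="/home/sys-tmp/hello.txt" '
    'pid=16989 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
]

FIELD_RE = re.compile(r'(\w+)="([^"]*)"|(\w+)=(\S+)')

def parse_event(line):
    """Return the key=value fields of one AppArmor audit line as a dict."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, value = (m.group(1), m.group(2)) if m.group(1) else (m.group(3), m.group(4))
        fields[key] = value
    return fields

def attribute_events(lines):
    """Map each logged access to the profile that generated it.
    'parent//null-N' entries are resolved via the exec event's target to
    (parent, exec'd binary) - an assumption about how the (C)hild profile is
    labelled; those accesses belong to the child, never to the bare parent."""
    null_to_child = {}
    for line in lines:
        ev = parse_event(line)
        if ev.get('operation') == 'exec' and '//null-' in ev.get('target', ''):
            null_to_child[ev['target']] = ev['name']
    grouped = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev.get('type') != 'AVC' or 'profile' not in ev:
            continue
        parent, _, hat = ev['profile'].partition('//')
        child = null_to_child.get(ev['profile'], hat or None)
        grouped[(parent, child)].append((ev['operation'], ev['name'], ev['requested_mask']))
    return dict(grouped)
```

With these three lines the bare parent profile ends up with only the exec of /usr/bin/cat; the read of /usr/bin/cat and of hello.txt land under the child, which is the split the second aa-logprof run fails to preserve.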