On 09/21/2015 11:35 PM, Robert Munteanu wrote:
> Hi John,
>
> On Tue, Sep 22, 2015 at 12:11 AM, John Johansen
> <[email protected]> wrote:
>> On 09/21/2015 07:33 AM, Robert Munteanu wrote:
>>> Hi,
>>>
>>> I'm running apparmor 2.9.1, Kernel 3.16.7-24-default on openSUSE 13.2
>>> x86_64. During my attempts to configure and enable apparmor I hit a
>>> roadblock which I can't get out of. I created a
>>> usr.sbin.httpd2-prefork profile to match the apache installation from
>>> openSUSE. ( see diff at the end, I can find nothing relevant ).
>>>
>>> Trying to put the module into enforce mode leads to an error parsing
>>> /etc/apparmor.d/tunables/home:
>>>
>>> # aa-enforce usr.sbin.httpd2-prefork
>>> Setting /etc/apparmor.d/usr.sbin.httpd2-prefork to enforce mode.
>>> Traceback (most recent call last):
>>>   File "/usr/sbin/aa-enforce", line 30, in <module>
>>>     tool.cmd_enforce()
>>>   File "/usr/lib/python3.4/site-packages/apparmor/tools.py", line 166,
>>> in cmd_enforce
>>>     raise apparmor.AppArmorException(cmd_info[1])
>>> apparmor.common.AppArmorException: 'AppArmor parser error for
>>> /etc/apparmor.d/usr.sbin.httpd2-prefork in
>>> /etc/apparmor.d/tunables/home at line 16: syntax error, unexpected
>>> TOK_EQUALS, expecting TOK_MODE\n'
>>>
>>> The tunables/home file is unchanged.
>>>
>>> This looks a lot like
>>> https://bugs.launchpad.net/ubuntu/+source/mysql-5.6/+bug/1487536 , but
>>> I don't have an ubuntu machine to use apport for adding more
>>> information.
>>>
>>> How can I debug/fix this issue?
>>>
>> Hi Robert, I am not sure what is going on from the provided info. However
>> we can manually work around this if needed.
>>
>> if you do
>> sudo apparmor_parser -r usr.sbin.httpd2-prefork
>>
>> does it succeed?
>
> No, same error:
>
> # apparmor_parser -r usr.sbin.httpd2-prefork
> AppArmor parser error for usr.sbin.httpd2-prefork in
> /etc/apparmor.d/tunables/home at line 16: syntax error, unexpected
> TOK_EQUALS, expecting TOK_MODE
>
>>
>> To manually put the profile in enforce mode, you need to make sure it is
>> not tagged as being in complain mode. This can be done by setting a
>> symlink in /etc/apparmor.d/force-complain or by directly setting the
>> flag in the profile file. Eg.
>>
>> /etc/apparmor.d/usr.sbin.httpd2-prefork
>
> I guess I would break more stuff by manually putting the profile in
> enforce mode if it's not parseable ...
>

can you attach the output of

  apparmor_parser -p /etc/apparmor.d/usr.sbin.httpd2-prefork

that will give us a flattened dump of the profile with all its includes expanded
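
The thread names two places where a profile can be tagged for complain mode: a symlink in /etc/apparmor.d/force-complain and a flag in the profile file. The following shell helper checks both; it is an added example, not part of the original messages. `complain_sources` is a hypothetical helper name, and the `flags=(complain)` header form is assumed to be how the flag appears in the profile.

```shell
#!/bin/sh
# Added example: report where a profile is tagged for complain mode.
# Assumptions: the directory layout named in the thread (/etc/apparmor.d
# with a force-complain/ subdirectory); complain_sources is hypothetical.

# complain_sources PROFILE_FILE [PROFILE_DIR]
# Prints one line per place that tags the profile as complain, or "none"
# when neither the symlink nor the header flag is present.
complain_sources() {
    name=$1
    dir=${2:-/etc/apparmor.d}
    found=0

    # 1. An entry with the profile's file name in force-complain/.
    #    -L also catches a dangling symlink, which -e alone would miss.
    if [ -e "$dir/force-complain/$name" ] || [ -L "$dir/force-complain/$name" ]; then
        echo "symlink: $dir/force-complain/$name"
        found=1
    fi

    # 2. A complain flag in a profile header, for example
    #    /usr/sbin/httpd2-prefork flags=(complain) {
    #    Comment lines are dropped first; the flag may share the list
    #    with other flags such as attach_disconnected.
    if grep -v '^[[:space:]]*#' "$dir/$name" 2>/dev/null |
        grep -Eq 'flags=\([^)]*complain[^)]*\)'; then
        echo "flag: $dir/$name"
        found=1
    fi

    [ "$found" -eq 1 ] || echo "none"
}
```

Run as `complain_sources usr.sbin.httpd2-prefork`. It only reads files and does not invoke the parser, so it still works while the profile itself fails to parse.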
