On Tue, Sep 22, 2015 at 10:02 AM, John Johansen <[email protected]> wrote:
> On 09/21/2015 11:35 PM, Robert Munteanu wrote:
>> Hi John,
>>
>> On Tue, Sep 22, 2015 at 12:11 AM, John Johansen
>> <[email protected]> wrote:
>>> On 09/21/2015 07:33 AM, Robert Munteanu wrote:
>>>> Hi,
>>>>
>>>> I'm running apparmor 2.9.1, Kernel 3.16.7-24-default on openSUSE 13.2
>>>> x86_64. During my attempts to configure and enable apparmor I hit a
>>>> roadblock which I can't get out of. I created a
>>>> usr.sbin.httpd2-prefork profile to match the apache installation from
>>>> openSUSE. ( see diff at the end, I can find nothing relevant ).
>>>>
>>>> Trying to put the module into enforce mode leads to an error parsing
>>>> /etc/apparmor.d/tunables/home:
>>>>
>>>> # aa-enforce usr.sbin.httpd2-prefork
>>>> Setting /etc/apparmor.d/usr.sbin.httpd2-prefork to enforce mode.
>>>> Traceback (most recent call last):
>>>>   File "/usr/sbin/aa-enforce", line 30, in <module>
>>>>     tool.cmd_enforce()
>>>>   File "/usr/lib/python3.4/site-packages/apparmor/tools.py", line 166,
>>>> in cmd_enforce
>>>>     raise apparmor.AppArmorException(cmd_info[1])
>>>> apparmor.common.AppArmorException: 'AppArmor parser error for
>>>> /etc/apparmor.d/usr.sbin.httpd2-prefork in
>>>> /etc/apparmor.d/tunables/home at line 16: syntax error, unexpected
>>>> TOK_EQUALS, expecting TOK_MODE\n'
>>>>
>>>> The tunables/home file is unchanged.
>>>>
>>>> This looks a lot like
>>>> https://bugs.launchpad.net/ubuntu/+source/mysql-5.6/+bug/1487536 , but
>>>> I don't have an ubuntu machine to use apport for adding more
>>>> information.
>>>>
>>>> How can I debug/fix this issue?
>>>>
>>> Hi Robert I am not sure what is going on from the provided info. However
>>> we can manually work around this if needed.
>>>
>>> if you do
>>> sudo apparmor_parser -r usr.sbin.httpd2-prefork
>>>
>>> does it succeed?
>>
>> No, same error:
>>
>> # apparmor_parser -r usr.sbin.httpd2-prefork
>> AppArmor parser error for usr.sbin.httpd2-prefork in
>> /etc/apparmor.d/tunables/home at line 16: syntax error, unexpected
>> TOK_EQUALS, expecting TOK_MODE
>>
>>>
>>> To manually put the profile in enforce mode, you need to make sure it is
>>> not tagged as being in complain mode. This can be done by setting a
>>> symlink in /etc/apparmor.d/force-complain or by directly setting the
>>> flag in the profile file. Eg.
>>>
>>> /etc/apparmor.d/usr.sbin.httpd2-prefork
>>
>> I guess I would break more stuff by manually putting the profile in
>> enforce mode if it's not parseable ...
>>
> can you attach the output of
> apparmor_parser -p /etc/apparmor.d/usr.sbin.httpd2-prefork
>
> that will give us a flattened dump of the profile with all its includes
> expanded

Sure, attached. I find it strange that the output ends with a
@{HOME}=
line, which would explain the error. However, I don't have such a line
in my /etc/apparmor.d directory
srv001:/etc/apparmor.d # grep -E '^@\{HOME' -R .
./tunables/home:@{HOME}=@{HOMEDIRS}/*/ /root/
./tunables/home:@{HOMEDIRS}=/home/
Thanks,
Robert
--
http://robert.muntea.nu/
httpd-prefork-expanded
Description: Binary data
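
The quoted advice above names two places where a profile can be tagged for complain mode: an entry under /etc/apparmor.d/force-complain and a flag in the profile file itself. The shell function below is an added example, not part of the original thread or of AppArmor's tools, that checks both for a given profile file. The `flags=(complain)` header form it looks for and the sample tree built by the hypothetical helper `make_sample_tree` are assumptions, and the sample profiles are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from AppArmor's own tools.

# profile_mode DIR NAME: print "complain", "enforce" or "missing" for the
# profile file DIR/NAME, based on the two markers named in the thread.
profile_mode() {
    dir=$1
    name=$2
    [ -f "$dir/$name" ] || { echo missing; return 1; }
    # Marker 1: an entry (normally a symlink) named after the profile file
    # in force-complain/. -L also catches a dangling symlink.
    if [ -e "$dir/force-complain/$name" ] || [ -L "$dir/force-complain/$name" ]; then
        echo complain
        return 0
    fi
    # Marker 2: "complain" inside flags=(...) on a non-comment line
    # (assumed header form: /path/to/binary flags=(complain) { ).
    if grep -Eq '^[^#]*flags=\(([^)]*[, ])?complain([, ][^)]*)?\)' "$dir/$name"; then
        echo complain
        return 0
    fi
    echo enforce
}

# make_sample_tree: build a constructed profile directory for trying the
# check offline and print its path. All profile contents are made up.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/force-complain"
    printf '%s\n' '/usr/sbin/httpd2-prefork {' '  /etc/apache2/** r,' '}' \
        > "$t/usr.sbin.httpd2-prefork"
    printf '%s\n' '/usr/sbin/flagged flags=(attach_disconnected, complain) {' '}' \
        > "$t/usr.sbin.flagged"
    # The flag appears only in a comment here, so it must not count.
    printf '%s\n' '# flags=(complain)' '/usr/sbin/plain {' '}' \
        > "$t/usr.sbin.plain"
    echo "$t"
}
```

On a real system the call would be `profile_mode /etc/apparmor.d usr.sbin.httpd2-prefork`. It inspects files only and says nothing about what the kernel currently has loaded.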
