Sorry, forgot to include the list

On Tue, Sep 22, 2015 at 11:03 AM, Robert Munteanu <[email protected]> wrote:
> On Tue, Sep 22, 2015 at 11:00 AM, John Johansen
> <[email protected]> wrote:
>> On 09/22/2015 12:19 AM, Robert Munteanu wrote:
>>> On Tue, Sep 22, 2015 at 10:02 AM, John Johansen
>>> <[email protected]> wrote:
>>>> On 09/21/2015 11:35 PM, Robert Munteanu wrote:
>>>>> Hi John,
>>>>>
>>>>> On Tue, Sep 22, 2015 at 12:11 AM, John Johansen
>>>>> <[email protected]> wrote:
>>>>>> On 09/21/2015 07:33 AM, Robert Munteanu wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I'm running apparmor 2.9.1, Kernel 3.16.7-24-default on openSUSE 13.2
>>>>>>> x86_64. During my attempts to configure and enable apparmor I hit a
>>>>>>> roadblock which I can't get out of. I created a
>>>>>>> usr.sbin.httpd2-prefork profile to match the apache installation from
>>>>>>> openSUSE. ( see diff at the end, I can find nothing relevant ).
>>>>>>>
>>>>>>> Trying to put the module into enforce mode leads to an error parsing
>>>>>>> /etc/apparmor.d/tunables/home:
>>>>>>>
>>>>>>> # aa-enforce usr.sbin.httpd2-prefork
>>>>>>> Setting /etc/apparmor.d/usr.sbin.httpd2-prefork to enforce mode.
>>>>>>> Traceback (most recent call last):
>>>>>>>   File "/usr/sbin/aa-enforce", line 30, in <module>
>>>>>>>     tool.cmd_enforce()
>>>>>>>   File "/usr/lib/python3.4/site-packages/apparmor/tools.py", line 166,
>>>>>>> in cmd_enforce
>>>>>>>     raise apparmor.AppArmorException(cmd_info[1])
>>>>>>> apparmor.common.AppArmorException: 'AppArmor parser error for
>>>>>>> /etc/apparmor.d/usr.sbin.httpd2-prefork in
>>>>>>> /etc/apparmor.d/tunables/home at line 16: syntax error, unexpected
>>>>>>> TOK_EQUALS, expecting TOK_MODE\n'
>>>>>>>
>>>>>>> The tunables/home file is unchanged.
>>>>>>>
>>>>>>> This looks a lot like
>>>>>>> https://bugs.launchpad.net/ubuntu/+source/mysql-5.6/+bug/1487536 , but
>>>>>>> I don't have an ubuntu machine to use apport for adding more
>>>>>>> information.
>>>>>>>
>>>>>>> How can I debug/fix this issue?
>>>>>>>
>>>>>> Hi Robert, I am not sure what is going on from the provided info. However
>>>>>> we can manually work around this if needed.
>>>>>>
>>>>>> if you do
>>>>>>   sudo apparmor_parser -r usr.sbin.httpd2-prefork
>>>>>>
>>>>>> does it succeed?
>>>>>
>>>>> No, same error:
>>>>>
>>>>> # apparmor_parser -r usr.sbin.httpd2-prefork
>>>>> AppArmor parser error for usr.sbin.httpd2-prefork in
>>>>> /etc/apparmor.d/tunables/home at line 16: syntax error, unexpected
>>>>> TOK_EQUALS, expecting TOK_MODE
>>>>>
>>>>>>
>>>>>> To manually put the profile in enforce mode, you need to make sure it is
>>>>>> not tagged as being in complain mode. This can be done by setting a
>>>>>> symlink in /etc/apparmor.d/force-complain or by directly setting the
>>>>>> flag in the profile file. Eg.
>>>>>>
>>>>>> /etc/apparmor.d/usr.sbin.httpd2-prefork
>>>>>
>>>>> I guess I would break more stuff by manually putting the profile in
>>>>> enforce mode if it's not parseable ...
>>>>>
>>>> can you attach the output of
>>>>   apparmor_parser -p /etc/apparmor.d/usr.sbin.httpd2-prefork
>>>>
>>>> that will give us a flattened dump of the profile with all its includes
>>>> expanded
>>>
>>> Sure, attached. I find it strange that the output ends with a
>>>
>>> @{HOME}=
>>>
>>> line, which would explain the error. However, I don't have such a line
>>> in my /etc/apparmor.d directory
>>>
>> So this is an artifact of how the parser is processing variables.
>>
>> The defines are read and partially processed during the preprocessing phase of
>> the parse and it is choking on @{HOME}= being assigned inside of the profile
>> scope (currently vars can only be defined in the header).
>>
>> What you need to look for is a file in <apache2.d> that is including
>> <tunables/global>
>
> That's right, there's an apache2.d/wordpress file which has that include
>
> Removing it makes the error go away, which is good. On the other hand,
> the wordpress file, which contains
>
> ^wordpress {
>   #include <abstractions/base>
>   #include <abstractions/nameservice>
>   #include <abstractions/apache2-common>
>   #include <abstractions/php5>
>   /srv/www/wordpress/ r,
>   /srv/www/wordpress/** r,
>   /srv/www/wordpress/wp-content/** w,
>   /var/log/apache2/** w,
>   /srv/www/mod_pagespeed/cache/** w,
>   /etc/wordpress/wp-config.php r,
>   @{PROC}/@{pid}/statm r,
> }
>
> makes apparmor_parser complain:
>
> $ apparmor_parser -r wordpress
> Found reference to variable PROC, but is never declared
>
> Robert
> --
> http://robert.muntea.nu/
--
http://robert.muntea.nu/
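
Added example, not part of the thread and not AppArmor project code: a Python script that follows a profile's `#include <...>` chain and reports every `@{VAR}=` assignment that lands inside profile scope, which is the condition John describes for the `@{HOME}=` error. Assumptions: includes resolve against one base directory (standing in for /etc/apparmor.d), only the `<...>` include form is followed, scope is tracked by counting braces rather than by AppArmor's grammar, and the file contents in SAMPLE are constructed.

```python
import os, re, tempfile

INCLUDE = re.compile(r'^\s*#?include\s+<([^>]+)>')   # only the <...> form is followed
ASSIGN = re.compile(r'^\s*@\{(\w+)\}\s*\+?=')        # @{VAR}= or @{VAR}+=
VARREF = re.compile(r'@\{\w+\}')                     # braces of @{VAR} are not scope

def scan(path, base, depth=0, chain=(), hits=None):
    """Record variable assignments reached at brace depth > 0; returns (depth, hits)."""
    hits = [] if hits is None else hits
    chain = chain + (os.path.relpath(path, base),)
    with open(path) as fh:
        for lineno, line in enumerate(fh, 1):
            inc = INCLUDE.match(line)
            if inc:
                target = os.path.join(base, inc.group(1))
                # Including a directory pulls in every file inside it.
                files = ([os.path.join(target, f) for f in sorted(os.listdir(target))]
                         if os.path.isdir(target) else [target])
                for f in files:
                    depth, _ = scan(f, base, depth, chain, hits)
                continue
            var = ASSIGN.match(line)
            if var and depth > 0:
                hits.append((var.group(1), lineno, chain))
            code = VARREF.sub('', line.split('#', 1)[0])   # drop comments and @{VAR}
            depth += code.count('{') - code.count('}')
    return depth, hits

# Constructed sample tree (not the poster's real files).
SAMPLE = {
    'tunables/home': '@{HOME}=/home/*/ /root/\n',
    'tunables/global': '#include <tunables/home>\n@{PROC}=/proc/\n',
    'apache2.d/wordpress': '#include <tunables/global>\n^wordpress {\n'
                           '  @{PROC}/@{pid}/statm r,\n}\n',
    'usr.sbin.httpd2-prefork': '#include <tunables/global>\n'
                               '/usr/sbin/httpd2-prefork {\n  #include <apache2.d>\n}\n',
}

def demo():
    with tempfile.TemporaryDirectory() as base:
        for rel, text in SAMPLE.items():
            os.makedirs(os.path.dirname(os.path.join(base, rel)), exist_ok=True)
            with open(os.path.join(base, rel), 'w') as fh:
                fh.write(text)
        return scan(os.path.join(base, 'usr.sbin.httpd2-prefork'), base)

if __name__ == '__main__':
    for name, lineno, chain in demo()[1]:
        print(f'@{{{name}}} assigned in profile scope: {" -> ".join(chain)} line {lineno}')
```

Each hit carries the include chain, so the file that pulls a tunables file into profile scope (here apache2.d/wordpress) is the second-to-outermost entry rather than the tunables file the parser error names.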
