On 09/22/2015 01:13 AM, Robert Munteanu wrote:
> On Tue, Sep 22, 2015 at 11:09 AM, John Johansen
> <[email protected]> wrote:
>> << snip >>
>>
>>>>>> Sure, attached. I find it strange that the output ends with a
>>>>>>
>>>>>> @{HOME}=
>>>>>>
>>>>>> line, which would explain the error. However, I don't have such a line
>>>>>> in my /etc/apparmor.d directory
>>>>>>
>>>>> So this is an artifact of how the parser is processing variables.
>>>>>
>>>>> The defines are read and partially processed during the preprocessing
>>>>> phase of the parse and it is choking on @{HOME}= being assigned inside
>>>>> of the profile scope (currently vars can only be defined in the header).
>>>>>
>>>>> What you need to look for is a file in <apache2.d> that is including
>>>>> <tunables/global>
>>>>
>>>> That's right, there's a apache2.d/wordpress file which has that include
>>>>
>>>> Removing it makes the error go away, which is good. On the other hand,
>>>> the wordpress file, which contains
>>>>
>>>> ^wordpress {
>>>>   #include <abstractions/base>
>>>>   #include <abstractions/nameservice>
>>>>   #include <abstractions/apache2-common>
>>>>   #include <abstractions/php5>
>>>>   /srv/www/wordpress/ r,
>>>>   /srv/www/wordpress/** r,
>>>>   /srv/www/wordpress/wp-content/** w,
>>>>   /var/log/apache2/** w,
>>>>   /srv/www/mod_pagespeed/cache/** w,
>>>>   /etc/wordpress/wp-config.php r,
>>>>   @{PROC}/@{pid}/statm r,
>>>> }
>>>>
>>>> makes apparmor_parser complain:
>>>>
>>>> $ apparmor_parser -r wordpress
>>>> Found reference to variable PROC, but is never declared
>>>>
>>
>> strange, @{PROC} is definitely defined earlier,
>>
>> can you provide me an updated output for
>> apparmor_parser -p /etc/apparmor.d/usr.sbin.httpd2-prefork
>
> Sure, it's attached.
>
> The question is though - should I call apparmor_parser on
> apache.d/wordpress ( which is a fragment ) or is it enough to call it
> on usr.sbin.httpd2-prefork ?
>
ah I missed that!

So you should only need to call it on usr.sbin.httpd2-prefork, the fragments do
not contain enough information to be properly parsed and inserted directly. You
will end up with errors like the one above.

Looking at the dump you attached the ^wordpress child profile is in it and would
be loaded as part of usr.sbin.httpd2-prefork

If you want to be able to call/load the children profiles separate from the
usr.sbin.httpd2-prefork profile I can walk you through the changes that would be
needed, but I will spare you the details unless you ask for it.
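The check suggested in the thread (find the file under <apache2.d> that includes <tunables/global> inside profile scope), sketched as an added example that is not from the thread or the AppArmor project. The file contents in SAMPLE_TREE are constructed, and the brace-counting scan is a simplification of what apparmor_parser does (only `<...>` includes, no `include if exists`).

```python
import re

# Constructed sample files, keyed by path under /etc/apparmor.d (not the poster's real ones).
SAMPLE_TREE = {
    "tunables/global": "@{HOME}=/home/*/ /root/\n@{PROC}=/proc/\n",
    "abstractions/base": "/etc/ld.so.cache r,\n",
    "apache2.d/wordpress": ("#include <tunables/global>\n"
                            "^wordpress {\n"
                            "  #include <abstractions/base>\n"
                            "  @{PROC}/@{pid}/statm r,\n"
                            "}\n"),
    "usr.sbin.httpd2-prefork": ("#include <tunables/global>\n"
                                "/usr/sbin/httpd2-prefork {\n"
                                "  #include <abstractions/base>\n"
                                "  #include <apache2.d>\n"
                                "}\n"),
}

INCLUDE = re.compile(r"^\s*#?include\s+<([^>]+)>")
ASSIGN = re.compile(r"^\s*(@\{\w+\})\s*\+?=")

def expand(tree, name):
    """An include names one file, or a directory whose files are all pulled in."""
    if name in tree:
        return [name]
    return sorted(p for p in tree if p.startswith(name.rstrip("/") + "/"))

def scoped_assignments(tree, path, depth=0, chain=()):
    """List (variable, include chain) for assignments reached inside a profile block."""
    chain += (path,)
    hits = []
    for line in tree[path].splitlines():
        # Drop comments, but keep the '#include' directive form.
        code = line if INCLUDE.match(line) else line.split("#", 1)[0]
        inc, var = INCLUDE.match(code), ASSIGN.match(code)
        if inc:
            for target in expand(tree, inc.group(1)):
                if target not in chain:  # guard against include loops
                    hits += scoped_assignments(tree, target, depth, chain)
        elif var and depth > 0:
            hits.append((var.group(1), chain))
        else:
            # @{VAR} and {a,b} alternations balance out; only block braces remain.
            depth += code.count("{") - code.count("}")
    return hits

if __name__ == "__main__":
    for var, chain in scoped_assignments(SAMPLE_TREE, "usr.sbin.httpd2-prefork"):
        print(f"{var} assigned inside profile scope via " + " -> ".join(chain))
```

With the include removed from the fragment the scan comes back empty, but the fragment then carries no definition of @{PROC} of its own, which is why it only loads as part of usr.sbin.httpd2-prefork.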
