[apparmor] Apparmor parser error ... syntax error, unexpected TOK_EQUALS, expecting TOK_MODE
Robert Munteanu
robert.munteanu at gmail.com
Tue Sep 22 06:35:09 UTC 2015
Hi John,

On Tue, Sep 22, 2015 at 12:11 AM, John Johansen
<john.johansen at canonical.com> wrote:
> On 09/21/2015 07:33 AM, Robert Munteanu wrote:
>> Hi,
>>
>> I'm running apparmor 2.9.1, Kernel 3.16.7-24-default on openSUSE 13.2
>> x86_64. During my attempts to configure and enable apparmor I hit a
>> roadblock which I can't get out of. I created a
>> usr.sbin.httpd2-prefork profile to match the apache installation from
>> openSUSE. ( see diff at the end, I can find nothing relevant ).
>>
>> Trying to put the module into enforce mode leads to an error parsing
>> /etc/apparmor.d/tunables/home:
>>
>> # aa-enforce usr.sbin.httpd2-prefork
>> Setting /etc/apparmor.d/usr.sbin.httpd2-prefork to enforce mode.
>> Traceback (most recent call last):
>> File "/usr/sbin/aa-enforce", line 30, in <module>
>> tool.cmd_enforce()
>> File "/usr/lib/python3.4/site-packages/apparmor/tools.py", line 166,
>> in cmd_enforce
>> raise apparmor.AppArmorException(cmd_info[1])
>> apparmor.common.AppArmorException: 'AppArmor parser error for
>> /etc/apparmor.d/usr.sbin.httpd2-prefork in
>> /etc/apparmor.d/tunables/home at line 16: syntax error, unexpected
>> TOK_EQUALS, expecting TOK_MODE\n'
>>
>> The tunables/home file is unchanged.
>>
>> This looks a lot like
>> https://bugs.launchpad.net/ubuntu/+source/mysql-5.6/+bug/1487536 , but
>> I don't have an ubuntu machine to use apport for adding more
>> information.
>>
>> How can I debug/fix this issue?
>>
> Hi Robert, I am not sure what is going on from the provided info. However
> we can manually work around this if needed.
>
> If you do
> sudo apparmor_parser -r usr.sbin.httpd2-prefork
>
> does it succeed?

No, same error:

# apparmor_parser -r usr.sbin.httpd2-prefork
AppArmor parser error for usr.sbin.httpd2-prefork in
/etc/apparmor.d/tunables/home at line 16: syntax error, unexpected
TOK_EQUALS, expecting TOK_MODE

>
> To manually put the profile in enforce mode, you need to make sure it is
> not tagged as being in complain mode. This can be done by setting a
> symlink in /etc/apparmor.d/force-complain or by directly setting the
> flag in the profile file. Eg.
>
> /etc/apparmor.d/usr.sbin.httpd2-prefork

I guess I would break more stuff by manually putting the profile in
enforce mode if it's not parseable ...

Thanks,

Robert
--
http://robert.muntea.nu/
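
The quoted reply names two places where a profile can be tagged as complain mode: a symlink under force-complain and a flag in the profile file. The shell sketch below is an added example, not part of the original thread or of the AppArmor tools; the function name complain_markers and the scratch-directory profile are constructed for illustration, and it only reports the markers without changing anything.

```shell
#!/bin/sh
# Added example: list the complain-mode markers for one profile.
# complain_markers is a hypothetical helper, not an AppArmor command.
# Usage: complain_markers <profile directory> <profile file name>
# Prints one line per marker; returns 0 if any marker exists, 1 if none.
complain_markers() {
    dir=$1
    name=$2
    found=1

    # Marker 1: an entry (normally a symlink) under force-complain/.
    # -L also catches a dangling symlink, which -e would miss.
    if [ -e "$dir/force-complain/$name" ] || [ -L "$dir/force-complain/$name" ]; then
        echo "force-complain: $dir/force-complain/$name"
        found=0
    fi

    # Marker 2: "complain" inside a flags=(...) list on a non-comment line,
    # e.g. flags=(complain) or flags=(attach_disconnected,complain).
    if [ -f "$dir/$name" ]; then
        pat='^[^#]*flags=\(([^)]*,[[:space:]]*)?complain[[:space:]]*[,)]'
        hits=$(grep -nE "$pat" "$dir/$name" || true)
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits" | while IFS= read -r line; do
                echo "flag: $dir/$name:$line"
            done
            found=0
        fi
    fi
    return $found
}

# Constructed demo in a scratch directory (not real system profiles).
demo=$(mktemp -d)
mkdir "$demo/force-complain"
printf '%s\n' '/usr/sbin/httpd2-prefork flags=(complain) {' '}' \
    > "$demo/usr.sbin.httpd2-prefork"
ln -s ../usr.sbin.httpd2-prefork "$demo/force-complain/usr.sbin.httpd2-prefork"
complain_markers "$demo" usr.sbin.httpd2-prefork || echo "no complain markers"
```

On a real system the first argument would be /etc/apparmor.d, the directory used throughout the thread.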