[apparmor] Apparmor parser error ... syntax error, unexpected TOK_EQUALS, expecting TOK_MODE
John Johansen
john.johansen at canonical.com
Tue Sep 22 07:02:59 UTC 2015
On 09/21/2015 11:35 PM, Robert Munteanu wrote:
> Hi John,
>
> On Tue, Sep 22, 2015 at 12:11 AM, John Johansen
> <john.johansen at canonical.com> wrote:
>> On 09/21/2015 07:33 AM, Robert Munteanu wrote:
>>> Hi,
>>>
>>> I'm running apparmor 2.9.1, Kernel 3.16.7-24-default on openSUSE 13.2
>>> x86_64. During my attempts to configure and enable apparmor I hit a
>>> roadblock which I can't get out of. I created a
>>> usr.sbin.httpd2-prefork profile to match the apache installation from
>>> openSUSE. ( see diff at the end, I can find nothing relevant ).
>>>
>>> Trying to put the module into enforce mode leads to an error parsing
>>> /etc/apparmor.d/tunables/home:
>>>
>>> # aa-enforce usr.sbin.httpd2-prefork
>>> Setting /etc/apparmor.d/usr.sbin.httpd2-prefork to enforce mode.
>>> Traceback (most recent call last):
>>> File "/usr/sbin/aa-enforce", line 30, in <module>
>>> tool.cmd_enforce()
>>> File "/usr/lib/python3.4/site-packages/apparmor/tools.py", line 166,
>>> in cmd_enforce
>>> raise apparmor.AppArmorException(cmd_info[1])
>>> apparmor.common.AppArmorException: 'AppArmor parser error for
>>> /etc/apparmor.d/usr.sbin.httpd2-prefork in
>>> /etc/apparmor.d/tunables/home at line 16: syntax error, unexpected
>>> TOK_EQUALS, expecting TOK_MODE\n'
>>>
>>> The tunables/home file is unchanged.
>>>
>>> This looks a lot like
>>> https://bugs.launchpad.net/ubuntu/+source/mysql-5.6/+bug/1487536 , but
>>> I don't have an ubuntu machine to use apport for adding more
>>> information.
>>>
>>> How can I debug/fix this issue?
>>>
>> Hi Robert, I am not sure what is going on from the provided info. However
>> we can manually work around this if needed.
>>
>> if you do
>> sudo apparmor_parser -r usr.sbin.httpd2-prefork
>>
>> does it succeed?
>
> No, same error:
>
> # apparmor_parser -r usr.sbin.httpd2-prefork
> AppArmor parser error for usr.sbin.httpd2-prefork in
> /etc/apparmor.d/tunables/home at line 16: syntax error, unexpected
> TOK_EQUALS, expecting TOK_MODE
>
>>
>> To manually put the profile in enforce mode, you need to make sure it is
>> not tagged as being in complain mode. This can be done by setting a
>> symlink in /etc/apparmor.d/force-complain or by directly setting the
>> flag in the profile file. Eg.
>>
>> /etc/apparmor.d/usr.sbin.httpd2-prefork
>
> I guess I would break more stuff by manually putting the profile in
> enforce mode if it's not parseable ...
>
Can you attach the output of
  apparmor_parser -p /etc/apparmor.d/usr.sbin.httpd2-prefork
That will give us a flattened dump of the profile with all its includes expanded.
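
The thread names two places a profile can be tagged as complain mode: a symlink under force-complain and a flag in the profile file. The following is an added example, not part of the original messages or of the AppArmor tools, that reports which of the two applies. The function name `complain_sources` is hypothetical, and the `flags=(complain)` header syntax it looks for is assumed from AppArmor's profile language, not shown in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Reports where a profile is tagged as
# complain mode: a force-complain entry, a complain flag in the profile, both,
# or neither.
# Usage: complain_sources <profile directory> <profile file name>
# e.g.   complain_sources /etc/apparmor.d usr.sbin.httpd2-prefork
complain_sources() {
    dir=$1
    name=$2
    found=""

    # An entry with the profile's file name under force-complain/ tags the
    # profile. -L also catches a dangling symlink.
    if [ -e "$dir/force-complain/$name" ] || [ -L "$dir/force-complain/$name" ]; then
        found="symlink"
    fi

    # Look for "complain" inside a flags=(...) list, alone or among other
    # flags. Whole-line comments are dropped first so a commented-out flag
    # is not reported.
    if grep -v '^[[:space:]]*#' "$dir/$name" 2>/dev/null |
        grep -Eq 'flags[[:space:]]*=[[:space:]]*\(([^)]*[[:space:],])?complain[[:space:],)]'; then
        found="${found:+$found }flag"
    fi

    # Prints one of: none, symlink, flag, "symlink flag"
    echo "${found:-none}"
}

# Run as a script when given both arguments; does nothing when sourced.
if [ "$#" -eq 2 ]; then
    complain_sources "$1" "$2"
fi
```

A result of `none` only means the profile is not tagged for complain mode; it still has to parse before it can be loaded in enforce mode.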