[apparmor] Apparmor parser error ... syntax error, unexpected TOK_EQUALS, expecting TOK_MODE
Robert Munteanu
robert.munteanu at gmail.com
Tue Sep 22 07:19:49 UTC 2015
On Tue, Sep 22, 2015 at 10:02 AM, John Johansen
<john.johansen at canonical.com> wrote:
> On 09/21/2015 11:35 PM, Robert Munteanu wrote:
>> Hi John,
>>
>> On Tue, Sep 22, 2015 at 12:11 AM, John Johansen
>> <john.johansen at canonical.com> wrote:
>>> On 09/21/2015 07:33 AM, Robert Munteanu wrote:
>>>> Hi,
>>>>
>>>> I'm running apparmor 2.9.1, Kernel 3.16.7-24-default on openSUSE 13.2
>>>> x86_64. During my attempts to configure and enable apparmor I hit a
>>>> roadblock which I can't get out of. I created a
>>>> usr.sbin.httpd2-prefork profile to match the apache installation from
>>>> openSUSE. ( see diff at the end, I can find nothing relevant ).
>>>>
>>>> Trying to put the module into enforce mode leads to an error parsing
>>>> /etc/apparmor.d/tunables/home:
>>>>
>>>> # aa-enforce usr.sbin.httpd2-prefork
>>>> Setting /etc/apparmor.d/usr.sbin.httpd2-prefork to enforce mode.
>>>> Traceback (most recent call last):
>>>>   File "/usr/sbin/aa-enforce", line 30, in <module>
>>>>     tool.cmd_enforce()
>>>>   File "/usr/lib/python3.4/site-packages/apparmor/tools.py", line 166,
>>>> in cmd_enforce
>>>>     raise apparmor.AppArmorException(cmd_info[1])
>>>> apparmor.common.AppArmorException: 'AppArmor parser error for
>>>> /etc/apparmor.d/usr.sbin.httpd2-prefork in
>>>> /etc/apparmor.d/tunables/home at line 16: syntax error, unexpected
>>>> TOK_EQUALS, expecting TOK_MODE\n'
>>>>
>>>> The tunables/home file is unchanged.
>>>>
>>>> This looks a lot like
>>>> https://bugs.launchpad.net/ubuntu/+source/mysql-5.6/+bug/1487536 , but
>>>> I don't have an ubuntu machine to use apport for adding more
>>>> information.
>>>>
>>>> How can I debug/fix this issue?
>>>>
>>> Hi Robert, I am not sure what is going on from the provided info. However
>>> we can manually work around this if needed.
>>>
>>> if you do
>>> sudo apparmor_parser -r usr.sbin.httpd2-prefork
>>>
>>> does it succeed?
>>
>> No, same error:
>>
>> # apparmor_parser -r usr.sbin.httpd2-prefork
>> AppArmor parser error for usr.sbin.httpd2-prefork in
>> /etc/apparmor.d/tunables/home at line 16: syntax error, unexpected
>> TOK_EQUALS, expecting TOK_MODE
>>
>>>
>>> To manually put the profile in enforce mode, you need to make sure it is
>>> not tagged as being in complain mode. This can be done by setting a
>>> symlink in /etc/apparmor.d/force-complain or by directly setting the
>>> flag in the profile file. Eg.
>>>
>>> /etc/apparmor.d/usr.sbin.httpd2-prefork
>>
>> I guess I would break more stuff by manually putting the profile in
>> enforce mode if it's not parseable ...
>>
> can you attach the output of
> apparmor_parser -p /etc/apparmor.d/usr.sbin.httpd2-prefork
>
> that will give us a flattened dump of the profile with all its includes expanded

Sure, attached. I find it strange that the output ends with a

  @{HOME}=

line, which would explain the error. However, I don't have such a line
in my /etc/apparmor.d directory:

  srv001:/etc/apparmor.d # grep -E '^@\{HOME' -R .
  ./tunables/home:@{HOME}=@{HOMEDIRS}/*/ /root/
  ./tunables/home:@{HOMEDIRS}=/home/

Thanks,
Robert
--
http://robert.muntea.nu/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: httpd-prefork-expanded
Type: application/octet-stream
Size: 76589 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20150922/8bbe2b4c/attachment-0001.obj>
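
An added example, not part of the original thread: a shell helper that scans saved `apparmor_parser -p` output (or the profile and tunables files themselves) for variable assignments with nothing on the right-hand side, such as the `@{HOME}=` line described above, and prints file, line number and text. The names `empty_assignments` and `demo` and the sample input are constructed for illustration; the check goes slightly beyond the message by also covering `+=` and lines ending in a carriage return.

```shell
#!/bin/sh
# Added example: list AppArmor variable assignments with an empty value.
# Arguments: one or more files, e.g. saved `apparmor_parser -p` output
# or files under /etc/apparmor.d/tunables.
empty_assignments() {
    awk '
        # "@{NAME}=" or "@{NAME}+=", optionally indented.
        match($0, /^[ \t]*@[{][A-Za-z_][A-Za-z0-9_]*[}][ \t]*[+]?=/) {
            value = substr($0, RSTART + RLENGTH)
            gsub(/[ \t\r]/, "", value)   # ignore blanks and a stray CR
            if (value == "") {
                line = $0
                sub(/\r$/, "", line)
                printf "%s:%d:%s\n", FILENAME, FNR, line
            }
        }
    ' "$@"
}

# Constructed sample: the two definitions shown in the grep output above,
# followed by an empty assignment like the one at the end of the dump.
demo() {
    sample=$(mktemp) || return 1
    printf '%s\n' \
        '@{HOME}=@{HOMEDIRS}/*/ /root/' \
        '@{HOMEDIRS}=/home/' \
        '@{HOME}=' > "$sample"
    empty_assignments "$sample"
    rm -f "$sample"
}

demo
```

Unlike the anchored `grep` in the message, this reports only assignments whose value is empty, with the line number to compare against the one in the parser error.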