[apparmor] Apparmor parser error ... syntax error, unexpected TOK_EQUALS, expecting TOK_MODE

John Johansen john.johansen at canonical.com
Tue Sep 22 08:00:22 UTC 2015


On 09/22/2015 12:19 AM, Robert Munteanu wrote:
> On Tue, Sep 22, 2015 at 10:02 AM, John Johansen
> <john.johansen at canonical.com> wrote:
>> On 09/21/2015 11:35 PM, Robert Munteanu wrote:
>>> Hi John,
>>>
>>> On Tue, Sep 22, 2015 at 12:11 AM, John Johansen
>>> <john.johansen at canonical.com> wrote:
>>>> On 09/21/2015 07:33 AM, Robert Munteanu wrote:
>>>>> Hi,
>>>>>
>>>>> I'm running apparmor 2.9.1, Kernel 3.16.7-24-default on openSUSE 13.2
>>>>> x86_64. During my attempts to configure and enable apparmor I hit a
>>>>> roadblock which I can't get out of. I created a
>>>>> usr.sbin.httpd2-prefork profile to match the apache installation from
>>>>> openSUSE. ( see diff at the end, I can find nothing relevant ).
>>>>>
>>>>> Trying to put the module into enforce mode leads to an error parsing
>>>>> /etc/apparmor.d/tunables/home:
>>>>>
>>>>> # aa-enforce usr.sbin.httpd2-prefork
>>>>> Setting /etc/apparmor.d/usr.sbin.httpd2-prefork to enforce mode.
>>>>> Traceback (most recent call last):
>>>>>  File "/usr/sbin/aa-enforce", line 30, in <module>
>>>>>    tool.cmd_enforce()
>>>>>  File "/usr/lib/python3.4/site-packages/apparmor/tools.py", line 166,
>>>>> in cmd_enforce
>>>>>    raise apparmor.AppArmorException(cmd_info[1])
>>>>> apparmor.common.AppArmorException: 'AppArmor parser error for
>>>>> /etc/apparmor.d/usr.sbin.httpd2-prefork in
>>>>> /etc/apparmor.d/tunables/home at line 16: syntax error, unexpected
>>>>> TOK_EQUALS, expecting TOK_MODE\n'
>>>>>
>>>>> The tunables/home file is unchanged.
>>>>>
>>>>> This looks a lot like
>>>>> https://bugs.launchpad.net/ubuntu/+source/mysql-5.6/+bug/1487536 , but
>>>>> I don't have an ubuntu machine to use apport for adding more
>>>>> information.
>>>>>
>>>>> How can I debug/fix this issue?
>>>>>
>>>> Hi Robert, I am not sure what is going on from the provided info. However,
>>>> we can manually work around this if needed.
>>>>
>>>> if you do
>>>>   sudo apparmor_parser -r usr.sbin.httpd2-prefork
>>>>
>>>> does it succeed?
>>>
>>> No, same error:
>>>
>>> # apparmor_parser -r usr.sbin.httpd2-prefork
>>> AppArmor parser error for usr.sbin.httpd2-prefork in
>>> /etc/apparmor.d/tunables/home at line 16: syntax error, unexpected
>>> TOK_EQUALS, expecting TOK_MODE
>>>
>>>>
>>>> To manually put the profile in enforce mode, you need to make sure it is
>>>> not tagged as being in complain mode.  This can be done by setting a
>>>> symlink in /etc/apparmor.d/force-complain or by directly setting the
>>>> flag in the profile file. Eg.
>>>>
>>>> /etc/apparmor.d/usr.sbin.httpd2-prefork
>>>
>>> I guess I would break more stuff by manually putting the profile in
>>> enforce mode if it's not parseable ...
>>>
>> can you attach the output of
>>   apparmor_parser -p /etc/apparmor.d/usr.sbin.httpd2-prefork
>>
>> that will give us a flattened dump of the profile with all its includes expanded
> 
> Sure, attached. I find it strange that the output ends with a
> 
> @{HOME}=
> 
> line, which would explain the error. However, I don't have such a line
> in my /etc/apparmor.d directory
> 
So this is an artifact of how the parser is processing variables.

The defines are read and partially processed during the preprocessing phase of
the parse and it is choking on @{HOME}= being assigned inside of the profile
scope (currently vars can only be defined in the header).

What you need to look for is a file in <apache2.d> that is including
<tunables/global>.
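
Added example, not part of the original message or of the AppArmor tools: one way to find the include described above, by walking a profile's includes and reporting any tunables include or variable definition reached inside a profile block. The names `scan` and `build_sample`, the file `apache2.d/local-site` and the sample tree are constructed for illustration, and block tracking is a line-based heuristic rather than the real parser grammar.

```python
import os, re, tempfile
from pathlib import Path

INCLUDE = re.compile(r'^\s*#?include\s+<([^>]+)>')
VAR_DEF = re.compile(r'^\s*@\{\w+\}\s*\+?=')

def scan(path, base, depth=0, chain=()):
    """Return (findings, depth); findings are in-profile tunables includes or variable definitions."""
    findings, chain = [], chain + (os.path.relpath(path, base),)
    with open(path) as fh:
        for lineno, line in enumerate(fh, 1):
            inc = INCLUDE.match(line)
            code = line.strip() if inc else line.split('#', 1)[0].strip()
            if inc:
                name = inc.group(1)
                if depth > 0 and name.startswith('tunables/'):
                    findings.append((chain, lineno, code))
                    continue  # root cause located; no need to descend into it
                target = Path(base, name)
                # a directory include pulls in every file in that directory
                files = sorted(target.iterdir()) if target.is_dir() else [target]
                for f in (f for f in files if f.is_file()):
                    sub, depth = scan(f, base, depth, chain)
                    findings += sub
            elif VAR_DEF.match(code):
                if depth > 0:  # variables may only be defined in the header
                    findings.append((chain, lineno, code))
            elif code.endswith('{'):  # heuristic: a profile or hat block opens
                depth += 1
            elif code == '}':
                depth -= 1
    return findings, depth

def build_sample(base):
    """Constructed miniature of /etc/apparmor.d; apache2.d/local-site is hypothetical."""
    files = {
        'tunables/global': '#include <tunables/home>\n',
        'tunables/home': '@{HOMEDIRS}=/home/\n@{HOME}=@{HOMEDIRS}/*/ /root/\n',
        'apache2.d/local-site': '# site rules\n#include <tunables/global>\n',
        'usr.sbin.httpd2-prefork': '#include <tunables/global>\n/usr/sbin/httpd2-prefork {\n'
                                   '  #include <apache2.d>\n  /srv/www/** r,\n}\n',
    }
    for rel, text in files.items():
        Path(base, rel).parent.mkdir(parents=True, exist_ok=True)
        Path(base, rel).write_text(text)
    return Path(base, 'usr.sbin.httpd2-prefork')

if __name__ == '__main__':
    with tempfile.TemporaryDirectory() as d:
        print(scan(build_sample(d), d))
```

On a real system the call would be `scan('/etc/apparmor.d/usr.sbin.httpd2-prefork', '/etc/apparmor.d')`; each finding carries the chain of files that led to the offending line.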



