Hi,

I'm upgrading from debian8/apparmor-2.9.0 to
debian9/apparmor-2.11.0 and am seeing an error message
when using aa-complain and aa-enforce (but not when using
apparmor_parser).

 # aa-enforce usr.sbin.apache2
 ERROR: Profile /usr/sbin/apache2^indexcgi defined twice in
   /etc/apparmor.d/usr.sbin.apache2, last found in line 89

 # aa-complain usr.sbin.apache2
 ERROR: Profile /usr/sbin/apache2^indexcgi defined twice in
   /etc/apparmor.d/usr.sbin.apache2, last found in line 89

Strangely, loading it with "apparmor_parser -r usr.sbin.apache2"
is silent, exits with 0, and the profiles are all loaded.
aa-status shows:

  /usr/sbin/apache2
  /usr/sbin/apache2//indexcgi
  /usr/sbin/apache2//indexcgi//enscript
  /usr/sbin/apache2//indexcgi//mutt
  /usr/sbin/apache2//indexcgi//mutt//exim4
  /usr/sbin/apache2//officecgi

But removing it with "apparmor_parser -R usr.sbin.apache2"
produces:

 apparmor_parser: Unable to remove "/usr/sbin/apache2//indexcgi//enscript".
   Profile doesn't exist

The structure of the /etc/apparmor.d/usr.sbin.apache2 is:

  /usr/sbin/apache2 {
    ...
    /var/vwebsites/example.com/index.cgi rCx -> indexcgi,
    /var/vwebsites/example.com/office/index.cgi rCx -> officecgi,
    profile indexcgi {
      ...
      /usr/bin/enscript Px -> /usr/sbin/apache2//indexcgi//enscript,
      /usr/bin/mutt     Px -> /usr/sbin/apache2//indexcgi//mutt,
    }
    profile officecgi {
      ...
    }
  }
  profile /usr/sbin/apache2//indexcgi//mutt { # this is line 89
    ...
    /usr/sbin/exim4 Px -> /usr/sbin/apache2//indexcgi//mutt//exim4,
  }
  profile /usr/sbin/apache2//indexcgi//mutt//exim4 {
    ...
  }
  profile /usr/sbin/apache2//indexcgi//enscript {
    ...
  }

The line 89 referred to in the error message is the line
where the profile /usr/sbin/apache2//indexcgi//mutt is
defined (even though it's saying that that's where the
previous definition of the /usr/sbin/apache2//indexcgi
profile occurred).

Is there something wrong with the above?
Has the syntax changed for nested profiles?

I originally tried to put the last three profiles inside
the parent profile but that syntax wasn't supported at the time
and I was advised to do it this way.

cheers,
raf


-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
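To illustrate the name clash the error message points at, here is an added Python example (it is not code from this post and not from AppArmor's own aa-enforce/aa-complain utilities). It walks the profile layout shown in the post, building each block's full `//`-qualified name as aa-status prints it, and then checks for duplicates two ways: on the full name, where everything is unique, and on a two-component `profile^hat` key, where the three top-level profiles under indexcgi all collapse onto `/usr/sbin/apache2^indexcgi`. That the 2.11 tools collapse names this way is an assumption made for the example, not something the post establishes; the sample profile text and its line numbers are constructed.

```python
import re
from collections import Counter

# Constructed sample input: the profile skeleton from the post, condensed
# to the lines that matter (rule bodies elided).  Line numbers below refer
# to this sample, not to the poster's real /etc/apparmor.d/usr.sbin.apache2.
SAMPLE_PROFILE = """\
/usr/sbin/apache2 {
  /var/vwebsites/example.com/index.cgi rCx -> indexcgi,
  /var/vwebsites/example.com/office/index.cgi rCx -> officecgi,
  profile indexcgi {
    /usr/bin/enscript Px -> /usr/sbin/apache2//indexcgi//enscript,
    /usr/bin/mutt     Px -> /usr/sbin/apache2//indexcgi//mutt,
  }
  profile officecgi {
  }
}
profile /usr/sbin/apache2//indexcgi//mutt {
  /usr/sbin/exim4 Px -> /usr/sbin/apache2//indexcgi//mutt//exim4,
}
profile /usr/sbin/apache2//indexcgi//mutt//exim4 {
}
profile /usr/sbin/apache2//indexcgi//enscript {
}
"""

# Start of a profile block: optional 'profile' keyword, a name, then '{'.
# Deliberately minimal: flags=(...), attachment specs and '^hat' syntax
# are not handled, since the post does not use them.
PROFILE_START = re.compile(r'^(?:profile\s+)?(\S+)\s*\{$')


def collect_profiles(text):
    """Return [(line_no, full_name), ...] for every profile block in text.

    Nesting is tracked with a stack.  A block opened inside another block
    gets its parent's name prefixed with '//', so 'profile indexcgi' inside
    '/usr/sbin/apache2' becomes '/usr/sbin/apache2//indexcgi', the same
    name aa-status prints for it.  Top-level blocks keep their name as-is.
    """
    found = []
    stack = []  # full names of open blocks; None for non-profile blocks
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.split('#', 1)[0].strip()  # drop trailing comments
        if stripped.endswith('{'):
            m = PROFILE_START.match(stripped)
            if m:
                parent = next((s for s in reversed(stack) if s), None)
                full = parent + '//' + m.group(1) if parent else m.group(1)
                found.append((line_no, full))
                stack.append(full)
            else:
                stack.append(None)  # some other brace block; keep braces balanced
        elif stripped == '}' and stack:
            stack.pop()
    return found


def two_component_key(full_name):
    """Collapse a name the way a parser that only models 'profile^hat' would:
    keep the first two '//' components and join them with '^'.

    Assumption for illustration: this is why the post's error names
    '/usr/sbin/apache2^indexcgi' although no such block is written twice.
    """
    return '^'.join(full_name.split('//')[:2])


def first_collision(text, key=lambda name: name):
    """Return (key, line_no) of the first block whose key was already seen,
    i.e. the point at which a 'defined twice ... last found in line N'
    style error would fire.  Returns None when all keys are unique."""
    seen = set()
    for line_no, name in collect_profiles(text):
        k = key(name)
        if k in seen:
            return k, line_no
        seen.add(k)
    return None


def duplicate_keys(text, key=lambda name: name):
    """All keys that occur more than once, sorted."""
    counts = Counter(key(name) for _, name in collect_profiles(text))
    return sorted(k for k, n in counts.items() if n > 1)


if __name__ == '__main__':
    print('full names:', [n for _, n in collect_profiles(SAMPLE_PROFILE)])
    print('collision on full names:', first_collision(SAMPLE_PROFILE))
    print('collision on profile^hat keys:',
          first_collision(SAMPLE_PROFILE, two_component_key))
```

Run as-is, the full-name check reports no duplicates (matching what apparmor_parser -r accepts), while the `profile^hat` check reports a collision at the line that opens `profile /usr/sbin/apache2//indexcgi//mutt`, the same position relative to the layout that the post's "last found in line 89" names.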
