On 06/18/2018 09:21 PM, appar...@raf.org wrote:
> Hi,
>
> I'm upgrading from debian8/apparmor-2.9.0 to
> debian9/apparmor-2.11.0 and am seeing an error message
> when using aa-complain and aa-enforce (but not when using
> apparmor_parser).
>
> # aa-enforce usr.sbin.apache2
> ERROR: Profile /usr/sbin/apache2^indexcgi defined twice in
> /etc/apparmor.d/usr.sbin.apache2, last found in line 89
>
> # aa-complain usr.sbin.apache2
> ERROR: Profile /usr/sbin/apache2^indexcgi defined twice in
> /etc/apparmor.d/usr.sbin.apache2, last found in line 89
>

The tools have never properly supported nesting beyond a single child. I assume some of the refactoring to clean them up broke this for you.

> Strangely, loading it with "apparmor_parser -r usr.sbin.apache2"
> is silent, exits with 0, and the profiles are all loaded.
> aa-status shows:
>
> /usr/sbin/apache2
> /usr/sbin/apache2//indexcgi
> /usr/sbin/apache2//indexcgi//enscript
> /usr/sbin/apache2//indexcgi//mutt
> /usr/sbin/apache2//indexcgi//mutt//exim4
> /usr/sbin/apache2//officecgi

The apparmor_parser atm uses a different parsing engine (it's a long term goal to move the parsing to a shared lib).

> But removing it with "apparmor_parser -R usr.sbin.apache2",
> produces:
>
> apparmor_parser: Unable to remove "/usr/sbin/apache2//indexcgi//enscript".
> Profile doesn't exist

:( , that should work. Looks like a bug.

> The structure of the /etc/apparmor.d/usr.sbin.apache2 is:
>
> /usr/sbin/apache2 {
>   ...
>   /var/vwebsites/example.com/index.cgi rCx -> indexcgi,
>   /var/vwebsites/example.com/office/index.cgi rCx -> officecgi,
>   profile indexcgi {
>     ...
>     /usr/bin/enscript Px -> /usr/sbin/apache2//indexcgi//enscript,
>     /usr/bin/mutt Px -> /usr/sbin/apache2//indexcgi//mutt,
>   }
>   profile officecgi {
>     ...
>   }
> }
> profile /usr/sbin/apache2//indexcgi//mutt { # this is line 89
>   ...
>   /usr/sbin/exim4 Px -> /usr/sbin/apache2//indexcgi//mutt//exim4,
> }
> profile /usr/sbin/apache2//indexcgi//mutt//exim4 {
>   ...
> }
> profile /usr/sbin/apache2//indexcgi//enscript {
>   ...
> }

Thanks, we will have to make sure to set up some tests around this.

> The line 89 referred in the error message is the line
> where the profile /usr/sbin/apache2//indexcgi//mutt is
> defined (even though it's saying that that's where the
> previous definition of the /usr/sbin/apache2//indexcgi
> profile occurred).
>
> Is there something wrong with the above?
> Has the syntax changed for nested profiles?

No it hasn't, the code is slowly being cleaned up and you have found a regression.

> I originally tried to put the last three profiles inside
> the parent profile but that syntax wasn't supported at the time
> and I was advised to do it this way.

Correct, more than a single level of nesting is not supported yet.

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
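As an added example (not code from the thread or from the AppArmor project), a small Python check that walks a profile file's brace nesting, derives the kernel-style `parent//child` names, and reports genuine duplicate definitions separately from nesting deeper than the single child level the tools support. The sample profile is a constructed reduction of the layout quoted above; the `flags=(...)` handling and the `check()` name are assumptions of this example.

```python
import re

# Constructed sample modelled on the thread's /etc/apparmor.d/usr.sbin.apache2,
# with rule bodies elided. Not the poster's actual file.
SAMPLE_PROFILE = """\
/usr/sbin/apache2 {
  /var/vwebsites/example.com/index.cgi rCx -> indexcgi,
  /var/vwebsites/example.com/office/index.cgi rCx -> officecgi,
  profile indexcgi {
    /usr/bin/enscript Px -> /usr/sbin/apache2//indexcgi//enscript,
    /usr/bin/mutt Px -> /usr/sbin/apache2//indexcgi//mutt,
  }
  profile officecgi {
  }
}
profile /usr/sbin/apache2//indexcgi//mutt {
  /usr/sbin/exim4 Px -> /usr/sbin/apache2//indexcgi//mutt//exim4,
}
profile /usr/sbin/apache2//indexcgi//mutt//exim4 {
}
profile /usr/sbin/apache2//indexcgi//enscript {
}
"""

# A profile header is "profile NAME {" or a bare "/path {", optionally with flags.
HEADER_RE = re.compile(r'^\s*(?:profile\s+)?(\S+)\s*(?:flags=\([^)]*\)\s*)?\{\s*$')

def collect_profiles(text):
    """Return [(full_name, line_no, depth)] for every profile header in text.

    A child declared inside its parent gets the name parent//child; a header
    already written as a//b//c is kept verbatim. Rule lines end in ',' and
    never match HEADER_RE, so only brace nesting is tracked."""
    stack, found = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = HEADER_RE.match(line)
        if m:
            name = m.group(1)
            full = name if not stack or '//' in name else stack[-1] + '//' + name
            found.append((full, lineno, full.count('//')))
            stack.append(full)
        elif line.strip() == '}' and stack:
            stack.pop()
    return found

def check(text, max_depth=1):
    """List real duplicates and profiles nested deeper than max_depth."""
    seen, problems = {}, []
    for full, lineno, depth in collect_profiles(text):
        if full in seen:
            problems.append(f"duplicate {full}: lines {seen[full]} and {lineno}")
        seen[full] = lineno
        if depth > max_depth:
            problems.append(f"depth {depth} > {max_depth}: {full} (line {lineno})")
    return problems
```

Run against the sample, `check()` reports no duplicates (the "defined twice" error is spurious) but flags the three profiles at depth 2 and 3, which is the nesting the reply says the tools do not yet handle.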