[pkg-apparmor] Bug#1095741: apparmor.d/tunables/home syntax error renders apparmor unable to start

[Christian Boltz]

Hello,

Am Dienstag, 11. Februar 2025, 12:50 schrieb Richard:
> ther's some issue with the file /etc/apparmor.d/tunables/home. When
> trying to start the apparmor.service, it throws this error:
> 
> AppArmor parser error for /etc/apparmor.d in profile
> /etc/apparmor.d/tunables/home at line 15: syntax error, unexpected
> TOK_EQUALS, expecting TOK_MODE
> 
> 
> As requested in Bug#1089225, I'm attaching a copy of /etc/apparmor.d/.

The problem is in several of your local/* files. These files are meant to 
have some rules in them, random example local/foobar could have this 
content:

    /foo r,
    /bar rw,

(and nothing else)

However, several of your local/* files contain a full profile including 
headers. Now the local/* files get included inside the main profile (for 
example, sbin.dhclient includes local/sbin.dhclient) which means the
  include <tunables/global>
inside the local/* file gets included _inside_ the profile - and that's 
not allowed because variable definitions have to be in the header/
preamble.

Long story short: please fix your local/* files - for example by

grep -l '{$' local/* | while read file ; do
    echo '# now empty' > "$file"
done

Important: This will overwrite the content of several of your local/* 
files. Having a backup can't hurt ;-)


Oh, and there's nothing wrong with your tunables/ files ;-)


Regards,

Christian Boltz
-- 
Ultimately, I'm the one who has to respond to bug reports against
them and deal with any fallout, and I sleep pretty well.
[Jeff Mahoney in opensuse-factory]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part.
URL: <http://alioth-lists.debian.net/pipermail/pkg-apparmor-team/attachments/20250211/3c650e32/attachment-0001.sig>