aa-complain cupsd produces traceback indicating error

Bug #1387775 reported by mike-g2
This bug affects 1 person
Affects: AppArmor
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

Running

$ sudo aa-complain cupsd

Produces

Traceback (most recent call last):
  File "/usr/sbin/aa-complain", line 30, in <module>
    tool.cmd_complain()
  File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 171, in cmd_complain
    apparmor.read_profiles()
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2564, in read_profiles
    read_profile(profile_dir + '/' + file, True)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2590, in read_profile
    profile_data = parse_profile_data(data, file, 0)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2994, in parse_profile_data
    load_include(include_name)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 4520, in load_include
    incdata = parse_profile_data(data, incfile, True)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2994, in parse_profile_data
    load_include(include_name)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 4520, in load_include
    incdata = parse_profile_data(data, incfile, True)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2991, in parse_profile_data
    load_include(file_name)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 4520, in load_include
    incdata = parse_profile_data(data, incfile, True)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2839, in parse_profile_data
    store_list_var(profile_data[profile]['lvar'], list_var, value, var_operation)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 3279, in store_list_var
    raise AppArmorException(_('Values added to a non-existing variable: %s') % list_var)
apparmor.common.AppArmorException: 'Values added to a non-existing variable: @{HOMEDIRS}'

Background: I am running 14.04 on an x86_64 machine (a MacPro 3,1) and trying to install some Brother printer drivers. Kernel is 3.13.0-36-generic #63-Ubuntu SMP. My original /etc/apparmor.d/tunables/home file looked like

----------------------------------------------------------------------------------------------------------------------------
# ------------------------------------------------------------------
#
# Copyright (C) 2006-2009 Novell/SUSE
# Copyright (C) 2010 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

# @{HOME} is a space-separated list of all user home directories. While
# it doesn't refer to a specific home directory (AppArmor doesn't
# enforce discretionary access controls) it can be used as if it did
# refer to a specific home directory
@{HOME}=@{HOMEDIRS}/*/ /root/

# @{HOMEDIRS} is a space-separated list of where user home directories
# are stored, for programs that must enumerate all home directories on a
# system.
@{HOMEDIRS}=/home/

# Also, include files in tunables/home.d for site-specific adjustments to
# @{HOMEDIRS}.
#include <tunables/home.d>
--------------------------------------------------------------------------------------------------------------------------------
The setup of this file didn't make sense given that HOMEDIRS is invoked before it is defined, so I reordered the commands and replaced /etc/apparmor.d/tunables/home with the following file

--------------------------------------------------------------------------------------------------------------------------------
# ------------------------------------------------------------------
#
# Copyright (C) 2006-2009 Novell/SUSE
# Copyright (C) 2010 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

# @{HOME} is a space-separated list of all user home directories. While
# it doesn't refer to a specific home directory (AppArmor doesn't
# enforce discretionary access controls) it can be used as if it did
# refer to a specific home directory
# mikeg: commented following line out 10/2014 and copied below
#@{HOME}=@{HOMEDIRS}/*/ /root/

# @{HOMEDIRS} is a space-separated list of where user home directories
# are stored, for programs that must enumerate all home directories on a
# system.
@{HOMEDIRS}=/home/

# Also, include files in tunables/home.d for site-specific adjustments to
# @{HOMEDIRS}.
# mikeg: removed commenting on 10/30/14 but it produced some errors.
#include <tunables/home.d>

# mikeg: copied text from above 10/30/2014 since it calls @HOMEDIRS
# this seemed to fix the problem with aa-complain cupsd
#
# @{HOME} is a space-separated list of all user home directories. While
# it doesn't refer to a specific home directory (AppArmor doesn't
# enforce discretionary access controls) it can be used as if it did
# refer to a specific home directory
@{HOME}=@{HOMEDIRS}/*/ /root/

Tags: aa-tools
Christian Boltz (cboltz) wrote :

The error message indicates that you _add_ something to @{HOMEDIRS} before it's defined, for example
@{HOMEDIRS}+=/foo/ # notice the +=

Please paste the result of grep -r HOMEDIRS /etc/apparmor.d/

BTW: Which AppArmor version are you using?

tags: added: aa-tools
mike-g2 (mikeg-utk) wrote :

Output from

$ sudo grep -r HOMEDIRS /etc/apparmor.d/
/etc/apparmor.d/abstractions/bash: @{HOMEDIRS} r,
/etc/apparmor.d/abstractions/base: owner @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk,
/etc/apparmor.d/tunables/home:#@{HOME}=@{HOMEDIRS}/*/ /root/
/etc/apparmor.d/tunables/home:# @{HOMEDIRS} is a space-separated list of where user home directories
/etc/apparmor.d/tunables/home:@{HOMEDIRS}=/home/
/etc/apparmor.d/tunables/home:# @{HOMEDIRS}.
/etc/apparmor.d/tunables/home:# mikeg: copied text from above 10/30/2014 since it calls @HOMEDIRS
/etc/apparmor.d/tunables/home:@{HOME}=@{HOMEDIRS}/*/ /root/
/etc/apparmor.d/tunables/home.d/ubuntu:# here are appended to @{HOMEDIRS}. See tunables/home for details.
/etc/apparmor.d/tunables/home.d/ubuntu:@{HOMEDIRS}+=/export/home/

Regarding which version, I can't figure out how to determine the version from the command line, but looking at the deb package it says
           Version: 2.8.95~2430-0ubuntu5

Christian Boltz (cboltz) wrote :

/etc/apparmor.d/tunables/home:@{HOMEDIRS}=/home/
/etc/apparmor.d/tunables/home.d/ubuntu:@{HOMEDIRS}+=/export/home/

You hit a known bug - see bug 1331856 for details.

Workaround: comment the line in tunables/home.d/ubuntu and add /export/home directly in tunables/home

mike-g2 (mikeg-utk) wrote :

Thanks Christian. For anyone else having this problem, here's a copy of /etc/apparmor.d/tunables/home that worked for me

# ------------------------------------------------------------------
#
# Copyright (C) 2006-2009 Novell/SUSE
# Copyright (C) 2010 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

# @{HOME} is a space-separated list of all user home directories. While
# it doesn't refer to a specific home directory (AppArmor doesn't
# enforce discretionary access controls) it can be used as if it did
# refer to a specific home directory
# mikeg: commented following line out 10/2014 and copied below
#@{HOME}=@{HOMEDIRS}/*/ /root/

# @{HOMEDIRS} is a space-separated list of where user home directories
# are stored, for programs that must enumerate all home directories on a
# system.
@{HOMEDIRS}=/home/ /export/home/

# Also, include files in tunables/home.d for site-specific adjustments to
# @{HOMEDIRS}.
# mikeg: removed commenting on 10/30/14 but it produced some errors.
#include <tunables/home.d>

# mikeg: copied text from above 10/30/2014 since it calls @HOMEDIRS
# this seemed to fix the problem with aa-complain cupsd
#
# @{HOME} is a space-separated list of all user home directories. While
# it doesn't refer to a specific home directory (AppArmor doesn't
# enforce discretionary access controls) it can be used as if it did
# refer to a specific home directory
@{HOME}=@{HOMEDIRS}/*/ /root/
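
The assignment order discussed in this thread, as an added example that is not part of the original report or of the AppArmor tools: a minimal Python check that follows includes and flags any += read before the variable's = line. The in-memory file trees, the function name check_variables and the name-sorted order for directory includes are assumptions of this sketch.

```python
import re

# "@{VAR}=..." defines a variable, "@{VAR}+=..." appends to an existing one.
ASSIGN = re.compile(r'^\s*(@\{\w+\})\s*(\+?=)\s*(.*)$')
# AppArmor accepts both "include <x>" and the older "#include <x>" spelling,
# so a leading '#' does not turn an include line into a comment.
INCLUDE = re.compile(r'^\s*#?include\s+<([^>]+)>')

def check_variables(files, start, defined=None, findings=None):
    """Walk files (path -> text) from start in include order; return (defined,
    findings), one (path, line_no, variable) finding per '+=' before its '='."""
    defined = {} if defined is None else defined
    findings = [] if findings is None else findings
    for line_no, line in enumerate(files[start].splitlines(), 1):
        inc = INCLUDE.match(line)
        if inc:
            target = inc.group(1)
            # Assumption: a directory include reads each file below it by name.
            children = sorted(p for p in files if p.startswith(target + '/'))
            for path in ([target] if target in files else children):
                check_variables(files, path, defined, findings)
            continue
        m = ASSIGN.match(line)
        if not m:
            continue
        name, op, values = m.group(1), m.group(2), m.group(3).split()
        if op == '=':
            defined[name] = values
        elif name in defined:
            defined[name] += values
        else:
            findings.append((start, line_no, name))
    return defined, findings

# Constructed inputs, reduced to the assignment and include lines on this page.
REPORTED = {
    'tunables/home': '@{HOME}=@{HOMEDIRS}/*/ /root/\n@{HOMEDIRS}=/home/\n'
                     '#include <tunables/home.d>\n',
    'tunables/home.d/ubuntu': '@{HOMEDIRS}+=/export/home/\n',
}
# Constructed counter-case: the append is read before the definition.
APPEND_FIRST = {
    'tunables/home': '#include <tunables/home.d>\n@{HOMEDIRS}=/home/\n',
    'tunables/home.d/ubuntu': '@{HOMEDIRS}+=/export/home/\n',
}

if __name__ == '__main__':
    for label, tree in (('reported', REPORTED), ('append-first', APPEND_FIRST)):
        print(label, check_variables(tree, 'tunables/home'))
```

The layout from this report yields no finding, which matches the reply that the traceback comes from a known bug in the tools; only the constructed append-first tree is flagged, at tunables/home.d/ubuntu line 1.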
