AppArmor

Profile does not accept variables in its name

Bug #1531044 reported by Pedro Ribeiro on 2016-01-05

This bug affects 2 people

Affects		Status	Importance	Assigned to	Milestone
	AppArmor	New	Undecided	Unassigned

Bug Description

I have a tunables/sdb file that is defined as such:
@{SDB} = "/media/msata"

Then I include this file in one of my profiles:
#include <tunables/global>
#include <tunables/sdb>

@{SDB}/plex/usr/sbin/start_pms {
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/fonts>
  #include <abstractions/nameservice>
  #include <abstractions/user-tmp>
  #include <abstractions/user-write>

capability setgid,
capability setuid,

@{SDB}/plex/** rwlkPix,
"@{SDB}/Movies/**" r,

(...)

When parsing the profile above, apparmor will fail with:
apparmor[30579]: AppArmor parser error for /etc/apparmor.d/plex_media_server in /etc/apparmor.d/plex_media_server at line 35: Profile names must begin with a '/', namespace or keyword 'profile' or 'hat'.

Variables should be accepted as part of a profile name - this will make scalability / maintenance much easier.

Tags:

Revision history for this message

Pedro Ribeiro (pedrib) wrote on 2016-01-05:

Just to clarify, if I change the profile name to
/media/msata/plex/usr/sbin/start_pms

The profile will load fine and apparmor won't complain any more.

Revision history for this message

Christian Boltz (cboltz) wrote on 2016-01-05:

Variables are valid in the profile name, however they are not accepted at the beginning of the profile name (which is a bug).

Workaround: do as the error message tells you ;-) - /@{SDB}/plex/usr/sbin/start_pms works (note the added / in front of the variable)

tags:

added: aa-parser

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.