Apparmor enforce mode not enforcing all profiles

Bug #1459771 reported by Newaye
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
apparmor (Ubuntu) | New | Undecided | Unassigned |

Bug Description

I'm having difficulties transferring over all my apparmor profiles into enforcing mode (sudo aa-enforce /etc/apparmor.d/*). For some reason, when I enter them in manually one at a time it works; however, it's still buggy with certain profiles that are listed in complain mode. Any help would be appreciated. I've copied over the terminal error messages with codes. See below.

netuser-pc@netuser-pc:~$ sudo aa-enforce /etc/apparmor.d/*
Profile for /etc/apparmor.d/abstractions not found, skipping
Traceback (most recent call last):
  File "/usr/sbin/aa-enforce", line 30, in <module>
    tool.cmd_enforce()
  File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 153, in cmd_enforce
    apparmor.read_profiles()
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2564, in read_profiles
    read_profile(profile_dir + '/' + file, True)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2590, in read_profile
    profile_data = parse_profile_data(data, file, 0)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2843, in parse_profile_data
    store_list_var(filelist[file]['lvar'], list_var, value, var_operation)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 3274, in store_list_var
    raise AppArmorException(_('An existing variable redefined: %s') % list_var)
apparmor.common.AppArmorException: 'An existing variable redefined: @{MOZ_LIBDIR}'

Copy of 20 profiles in complain mode that need to be altered to enforce. See below.

20 profiles are in complain mode.
   /sbin/klogd
   /sbin/syslog-ng
   /sbin/syslogd
   /usr/lib/chromium-browser/chromium-browser
   /usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox
   /usr/lib/chromium-browser/chromium-browser//lsb_release
   /usr/lib/chromium-browser/chromium-browser//xdgsettings
   /usr/lib/dovecot/deliver
   /usr/lib/dovecot/dovecot-auth
   /usr/lib/dovecot/imap
   /usr/lib/dovecot/imap-login
   /usr/lib/dovecot/managesieve-login
   /usr/lib/dovecot/pop3
   /usr/lib/dovecot/pop3-login
   /usr/sbin/dovecot
   /usr/sbin/identd
   /usr/sbin/mdnsd
   /usr/sbin/nscd
   /usr/{sbin/traceroute,bin/traceroute.db}
   /{usr/,}bin/ping

Any ideas?

-Newaye

Seth Arnold (seth-arnold) wrote :

A fix for this issue is in progress: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1449769

In the meantime you can hand-edit the policies to remove the complain flag and reload them with apparmor_parser --replace /etc/apparmor.d/...

Sorry for the inconvenience.
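
One way to script the hand-edit described in the comment above, as an added example (not code from this bug report or from the AppArmor project). It assumes the flag is written as flags=(...) on the profile header line; the function names and the sample profile are constructed for illustration.

```python
import re
import sys

# Assumption: the flags clause is written as flags=(...) on the header line.
FLAGS_RE = re.compile(r"([ \t]*)flags\s*=\s*\(([^)]*)\)")

def _rewrite(match):
    flags = [f for f in re.split(r"[,\s]+", match.group(2)) if f]
    kept = [f for f in flags if f != "complain"]
    if len(kept) == len(flags):
        return match.group(0)      # no complain flag in this clause
    if not kept:
        return ""                  # complain was the only flag: drop the clause
    return match.group(1) + "flags=(" + ", ".join(kept) + ")"

def strip_complain(text):
    """Return profile text with 'complain' removed from profile header flags."""
    out = []
    for line in text.splitlines(keepends=True):
        body = line.strip()
        # Only touch profile/hat headers (they end with '{'), never comments.
        if body.endswith("{") and not body.startswith("#"):
            line = FLAGS_RE.sub(_rewrite, line)
        out.append(line)
    return "".join(out)

def enforce_file(path):
    """Rewrite one profile file in place; return True if it changed."""
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    updated = strip_complain(original)
    if updated != original:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(updated)
    return updated != original

# Constructed sample, not a real shipped profile.
SAMPLE = """#include <tunables/global>
# flags=(complain) in a comment stays {
/usr/sbin/nscd flags=(complain) {
  /etc/nscd.conf r,
}
/usr/sbin/mdnsd flags=(attach_disconnected, complain) {
}
"""

if __name__ == "__main__":
    for path in sys.argv[1:]:
        if enforce_file(path):
            print("edited; reload with: apparmor_parser --replace " + path)
```

Run it as root against a backed-up copy of the profile files first; each edited file still has to be reloaded with apparmor_parser --replace before the kernel enforces it.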

information type: Private Security → Public
Newaye (ndanielishere) wrote :

I'm all set. Latest patch apparently fixed this issue. We're good to go. Thanks.

-Newaye
