Unable to apply the AppArmor policy

6 comments

  • Israel Barragan

    I have checked the configuration file and it is the same as you describe here, but I am still having this issue when I reload the apparmor service:

    ╰─# service apparmor reload 
    * Reloading AppArmor profiles AppArmor parser error for /etc/apparmor.d/usr.lib.dovecot.dovecot-lda in /etc/apparmor.d/usr.lib.dovecot.dovecot-lda at line 45: Could not open 'abstractions/postfix-common'
    AppArmor parser error for /etc/apparmor.d/usr.sbin.mysqld in /etc/apparmor.d/usr.sbin.mysqld at line 47: syntax error, unexpected TOK_CLOSE, expecting TOK_END_OF_RULE
    Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
    AppArmor parser error for /etc/apparmor.d/usr.lib.dovecot.dovecot-lda in /etc/apparmor.d/usr.lib.dovecot.dovecot-lda at line 45: Could not open 'abstractions/postfix-common'
    AppArmor parser error for /etc/apparmor.d/usr.sbin.mysqld in /etc/apparmor.d/usr.sbin.mysqld at line 47: syntax error, unexpected TOK_CLOSE, expecting TOK_END_OF_RULE
    Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
    [fail]

    Do you have another clue?

  • Ivan Postnikov

    Hello @Israel, this error message means that there are syntax errors:

    1. Line 45 in /etc/apparmor.d/usr.lib.dovecot.dovecot-lda

    2. Line 47 in /etc/apparmor.d/usr.sbin.mysqld

    As a quick solution, try commenting out the corresponding lines.

    For more information, check the AppArmor documentation.

  • Israel Barragan

    Hi Ivan, thank you for your answer.

    Will commenting out line 45 not cause any other errors in the future? I have removed that line and the error stopped appearing.

    Also, commenting out line 47 did not work; that line was a closing curly brace. So I ran the following command:

    # apparmor_parser -qp /etc/apparmor.d/usr.sbin.mysqld

    and it helped me find my error: I was missing the last comma in the file /etc/apparmor.d/local/usr.sbin.mysqld, like you have it in the resolution. My bad on this.

    Just waiting for your confirmation on line 45 of the file /etc/apparmor.d/usr.lib.dovecot.dovecot-lda

    Regards!

  • Ivan Postnikov

    @Israel, as for the 1st error, make sure that the /etc/apparmor.d/abstractions/postfix-common file exists, has the correct permissions and the following content:

    # ls -l /etc/apparmor.d/abstractions/postfix-common
    -rw-r--r-- 1 root root 1105 Mar 16 08:11 /etc/apparmor.d/abstractions/postfix-common

    # cat /etc/apparmor.d/abstractions/postfix-common
    # ------------------------------------------------------------------
    #
    # Copyright (C) 2002-2005 Novell/SUSE
    # Copyright (C) 2015 Canonical, Ltd.
    #
    # This program is free software; you can redistribute it and/or
    # modify it under the terms of version 2 of the GNU General Public
    # License published by the Free Software Foundation.
    #
    # ------------------------------------------------------------------
    # used with postfix/*


    capability setuid,
    capability setgid,
    capability sys_chroot,

    # postfix's master can send us signals
    signal receive peer=/usr/lib/postfix/master,

    unix (send, receive) peer=(label=/usr/lib/postfix/master),

    /etc/mailname r,
    /etc/postfix/*.cf r,
    /etc/postfix/*.db r,
    @{PROC}/net/if_inet6 r,
    /usr/lib/postfix/*.so mr,
    /usr/lib{,32,64}/sasl2/* mr,
    /usr/lib{,32,64}/sasl2/ r,
    /usr/lib/@{multiarch}/sasl2/* mr,
    /usr/lib/@{multiarch}/sasl2/ r,

    /var/spool/postfix/etc/* r,
    /var/spool/postfix/lib/lib*.so* mr,
    /var/spool/postfix/lib/@{multiarch}/lib*.so* mr,

  • Israel Barragan

    Hi Ivan, I apologize for the late response. Since commenting/removing the lines of code seemed to work, I left the system running, but I could not leave the thread gone. I checked what you said about the abstractions menu.

    /etc/apparmor.d/abstractions/postfix-common

    but apparently on my server I don't have that file. Any other suggestions besides commenting the line of code?

  • Ivan Postnikov

    Hello @Israel,

    Try to create it manually. The required permissions and content may be found in my previous reply.
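
The two failures diagnosed in this thread (an include that cannot be opened, and a rule without its trailing comma in a local/ override) can be caught before a reload. The following is an added example, not part of the original thread; the function names are hypothetical, and it assumes <...> includes resolve against a single base directory.

```shell
#!/bin/sh
# Added example, not from the thread: pre-reload checks for the two parser
# failures above. Assumption: <...> includes resolve against one base
# directory (/etc/apparmor.d by default). The checks are heuristics;
# apparmor_parser remains the authority.

# Report include targets in profile $2 that are absent under base dir $1.
# "include if exists <...>" is not matched: a missing file is tolerated there.
missing_includes() (
    sed -nE 's/^[[:space:]]*#?include[[:space:]]+<([^>]+)>.*/\1/p' "$2" |
    while IFS= read -r target; do
        [ -e "$1/$target" ] || printf "%s: could not open '%s'\n" "$2" "$target"
    done
)

# Report rule lines in a rules-only file (such as a local/ override) that do
# not end with a comma. Comments, blank lines, include directives, variable
# assignments and lines ending in { or } are skipped.
rules_missing_comma() {
    awk '
        { line = $0
          sub(/[ \t]+#.*$/, "", line)            # drop trailing comment
          gsub(/^[ \t]+|[ \t]+$/, "", line) }
        line == "" || line ~ /^#/ || line ~ /^include[ \t]/ { next }
        line ~ /^[@$][{]/ || line ~ /[{}]$/ { next }
        line !~ /,$/ { printf "%s:%d: no trailing comma: %s\n", FILENAME, NR, line }
    ' "$1"
}

# Run both checks over a profile tree; status is non-zero if anything is found.
check_tree() (
    base=${1:-/etc/apparmor.d}
    found=0
    for f in "$base"/*; do
        [ -f "$f" ] || continue
        out=$(missing_includes "$base" "$f")
        [ -z "$out" ] || { printf '%s\n' "$out"; found=1; }
    done
    for f in "$base"/local/*; do
        [ -f "$f" ] || continue
        out=$(rules_missing_comma "$f")
        [ -z "$out" ] || { printf '%s\n' "$out"; found=1; }
    done
    [ "$found" -eq 0 ]
)
```

Calling check_tree with no argument scans /etc/apparmor.d; anything it reports can then be confirmed with the apparmor_parser -qp command used earlier in the thread.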
