Error message regarding @{exec_path} about apparmor.d HOT 16 CLOSED

Partial installation is supported too. There is a new way to do partial install too, see the readme

This is absolutely great! I haven't tested a full install for my EOS system on Virtualbox yet but I installed some selected profiles on my main machine - and it's working like a breeze 💯 Great work - thanks a lot! I started sponsoring your work.

from apparmor.d.

Hi, Could you try again from the last commit. I cleaned up a bit the pick script. It is not the most well tested way to install profile as I mostly focus on the distribution package. But it should work fine (i was not able to reproduce your issue). I develop this project on arch too ;)

This error message suggest that the profile has no profile name. So, could you ensure the profiles have this following header structure:

@{exec_path} = /{usr/,}bin/keepassxc-proxy
profile keepassxc-proxy @{exec_path} flags=(complain ) {

from apparmor.d.

Hi, Could you try again from the last commit. I cleaned up a bit the pick script.

Yes, indeed! I had forgotten to mention that in the previous version the second @{libexec} line for Debian in ...tunables/extend was not removed leading to another error message. So I did that manually - but this is fixed now!

This error message suggest that the profile has no profile name. So, could you ensure the profiles have this following header structure:

{exec_path} = /{usr/,}bin/keepassxc-proxy
profile keepassxc-proxy @{exec_path} flags=(complain ) {

It looks like this:

@{exec_path} = /{usr/,}bin/keepassxc-proxy
profile keepassxc-proxy @{exec_path} {

Unfortunately, above error message still occurs. As a test I installed the zram-generatorprofile. When I try to set it in complain mode I get the error:

ERROR: Profile for @{exec_path} exists in /etc/apparmor.d/systemd-journald and /etc/apparmor.d/systemd-logind

and the change to complain mode for that profile is not accepted.

EDIT: This error is also shown if I try to execute aa-logprof. It doesn't show up if aa-log is executed, though.

from apparmor.d.

I you sure you reload apparmor with systemctl restart apparmor? Tools like aa-logprof, aa-enforce... are known to break with this project structure. (cf #6)

Also can you try to set the complain mode manually adding flags=(complain) to the profile header?

from apparmor.d.

When I try to set it in complain mode I get the error:

What command exactly do you use?

from apparmor.d.

I you sure you reload apparmor with systemctl restart apparmor? Tools like aa-logprof, aa-enforce... are known to break with this project structure. (cf #6)

Yes, that explains that problem.

Also can you try to set the complain mode manually adding flags=(complain) to the profile header?

Yes, that works. Going without aa-complain and aa-enforce is not that problematic (as long as one doesn't want to switch the mode for a lot of profiles). But I'm not willing to go without aa-logprof. aa-log is nice and well - but I don't want to give up interactively adding rules with aa-logprof.

So, unfortunately, right now I cannot make use of this project as intended. The only way acceptable for me is adding specific profiles and manually removing @{exec_path}. I hope that upstream resolves that problem in the foreseeable future.

from apparmor.d.

Fixed by 603491a

from apparmor.d.

Thanks - but how is that supposed to work? As a test I installed 2 profiles with

sudo ./pick xdg-permission-store xdg-document-portal

and still got

ERROR: Profile for @{exec_path} exists in /etc/apparmor.d/xdg-document-portal and /etc/apparmor.d/xdg-permission-store

when executing, e.g., aa-complain.

EDIT: I also performed a full install in EndeavourOS in Virtualbox. After completion and running sudo aa-logprof I got

ERROR: Profile for @{exec_path} exists in /etc/apparmor.d/zsysd and /etc/apparmor.d/zsys-system-autosnapshot

similar to above.

from apparmor.d.

The pick script does not support this (yet). Regarding the full install, you may have to ensure to properly clean your /etc/apparmor.d directory first. For this, do a apt purge apparmor.d and ensure all the profiles your added manually are removed (as they may still use the @{exec_path}). Then you can install again apparmor.d.

They are also a few issues as you can see in the Github Action. I am still investigating, as my local tests on VMs work fine.

from apparmor.d.

The pick script does not support this (yet).

Okay, eagerly waiting for it 👍

Regarding the full install, you may have to ensure to properly clean your /etc/apparmor.d directory first. For this, do a apt purge apparmor.d and ensure all the profiles your added manually are removed (as they may still use the @{exec_path}). Then you can install again apparmor.d.

I don't think that explains it. It was actually a new installation of EndeavourOS (with KDE Plasma) in a Virtualbox VM with only the standard profiles from the apparmor package and no manually added profiles.

(Sidenote: After rebooting EOS I couldn't get to the login screen - rather, the screen remained black and I had to switch to a TTY with Ctrl-Alt+F3. Since aa-logprof doesn't work and aa-log produced countless entries I haven't had the opportunity yet to find the culprit. Perhaps related to Plasma not being supported ... )

from apparmor.d.

Nevertheless I removed apparmor.d by executing

sudo pacman -Rns apparmor.d-git

rebooted and installed it again but with no success. Above errors remained.

from apparmor.d.

This time it should be fixed.

from apparmor.d.

Partial installation is supported too. There is a new way to do partial install too, see the readme

from apparmor.d.

Also, forgot to mention. KDE is not supported, so there is no way this work out of the box on KDE Plasma. (Adding support for a DE is a LOT of work)

from apparmor.d.

Also, forgot to mention. KDE is not supported, so there is no way this work out of the box on KDE Plasma. (Adding support for a DE is a LOT of work)

Yes, I know! My remark was not meant to be a critique! I hope that I will be able to offer some PRs in the future.

from apparmor.d.

Wow, Thanks a lot.

from apparmor.d.