[Apparmor-general] "alias" not supported on 11.0?
John Johansen
jjohansen at suse.de
Mon Sep 15 17:20:36 MDT 2008
Christian Boltz wrote:
> Hello,
>
> I tried the following line in tunables/global:
>
> alias /tmp/ -> /home/tmp/,
>
> The result is:
> AppArmor parser error in /etc/apparmor.d/usr.sbin.ntpd at line 72:
> syntax error, unexpected TOK_ALIAS, expecting TOK_ID or TOK_COLON
>
Aliases should work in the tunables file; however, having tested this,
there is a bug that requires them to appear before any variable
definitions (just opened it as bnc#426461).
> Did I do something wrong?
Possibly, but odds are it's the bug mentioned above.
> Do I have to write these rules only to tunables/alias (which isn't
> included anywhere and doesn't exist yet)? (Will this file be used?)
No, they don't have to be there; it was just a recommended standard
location. The file was supposed to be added, but it didn't happen for
various reasons.
> Or is the statement on
> http://en.opensuse.org/AppArmor/Changes_AppArmor_2_3#Alias_rules
> that 11.0 supports alias rules wrong?
>
No, though it is incomplete. Alias rules as currently implemented are
supposed to have the same basic limitations as variable definitions.
That is, they must appear before a profile is defined. So you can define
them at the head of a file or in an include (like tunables/global) that
is included at the head of a profile.
However, there is a bug in the parser that forces the aliases to appear
before variable definitions.
> BTW: I see the same error message with the updated parser and utils
> package you (John) have sent me, so this might also affect 11.1...
>
Yep, the bug's in both; thankfully it is very easy to fix.
>
> Unrelated sidenote: please also have a look at bug 426159...
>
Yes, it's an interesting problem. I am looking for feedback on how best
to address this.
thanks
john
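
Added example (not part of the original message, and not AppArmor project code): a small lint that flags alias rules placed after a variable definition (the ordering that hits bnc#426461) or after a profile has started. The regexes are a simplified approximation of AppArmor syntax, the file contents are constructed samples, and includes are resolved from an in-memory dict rather than /etc/apparmor.d.

```python
import re

# Simplified patterns (assumption: enough for typical preamble lines).
ALIAS = re.compile(r'^alias\s+\S+\s*->\s*\S+\s*,$')
VARDEF = re.compile(r'^[@$]\{?\w+\}?\s*\+?=')
PROFILE = re.compile(r'^(profile\s+\S+|/\S+)[^,]*\{$')
INCLUDE = re.compile(r'^#?include\s+<([^>]+)>$')

def flatten(name, files):
    """Yield (file, lineno, line) with known #include <...> expanded in place."""
    for n, raw in enumerate(files[name].splitlines(), 1):
        line = raw.strip()
        m = INCLUDE.match(line)
        if m and m.group(1) in files:
            yield from flatten(m.group(1), files)
        elif line and not line.startswith('#'):
            yield name, n, line

def check_alias_order(name, files):
    """Return (file, lineno, reason) for every misplaced alias rule."""
    findings, first_var, profile_seen = [], None, False
    for src, n, line in flatten(name, files):
        if PROFILE.match(line):
            profile_seen = True
        elif VARDEF.match(line):
            first_var = first_var or (src, n)
        elif ALIAS.match(line):
            if profile_seen:
                findings.append((src, n, "alias after profile start"))
            elif first_var:
                findings.append((src, n,
                    "alias after variable definition at %s:%d" % first_var))
    return findings

# Constructed sample: the alias follows an include that defines @{HOME}.
FILES = {
    "tunables/home": "@{HOME}=/home/*/ /root/\n",
    "tunables/global": "#include <tunables/home>\nalias /tmp/ -> /home/tmp/,\n",
    "usr.sbin.ntpd": "#include <tunables/global>\n/usr/sbin/ntpd {\n  /etc/ntp.conf r,\n}\n",
}
# Same files with the alias moved ahead of every variable definition.
FIXED = dict(FILES, **{
    "tunables/global": "alias /tmp/ -> /home/tmp/,\n#include <tunables/home>\n"})

if __name__ == "__main__":
    for label, files in (("original", FILES), ("reordered", FIXED)):
        print(label, check_alias_order("usr.sbin.ntpd", files))
```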