
I'm new to AppArmor. I'm trying to create a more restrictive AppArmor configuration for my Plex server. I used ChatGPT to walk me through this process, but it has seemingly broken my AppArmor install altogether.

Steps so far:

  1. It had me install the following: sudo apt install apparmor apparmor-utils apparmor-profiles apparmor-profiles-extra
  2. It had me create a pretty standard apparmor profile
  3. It had me run sudo apparmor_parser -r /etc/apparmor.d/docker-plex
  4. The offending line calls <include tunables/global> to which I get the following output: AppArmor parser error for /etc/apparmor.d/docker-plex in profile /etc/apparmor.d/tunables/home at line 15: syntax error, unexpected TOK_EQUALS, expecting TOK_MODE
  5. When I look in tunables/home at line 15, I see the following @{HOMEDIRS}=/home/
  6. ChatGPT says this formatting is correct and I shouldn't be getting this error, which makes sense because it's a system file I've never touched
  7. Now apparmor fails on system start. Systemctl shows it failing because of the above error.

No idea what's going on here. I've spent quite a few hours on this problem and have gotten nowhere. Any help is appreciated.

Other info: I'm on the latest Debian 13.1 and it's a fresh install

  • Lesson learned: Do not use LLMs without verification from an expert HUMAN. Commented Oct 14 at 9:35

1 Answer


The error message suggests the inclusion happens in a context that requires specifying the permissions that should apply when the binary the profile applies to is trying to access the directories referred to, but instead it's encountering something that tries to adjust the set of directories @{HOMEDIRS} refers to.

I'm guessing that you've probably misplaced the include <tunables/global> line: it should be before the profile ... { ... } group, not within it.

If we could see the apparmor profile you've written, there would be no need for guessing. If e.g. the names of files and/or directories are sensitive, feel free to replace them with generic ones, but please choose them so that we can still understand whether a pathname is supposed to refer to an executable file, non-executable file, or a directory.
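A quick way to check for the misplacement the answer suspects before handing a profile to apparmor_parser. This is an added example, not code from the question or the answer: a small Python lint that flags `include <tunables/...>` lines and `@{VAR}=` assignments that sit inside a profile's `{ ... }` block, since AppArmor only accepts variable definitions at global scope, which is why pulling tunables/home in at profile scope fails on its `@{HOMEDIRS}=/home/` line. The sample profiles, the profile name `docker-plex` and the rules in them are constructed for illustration, and `find_misplaced_globals` is a hypothetical helper.

```python
import re

# Constructed sample, not the asker's profile: the include is placed inside the
# profile block, which is the misplacement the answer suspects.
BAD_PROFILE = """\
profile docker-plex flags=(attach_disconnected,mediate_deleted) {
  include <tunables/global>
  include <abstractions/base>
  network inet tcp,
  /config/** rw,
  @{HOME}/media/** r,
}
"""

# Same rules with the include moved to global scope, before the profile block.
GOOD_PROFILE = "include <tunables/global>\n\n" + BAD_PROFILE.replace(
    "  include <tunables/global>\n", "")

INCLUDE_RE = re.compile(r'^#?include\s+(?:if exists\s+)?[<"]([^>"]+)[>"]')
ASSIGN_RE = re.compile(r'^@\{\w+\}\s*\+?=')

def _strip_comment(line):
    # Keep '#include' directives intact; otherwise drop trailing '#' comments.
    s = line.strip()
    return s if s.startswith('#include') else s.split('#', 1)[0].strip()

def find_misplaced_globals(text):
    """Return (line_no, reason) for tunables includes and @{VAR}= assignments
    found inside a profile block, where apparmor_parser rejects them.
    Assumption: a block opens on a line ending in '{' and closes on a bare '}',
    so brace alternations in path globs such as /usr/{bin,sbin}/ are ignored."""
    findings = []
    depth = 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = _strip_comment(raw)
        if not line:
            continue
        if depth > 0:
            m = INCLUDE_RE.match(line)
            if m and m.group(1).startswith('tunables/'):
                findings.append((n, f"include <{m.group(1)}> inside profile block"))
            elif ASSIGN_RE.match(line):
                findings.append((n, f"variable assignment inside profile block: {line}"))
        if line.endswith('{'):
            depth += 1
        elif line == '}':
            depth = max(depth - 1, 0)
    return findings
```

Run `find_misplaced_globals(open("/etc/apparmor.d/docker-plex").read())` on the real file; an empty list means the tunables include is at top level and the parser error must come from elsewhere.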
