Apparmor service failing in debian-13-xfce template

dcartier · January 30, 2026, 12:23pm

It appears that recent updates to the debian-13-xfce template are causing the AppArmor service to fail to load. I noticed it when I switched my default-dvm to being a Debian based one, and the preloaded disposables all failed to load. When I investigated, I found that a DVM based on the Debian template that I launched 6 days ago, and still had open, had no issue, but a DVM launched today has the failure. Anyone else seeing this? Is this an upstream error or something in the Qubes updates that caused it?

I compared the file that it is showing as having a syntax error in, and it is identical between the working and non-working DVM. I should add, this is on R4.3.0

ludovic · January 30, 2026, 3:14pm

If you want help, you should provide the /etc/apparmor.d/tunables/home file content.

dcartier · January 30, 2026, 3:45pm

Sure here is the contents.

# ------------------------------------------------------------------
#
#    Copyright (C) 2006-2009 Novell/SUSE
#    Copyright (C) 2010 Canonical Ltd.
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

# @{HOMEDIRS} is a space-separated list of where user home directories
# are stored, for programs that must enumerate all home directories on a
# system.
@{HOMEDIRS}=/home/

# @{HOME} is a space-separated list of all user home directories. While
# it doesn't refer to a specific home directory (AppArmor doesn't
# enforce discretionary access controls) it can be used as if it did
# refer to a specific home directory
@{HOME}=@{HOMEDIRS}/*/ /root/

# Also, include files in tunables/home.d for site-specific adjustments
include if exists <tunables/home.d>

As mentioned in my original post, the file in question is identical between the working and non-working instance. I also checked the AppArmor Debian packages and there were no changes to those in the template between launching the 2 instances.

ludovic · January 30, 2026, 6:19pm

I edited your post to change the formating (from quote post ‘>’ to text block with the ‘```’)

So the line 15 is :

@{HOMEDIRS}=/home/

What is the syntax error full message (truncated in your image screenshot) ?

dcartier · January 30, 2026, 8:33pm

The truncated line said “syntax error: unexpected TOK_EQUALS, expecting TOK_MODE”

ludovic · January 30, 2026, 10:19pm

You should follow this Debian forum related topic ( only a 3 days old topic …) :

https://forums.debian.net/viewtopic.php?t=165501

In my search, I found also other related entries…

The apparmor_parser -p option checks the syntax of the provided file as argument.

ludovic · January 30, 2026, 10:26pm

The Debian related issue reports a librewolf profile bug :

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126564

dcartier · January 31, 2026, 10:09am

Thanks for your help on this ludovic. It is indeed the librewolf bug that is the cause for me. It must have cropped up in the last few days. The DVM launched 8 days ago is running librewolf and the apparmor loads, and the recently launched one the apparmor fails until I move the librewolf profile away, and then apparmor loads.

I will move the librewolf profile out of the way in my template and wait for them to patch the issue.

dcartier · January 31, 2026, 12:49pm

OK, the way to fix it, is to delete the librewolf file in the /etc/apparmor.d/local directory, not the one in the /etc/apparmor.d directory. The version of the file in local is a mistake and should be removed.