On 2/9/24 10:53, cati55 wrote:
When apparmor logs events with audit type AVC, the logs cannot be found by 
usual audit tools because the entry is malformed, as stated in this auditd 
bug report:
https://github.com/linux-audit/audit-userspace/issues/351#issuecomment-1932211875

To quote the maintainer:

If they are going to emit an access decision as an AVC, it has to exactly 
follow the format of an SE Linux AVC. The AppArmor kernel developers were given 
the AUDIT type block from 1500 to 1599 a long time ago so that they can format 
their events any way they wish. The AVC they are using is type number 1400. 
They should really define AUDIT_AA_DECISION 1500 (or whatever makes sense to 
AppArmor) and then use that.

The problem is, and this has been brought up before, apparmor used to use 1500. 
It was the id assigned to apparmor messages. Unfortunately that got changed on 
us to share selinux's 1400, and we were told to use that. This was done without 
changes to the message format and while apparmor messages can be made to be 
closer to the selinux format, apparmor messages will never fit entirely into 
the SE Linux AVC format.

I don't disagree that we should move back to 1500. We brought this up again 
about 5 years ago, and were basically told no.

It took me a few days to figure this one out and that didn't make apparmor 
easier to debug. If there is anything in regards to testing I can help with to 
solve this bug, please let me know.


No, it doesn't make apparmor easier to debug. Really it's a pita if 
you are used to using auditd, or some of the journalctl syntax around selinux. 
There are workaround commands, and ways to cope, but you have to learn them.

More than willing to take any help fixing this. It basically comes down to 
moving back to the 1500 range, which is a small kernel patch, and getting auditd 
to take in support for it. It is something that we should wait on doing for a 
bit as we are making some changes to the apparmor format to make some of the 
fields more common. There are a couple of odd ones that need some improvement.
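As an added example of the kind of workaround the reply refers to (not code from this thread, nor from the AppArmor or audit-userspace projects), here is a small Python parser that accepts type=AVC records in both the SELinux layout and AppArmor's key="value" layout, so denials from either LSM can be pulled out of the same log. All function names are the example's own, and the sample log lines are constructed.

```python
import re

# Both SELinux and AppArmor emit access decisions as type=AVC (audit type 1400),
# but the body after msg=audit(...) differs: SELinux uses the fixed
# "avc:  denied  { perms } for  key=value ..." layout; AppArmor emits key="value" pairs.
_HEADER = re.compile(r'^type=(\S+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)$')
_SELINUX = re.compile(r'^avc:\s+(\w+)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def _fields(text):
    """Split 'k=v k2="v 2"' text into a dict; quoted and bare values both accepted."""
    return {k: (q or b) for k, q, b in _KV.findall(text)}

def parse_avc(line):
    """Normalise one type=AVC line from either LSM; None for any other record type."""
    m = _HEADER.match(line.strip())
    if not m or m.group(1) != 'AVC':
        return None
    rec = {'timestamp': float(m.group(2)), 'serial': int(m.group(3))}
    sel = _SELINUX.match(m.group(4))
    if sel:  # SELinux: decision and permission set precede the key=value fields
        return dict(rec, lsm='selinux', result=sel.group(1).upper(),
                    perms=sel.group(2).split(), fields=_fields(sel.group(3)))
    fields = _fields(m.group(4))
    if 'apparmor' not in fields:  # type=AVC from some other source: keep raw fields
        return dict(rec, lsm='unknown', result='', perms=[], fields=fields)
    # AppArmor: decision is the apparmor= value; the permission set is a mask
    # string such as "rw", expanded here into one entry per character.
    mask = fields.get('denied_mask') or fields.get('requested_mask', '')
    return dict(rec, lsm='apparmor', result=fields['apparmor'].upper(),
                perms=list(mask), fields=fields)

def denials(lines):
    """Every denial from either LSM, summarised with the same keys."""
    out = []
    for rec in filter(None, map(parse_avc, lines)):
        if rec['result'] == 'DENIED':
            f = rec['fields']
            out.append({'lsm': rec['lsm'], 'pid': int(f.get('pid', -1)), 'comm': f.get('comm', ''),
                        'target': f.get('name', ''), 'perms': rec['perms']})
    return out

# Constructed sample records (not from any real system); same header, different bodies.
SAMPLE_LOG = [
    'type=AVC msg=audit(1707472380.101:201): avc:  denied  { read write } for  pid=4242 comm="cat" name="shadow" dev="sda1" ino=1337 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1707472381.555:202): apparmor="DENIED" operation="open" profile="/usr/bin/example" name="/etc/shadow" pid=4243 comm="example" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    'type=AVC msg=audit(1707472382.000:203): apparmor="ALLOWED" operation="open" profile="/usr/bin/example" name="/etc/hosts" pid=4243 comm="example" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
]
```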

