On 2016-04-25 17:47, Christian Boltz wrote:

> aa-logprof will read the log again every time you run it, which means it 
> sees the "old" event again.

I thought it used some kind of timestamp to only scan new events.

> I just checked the perl code. Besides being reminded why we wanted to 
> get rid of that ;-) I can probably explain what happens.
> This is from the code that parses the profile in /etc/apparmor.d:
>         } elsif (m/^\s*(audit\s+)?(deny\s+)?capability(\s+(\S+))?\s*,\s*(#.*)?$/) {  # capability entry
>             # [...]
>             my $capability = $3 ? $3 : 'all';
> If you start counting parenthesis, you'll notice that $1 is audit, $2 
> is deny and $3 is everything between the 'capability' keyword and the 
> comma. __Including the spaces!__ ($4 would be without spaces.)
> So aa-logprof knows the profile already contains the "   sys_resource" 
> (including the spaces!) capability, but the log tells it about the 
> "sys_resource" capability (without spaces), which is technically a 
> different one ;-)
> And to make things even more funny, a space gets added every time the
> profile gets written, which explains why your profile looks like stairs ;-)

I see :-)

> To get rid of the repeated questions, rotate the old audit.log away:
>     old /var/log/audit/audit.log   # will rename it to audit.log-$date
>     rcauditd restart

That's a new command for me, "old". However, the logfiles there have a
different rotation method:

Telcontar:/var/log/audit # ls
audit.log  audit.log.1  audit.log.2  audit.log.3  audit.log.4

No date stamp, so I can't use "old".

Mmmm, "rcauditd" does not exist. auditd.service does.

Cheers / Saludos,

                Carlos E. R.
                (from 13.1 x86_64 "Bottle" at Telcontar)
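A small reproduction of the parsing bug Christian describes above, added here as an example; it is not code from the AppArmor project or from either poster. It carries the quoted perl regex over to Python unchanged, puts the `$3` extraction beside the `$4` one, checks a log event against a profile with each, and runs the parse-then-write loop that produces the "stairs". The profile text, the audit event and the `write_capability` writer are constructed for the example (the writer's exact output format is an assumption).

```python
import re

# The capability-rule regex quoted from the old aa-logprof perl code, carried
# over to Python unchanged: group 3 is "(\s+(\S+))", group 4 is the inner "\S+".
CAP_RE = re.compile(
    r'^\s*(audit\s+)?(deny\s+)?capability(\s+(\S+))?\s*,\s*(#.*)?$'
)

# Constructed audit event for the example (not a real log line); AppArmor
# events carry the capability name in the capname="..." field.
AUDIT_EVENT = ('type=AVC msg=audit(1461600000.123:456): apparmor="DENIED" '
               'operation="capable" profile="/usr/bin/example" pid=1234 '
               'comm="example" capability=24 capname="sys_resource"')

# Constructed profile for the example, already granting the capability.
PROFILE = """#include <tunables/global>
/usr/bin/example {
  capability sys_resource,
  network inet stream,
}
"""

CAPNAME_RE = re.compile(r'capname="([^"]+)"')


def parse_capability_buggy(line):
    """Mirror `my $capability = $3 ? $3 : 'all'`: group 3 includes the
    whitespace between the keyword and the name."""
    m = CAP_RE.match(line)
    if not m:
        return None          # not a capability rule at all
    return m.group(3) if m.group(3) else 'all'


def parse_capability_fixed(line):
    """Same regex, but group 4 (the bare \\S+), which is the capability name."""
    m = CAP_RE.match(line)
    if not m:
        return None
    return m.group(4) if m.group(4) else 'all'


def log_capability(event):
    """Capability name as the audit log reports it (never has spaces)."""
    m = CAPNAME_RE.search(event)
    return m.group(1) if m else None


def already_allowed(profile_text, capname, parse):
    """Does the profile already contain a rule for this capability?"""
    return any(parse(line) == capname for line in profile_text.splitlines())


def write_capability(capname):
    """Assumed writer: keyword, one space, name (it adds nothing else)."""
    if capname == 'all':
        return '  capability,'
    return f'  capability {capname},'


def rewrite_cycle(line, parse, rounds):
    """Parse a rule and write it back `rounds` times; returns every version.
    With the buggy parser the leading whitespace survives into the name and
    the writer prepends another space each time: the "stairs" effect."""
    versions = [line]
    for _ in range(rounds):
        versions.append(write_capability(parse(versions[-1])))
    return versions


if __name__ == '__main__':
    cap = log_capability(AUDIT_EVENT)
    print('log reports:', repr(cap))
    print('buggy parser sees:', repr(parse_capability_buggy('  capability sys_resource,')))
    print('fixed parser sees:', repr(parse_capability_fixed('  capability sys_resource,')))
    print('known with buggy parser?', already_allowed(PROFILE, cap, parse_capability_buggy))
    print('known with fixed parser?', already_allowed(PROFILE, cap, parse_capability_fixed))
    for v in rewrite_cycle('  capability sys_resource,', parse_capability_buggy, 3):
        print(repr(v))
```

Run as a script it prints the two parsers' view of the same rule, shows that only the group-4 version recognises the logged capability as already present, and lists the rule growing by one space per rewrite; swap `parse_capability_fixed` into the loop and the line stays put.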


Evergreen mailing list