On 05/29/2014 01:31 AM, Tyler Hicks wrote:
> I'm surprised that this patch makes ausearch work correctly for AppArmor
> AVC events. The first thing that parse_avc() does is look for the
> "avc: " term in the AVCs that SELinux generates. AppArmor's AVCs don't
> include that string, so an.avc_result and an.avc_perm would not be set,
> would they?

That patch does "work" (tested w/ svn trunk). After I read your comment I looked at the code and I was also confused, as 'avc_result == AVC_UNSET', but find_avc(), which checks against UNSET, isn't being called; rather the record gets selected for output by 'n = list_get_cur(l)' [ausearch-match.c:113]. I would need to spend more time to fully understand what is happening in the code.

$ cat log
type=AVC msg=audit(1390876383.602:15646): apparmor="DENIED" operation="open" parent=21147 profile="/tmp/ls" name="/var/log/audit/" pid=21598 comm="ls" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1390936201.188:15647): apparmor="ALLOWED" operation="file_lock" parent=7873 profile="/usr/sbin/sshd" name="/tmp/pam_krb5_tmp_FqhNDa" pid=7875 comm="sshd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0

$ /tmp/audit/sbin/ausearch -m AVC -if ./log
----
time->Mon Jan 27 18:33:03 2014
type=AVC msg=audit(1390876383.602:15646): apparmor="DENIED" operation="open" parent=21147 profile="/tmp/ls" name="/var/log/audit/" pid=21598 comm="ls" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
----
time->Tue Jan 28 11:10:01 2014
type=AVC msg=audit(1390936201.188:15647): apparmor="ALLOWED" operation="file_lock" parent=7873 profile="/usr/sbin/sshd" name="/tmp/pam_krb5_tmp_FqhNDa" pid=7875 comm="sshd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0

Without patch, ausearch just outputs "<no matches>"

tony

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
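Added example, not part of this thread and not code from the audit project: a small Python parser that handles both record shapes discussed above, the SELinux form that carries an "avc: granted/denied { perms }" term and the AppArmor form that instead carries apparmor="DENIED|ALLOWED" key/value fields, so that a log reviewer can select denials from either LSM with one filter. The two AppArmor lines are the ones from the mail; the SELinux and SYSCALL lines are constructed for illustration, and the dictionary keys (lsm, result, perms, fields) are my own naming, not ausearch's.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log. The two AppArmor records mirror the lines quoted in
# the mail; the SELinux and SYSCALL records are assumed examples of the "avc:"
# form that ausearch's parse_avc() looks for and of a non-AVC record.
SAMPLE_LOG = """\
type=AVC msg=audit(1390876383.602:15646): apparmor="DENIED" operation="open" parent=21147 profile="/tmp/ls" name="/var/log/audit/" pid=21598 comm="ls" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1390936201.188:15647): apparmor="ALLOWED" operation="file_lock" parent=7873 profile="/usr/sbin/sshd" name="/tmp/pam_krb5_tmp_FqhNDa" pid=7875 comm="sshd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
type=AVC msg=audit(1390936300.000:15648): avc:  denied  { read } for  pid=4242 comm="httpd" name="shadow" dev="sda1" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1390936300.000:15648): arch=c000003e syscall=2 success=no exit=-13
"""

# Record header shared by every audit line: type, timestamp, serial, body.
_MSG_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
# SELinux AVC body: 'avc:  denied  { read write } for  pid=... comm=...'
_SELINUX_RE = re.compile(r'^avc:\s+(granted|denied)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
# key=value pairs, quoted or bare (bare values may contain ':' like scontext=).
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fields(body: str) -> Dict[str, str]:
    """Turn 'a="x" b=1' into {'a': 'x', 'b': '1'}; quotes are stripped."""
    return {k: (q if q else u) for k, q, u in _KV_RE.findall(body)}


def parse_avc_record(line: str) -> Optional[Dict[str, object]]:
    """Parse one audit line; return None for non-AVC or unrecognised records."""
    m = _MSG_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    if rtype != "AVC":
        return None
    rec: Dict[str, object] = {"timestamp": float(ts), "serial": int(serial)}
    sel = _SELINUX_RE.match(body)
    if sel:
        # SELinux: result and permission set live in the "avc:" term itself.
        result, perms, rest = sel.groups()
        rec.update(lsm="selinux", result=result.upper(),
                   perms=perms.split(), fields=parse_fields(rest))
        return rec
    fields = parse_fields(body)
    if "apparmor" not in fields:
        return None  # an AVC record in a form this parser does not recognise
    # AppArmor: result is the apparmor= value, permissions are the mask letters.
    mask = fields.get("denied_mask") or fields.get("requested_mask", "")
    rec.update(lsm="apparmor", result=fields["apparmor"],
               perms=list(mask), fields=fields)
    return rec


def denied_records(log_text: str) -> List[Dict[str, object]]:
    """Select denials from either LSM, which is the filter ausearch -m AVC
    cannot apply to AppArmor records when avc_result stays unset."""
    out = []
    for line in log_text.splitlines():
        rec = parse_avc_record(line)
        if rec and rec["result"] == "DENIED":
            out.append(rec)
    return out


if __name__ == "__main__":
    for rec in denied_records(SAMPLE_LOG):
        f = rec["fields"]
        print(f'{rec["serial"]} {rec["lsm"]} {rec["result"]} '
              f'comm={f.get("comm")} perms={",".join(rec["perms"])}')
```

Running the block prints one line per denial (serials 15646 and 15648); the ALLOWED AppArmor record and the SYSCALL record are skipped. The point of keeping `result` and `perms` in a common shape is that a downstream filter does not need to know which LSM produced the record.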
