On 06/03/2014 07:47 AM, Steve Grubb wrote: > Yep. So, the question is really how to fix this. Should we have a different > function that is swung in with #ifdef WITH_APPARMOR called parse_aa_avc? Then > it can be tuned exactly for AppArmor's needs? Later, the kernel event number > can be changed and the switch/case can pick that up. Also, are there other AA > events that are missing in action? The ausearch-test should tell you.
We'll take the patch (locally) for SLES. Seems to me, since there really isn't any AppArmor awareness in audit at present that the AppArmor developers may as well fix the kernel event numbering first, audit userspace after that .... anyhow, I see no point considering the previous patch for upstreaming. Thanks Tony -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
