Well, maybe things are even more interesting:
- the log message doesn't specify the len, so a socket name ending with \0 _will_ cause trouble
- for some reason, the log line above gets parsed as AA_RECORD_INVALID:

START
File: testcase_syslog_unix_01.in
Event type: AA_RECORD_INVALID
Audit ID: 1450687759.549:3582
Operation: connect
Mask: send receive connect
Denied Mask: send connect
Profile: /usr/sbin/cupsd
Command: cupsd
PID: 6049
Network family: unix
Socket type: stream
Protocol: ip
Epoch: 1450687759
Audit subid: 3582

- the peer address isn't included in the parsed log - but that might be a side effect and/or reason for AA_RECORD_INVALID

--
https://bugs.launchpad.net/bugs/1528778

Title:
  aa-logprof doesn't support unix rules/events

Status in AppArmor:
  New
Status in apparmor package in Ubuntu:
  New

Bug description:
  aa-logprof ignores denied messages in kern.log.
  Logs sent to apparmor [at] cboltz.de.

  ProblemType: Bug
  DistroRelease: Ubuntu 15.10
  Package: apparmor 2.10-0ubuntu6
  ProcVersionSignature: Ubuntu 4.2.0-21.25-generic 4.2.6
  Uname: Linux 4.2.0-21-generic x86_64
  ApportVersion: 2.19.1-0ubuntu5
  Architecture: amd64
  Date: Wed Dec 23 09:22:44 2015
  InstallationDate: Installed on 2014-04-19 (612 days ago)
  InstallationMedia: Ubuntu-Server 14.04 LTS "Trusty Tahr" - Release amd64 (20140416.2)
  ProcKernelCmdline: BOOT_IMAGE=/vmlinuz-4.2.0-21-generic root=/dev/mapper/ubuntu-root ro splash elevator=cfq nomdmonddf nomdmonisw crashkernel=384M-:128M
  SourcePackage: apparmor
  Syslog:
  UpgradeStatus: Upgraded to wily on 2015-11-14 (38 days ago)