> c0n7r4 (c0n7r4) wrote:
> apparmor="AUDIT"
AUDIT events happen if your profile has a rule like
audit /tmp/tempfile/ r,
and the program is then really doing something that needs this rule (like
getting a directory listing for /tmp/tempfile/).
"audit" means that the action is allowed (but gets logged every time),
so there's nothing aa-logprof should ask about.
So for AUDIT events, aa-logprof works as expected - those things are
already allowed, so there's nothing to ask ;-)
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1399027
Title:
logparser doesn't understand /var/log/messages format
Status in AppArmor:
Fix Released
Status in apparmor package in Ubuntu:
Fix Released
Bug description:
[impact]
This bug causes tools that use libapparmor to parse syslog and other
logs for apparmor rejections to fail to recognize apparmor events.
[steps to reproduce]
[regression potential]
The patch for this issue is confined to the log parsing portion of
the libapparmor library. Breakages occurring here would most likely
prevent tools that help assist the management of apparmor policy
from working; apparmor mediation would not be impacted. libapparmor
does provide other functionality, mostly around the aa_change_hat(3)
and aa_change_profile(3) calls; an entirely broken library could cause
issues for applications that make use of these from working correctly;
however, there are tests available in the upstream package that get
invoked by the lp:qa-regression-testing test-apparmor.py script that
ensure these continue to function.
[original description]
log parsing (part of libapparmor, used by aa-logprof and aa-genprof) doesn't
understand the format in /var/log/messages, which means it doesn't find any
events in it.
IIRC I've seen a similar report for the ubuntu syslog format on IRC.
Example log line from openSUSE:
2014-06-09T20:37:28.975070+02:00 geeko kernel: [21028.143765]
type=1400 audit(1402339048.973:1421): apparmor="ALLOWED"
operation="open" profile="/home/cb/linuxtag/apparmor/scripts/hello"
name="/dev/tty" pid=14335 comm="hello" requested_mask="rw"
denied_mask="rw" fsuid=1000 ouid=0
(Workaround: use auditd / audit.log)
To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1399027/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
