> c0n7r4 (c0n7r4) wrote:
> apparmor="AUDIT"

AUDIT events happen if your profile has a rule like
    audit /tmp/tempfile/ r,
and the program is then really doing something that needs this rule (like 
getting a directory listing for /tmp/tempfile/).

"audit" means that the action is allowed (but gets logged every time),
so there's nothing aa-logprof should ask about.

So for AUDIT events, aa-logprof works as expected - those things are
already allowed, so there's nothing to ask ;-)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1399027

Title:
  logparser doesn't understand /var/log/messages format

Status in AppArmor:
  Fix Released
Status in apparmor package in Ubuntu:
  Fix Released

Bug description:
  [impact]

  This bug causes tools that use libapparmor to parse syslog and other
  logs for apparmor rejections to fail to recognize apparmor events.

  [steps to reproduce]

  [regression potential]

  The patch for this issue is confined to the log parsing portion of
  the libapparmor library. Breakages occurring here would most likely
  prevent tools that help assist the management of apparmor policy
  from working; apparmor mediation would not be impacted. libapparmor
  does provide other functionality, mostly around the aa_change_hat(3)
  and aa_change_profile(3) calls; an entirely broken library could prevent
  applications that make use of these from working correctly;
  however, there are tests available in the upstream package that get
  invoked by the lp:qa-regression-testing test-apparmor.py script that
  ensure these continue to function.

  [original description]
   
  log parsing (part of libapparmor, used by aa-logprof and aa-genprof)
  doesn't understand the format in /var/log/messages, which means it
  doesn't find any events in it.

  IIRC I've seen a similar report for the ubuntu syslog format on IRC.

  Example log line from openSUSE:

  2014-06-09T20:37:28.975070+02:00 geeko kernel: [21028.143765]
  type=1400 audit(1402339048.973:1421): apparmor="ALLOWED"
  operation="open" profile="/home/cb/linuxtag/apparmor/scripts/hello"
  name="/dev/tty" pid=14335 comm="hello" requested_mask="rw"
  denied_mask="rw" fsuid=1000 ouid=0

  (Workaround: use auditd / audit.log)
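
An added example, not code from libapparmor or from this thread: a small Python parser that finds the AppArmor audit record whether or not a syslog prefix precedes it, and separates AUDIT events from the ALLOWED/DENIED events a profiling tool has to ask about. The function names are hypothetical, and the second sample line is constructed.

```python
import re

# Find the audit record anywhere in the line, so a syslog prefix
# (timestamp, host, "kernel:", "[uptime]") in front of it is ignored.
RECORD = re.compile(
    r'type=(?P<type>\w+)\s+(?:msg=)?'
    r'audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')

# Log line from the bug description (wrapped there by the mail client).
SYSLOG_LINE = (
    '2014-06-09T20:37:28.975070+02:00 geeko kernel: [21028.143765] '
    'type=1400 audit(1402339048.973:1421): apparmor="ALLOWED" '
    'operation="open" profile="/home/cb/linuxtag/apparmor/scripts/hello" '
    'name="/dev/tty" pid=14335 comm="hello" requested_mask="rw" '
    'denied_mask="rw" fsuid=1000 ouid=0')
# Constructed audit.log-style line for the "audit /tmp/tempfile/ r," case.
AUDITD_LINE = (
    'type=AVC msg=audit(1402339048.973:1422): apparmor="AUDIT" '
    'operation="open" profile="/usr/bin/example" name="/tmp/tempfile/" '
    'pid=14336 comm="example" requested_mask="r" fsuid=1000 ouid=0')

def parse_apparmor_event(line):
    """Return the event's fields as a dict, or None if it is not one."""
    line = " ".join(line.split())          # undo wrapping / extra spaces
    m = RECORD.search(line)
    if m is None:
        return None
    fields = {k: quoted or bare for k, quoted, bare in FIELD.findall(m["body"])}
    if "apparmor" not in fields:           # some other audit record
        return None
    fields["audit_type"] = m["type"]
    fields["serial"] = int(m["serial"])
    return fields

def needs_policy_decision(event):
    """AUDIT means allowed-and-logged; only ALLOWED/DENIED need a rule."""
    return event["apparmor"] in ("ALLOWED", "DENIED")

if __name__ == "__main__":
    for sample in (SYSLOG_LINE, AUDITD_LINE):
        ev = parse_apparmor_event(sample)
        print(ev["apparmor"], ev["name"], needs_policy_decision(ev))
```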
