** Description changed: + [ Impact ] + + * The following command should display all AVC denials: `ausearch --message AVC`; however, it doesn't work: + + ``` + yachie@virtual:/etc/apparmor.d$ ausearch --message AVC + <no matches> + ``` + + * Users currently must inspect `/var/log/audit.log` to find the missing AppArmor AVC events: + + ``` + yachie@virtual:/etc/apparmor.d$ sudo cat /var/log/audit.log + type=AVC msg=audit(1774470501.870:1117918): apparmor="DENIED" operation="open" class="file" profile="rsyslogd" name="/proc/2009624/cmdline" pid=106062 comm="in:imuxsock" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 FSUID="root" OUID="root" + type=AVC msg=audit(1774470501.927:1117919): apparmor="DENIED" operation="open" class="file" profile="rsyslogd" name="/proc/2009636/cmdline" pid=106062 comm="in:imuxsock" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 FSUID="root" OUID="root" + ``` + + * The root cause is that `ausearch` is checking for a `tclass` field in the AppArmor events, because the AppArmor is using event id `1400` (assigned to SELinux) instead of `1500`. + + * AppArmor events don't have a `tclass` field, so `ausearch` treats every AppArmor event as 'malformed' and hides them. We can reveal the 'malformed' events with the `--debug` flag: + + ``` + yachie@virtual:~$ ausearch --message AVC --debug + ( ... a ton of unrelated events ... ) + Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.176:616): apparmor="AUDIT" operation="change_onexec" class="file" info="change_profile unprivileged unconfined converted to stacking" profile="unconfined" name="lsb_release" pid=5443 comm="aa-exec" + Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:617): apparmor="DENIED" operation="open" class="file" profile="lsb_release" name="/etc/nsswitch.conf" pid=5443 comm="bash" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 + Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:618): apparmor="DENIED" operation="open" class="file" profile="lsb_release" name="/etc/passwd" pid=5443 comm="bash" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 + Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:619): apparmor="DENIED" operation="open" class="file" profile="lsb_release" name="/etc/bash.bashrc" pid=5443 comm="bash" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 + Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:620): apparmor="DENIED" operation="open" class="file" profile="lsb_release" name="/home/yachie/.bashrc" pid=5443 comm="bash" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000 + Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:621): apparmor="DENIED" operation="open" class="file" profile="lsb_release" name="/home/yachie/.bash_history" pid=5443 comm="bash" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000 + Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:622): apparmor="DENIED" operation="open" class="file" profile="lsb_release" name="/home/yachie/.bash_history" pid=5443 comm="bash" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000 + Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:623): apparmor="DENIED" operation="open" class="file" profile="lsb_release" name="/etc/inputrc" pid=5443 comm="bash" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 + <no matches> + ``` + + * This bug makes `auditd` very difficult to use on Ubuntu: having the `auditd` package installed hides AVC events from the kernel log AND `ausearch` doesn't reveal them, making AppArmor events seemingly vanish unless you know where to look. + + [ Test plan ] + + # Install the relevant packages + 1. sudo apt install apparmor auditd + + # Run the reproducer + 2. aa-exec --profile=lsb_release bash # generates a ton of denials; see below: + ``` + root@jammy-vm:~# aa-exec --profile lsb_release bash + bash: /etc/bash.bashrc: Permission denied + bash: /root/.bashrc: Permission denied + bash-5.1# + exit + ``` + + # Run `ausearch` and search for AVC events + 3. ausearch --message AVC + + 3a. Unpatched package output (fail): + ``` + root@jammy-vm:~# ausearch --message AVC + <no matches> + ``` + + 3b. Patched package output (success): + ``` + root@jammy-vm:~# ausearch --message AVC + ---- + time->Tue Jul 14 21:03:18 2026 + type=PROCTITLE msg=audit(1784062998.789:100): proctitle="bash" + type=SYSCALL msg=audit(1784062998.789:100): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7f6a7274c150 a2=80000 a3=0 items=0 ppid=562 pid=3449 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="bash" exe="/usr/bin/bash" subj=lsb_release key=(null) + type=AVC msg=audit(1784062998.789:100): apparmor="DENIED" operation="open" profile="lsb_release" name="/etc/nsswitch.conf" pid=3449 comm="bash" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 + ---- + time->Tue Jul 14 21:03:18 2026 + type=PROCTITLE msg=audit(1784062998.789:101): proctitle="bash" + type=SYSCALL msg=audit(1784062998.789:101): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7f6a7274c2ac a2=80000 a3=0 items=0 ppid=562 pid=3449 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="bash" exe="/usr/bin/bash" subj=lsb_release key=(null) + type=AVC msg=audit(1784062998.789:101): apparmor="DENIED" operation="open" profile="lsb_release" name="/etc/passwd" pid=3449 comm="bash" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 + ---- + ( ...continues ) + ``` + + [ Where problems could occur ] + + * Currently, all AppArmor events are treated as 'malformed' SELinux + events when they are actually well-formed AppArmor events. + + * This patch modifies the filtration behavior of `ausearch` by making the `tclass` field optional, thus making AppArmor events be treated as well-formed SELinux events. + + * The regression risk with this patch is such that potentially well-formed events will be hidden by `ausearch` unintentionally, or truly malformed events will be allowed past the filter. + + * One major caveat is that regressions with respect to actual SELinux + events are difficult to test on Ubuntu; some malformed SELinux events + would potenitally be allowed through the filter with this patch. + + [ Other info ] + + * Debian likely doesn't want this patch, as Debian officially won't be making any changes until upstream does [3]. + + * Upstream can't move the AppArmor event id to the `1500` range any time soon. AppArmor was moved to the `1400` range to align with the Linux kernel LSM infrastructure [2] + + * This patch comes from SUSE; they've been carrying it for well over a decade, and they seem to still be carrying it even after switching to SELinux by default [3]. + + Targeted releases: All currently supported releases and all releases + moving forward until AppArmor moves back to the `1500` event range. + + [1] Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872726 + [2] AA using 1400 reason: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872726#39 + [3] Debian `wontfix` closure: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872726#88 + [2] SUSE KB: https://support.scc.suse.com/s/kb/audit-log-file-that-has-the-apparmor-AVC-entries-that-ausearch-can-t-read-1583239408721?language=en_US + [3] SUSE Patch: https://build.opensuse.org/projects/security/packages/audit/files/audit-ausearch-do-not-require-tclass.patch + + [ Original bug (for posterity) ] + The following command should display all AVC denials: ausearch -m avc However, it doesn't work with AppArmor denials. Here's a quick test case to generate a denial, search for it with ausearch, and see that no messages are displayed: $ aa-exec -p /usr/sbin/tcpdump cat /proc/self/attr/current cat: /proc/self/attr/current: Permission denied $ sudo ausearch -m avc -c cat <no matches> ausearch claims that there are no matches, but there's a matching audit message if you look in audit.log: type=AVC msg=audit(1360193426.539:64): apparmor="DENIED" operation="open" parent=8253 profile="/usr/sbin/tcpdump" name="/proc/8485/attr/current" pid=8485 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
** Description changed: [ Impact ] - * The following command should display all AVC denials: `ausearch --message AVC`; however, it doesn't work: - + * The following command should display all AVC denials: `ausearch + --message AVC`; however, it doesn't work: + ``` yachie@virtual:/etc/apparmor.d$ ausearch --message AVC <no matches> ``` - * Users currently must inspect `/var/log/audit.log` to find the missing AppArmor AVC events: - + * Users currently must inspect `/var/log/audit.log` to find the missing + AppArmor AVC events: + ``` yachie@virtual:/etc/apparmor.d$ sudo cat /var/log/audit.log type=AVC msg=audit(1774470501.870:1117918): apparmor="DENIED" operation="open" class="file" profile="rsyslogd" name="/proc/2009624/cmdline" pid=106062 comm="in:imuxsock" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 FSUID="root" OUID="root" type=AVC msg=audit(1774470501.927:1117919): apparmor="DENIED" operation="open" class="file" profile="rsyslogd" name="/proc/2009636/cmdline" pid=106062 comm="in:imuxsock" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 FSUID="root" OUID="root" ``` - - * The root cause is that `ausearch` is checking for a `tclass` field in the AppArmor events, because the AppArmor is using event id `1400` (assigned to SELinux) instead of `1500`. - - * AppArmor events don't have a `tclass` field, so `ausearch` treats every AppArmor event as 'malformed' and hides them. We can reveal the 'malformed' events with the `--debug` flag: - - ``` + + * The root cause is that `ausearch` is checking for a `tclass` field in + the AppArmor events, because the AppArmor is using event id `1400` + (assigned to SELinux) instead of `1500`. + + * AppArmor events don't have a `tclass` field, so `ausearch` treats + every AppArmor event as 'malformed' and hides them. We can reveal the + 'malformed' events with the `--debug` flag: + + ``` yachie@virtual:~$ ausearch --message AVC --debug ( ... a ton of unrelated events ... ) Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.176:616): apparmor="AUDIT" operation="change_onexec" class="file" info="change_profile unprivileged unconfined converted to stacking" profile="unconfined" name="lsb_release" pid=5443 comm="aa-exec" Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:617): apparmor="DENIED" operation="open" class="file" profile="lsb_release" name="/etc/nsswitch.conf" pid=5443 comm="bash" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:618): apparmor="DENIED" operation="open" class="file" profile="lsb_release" name="/etc/passwd" pid=5443 comm="bash" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:619): apparmor="DENIED" operation="open" class="file" profile="lsb_release" name="/etc/bash.bashrc" pid=5443 comm="bash" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:620): apparmor="DENIED" operation="open" class="file" profile="lsb_release" name="/home/yachie/.bashrc" pid=5443 comm="bash" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000 Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:621): apparmor="DENIED" operation="open" class="file" profile="lsb_release" name="/home/yachie/.bash_history" pid=5443 comm="bash" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000 Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:622): apparmor="DENIED" operation="open" class="file" profile="lsb_release" name="/home/yachie/.bash_history" pid=5443 comm="bash" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000 Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:623): apparmor="DENIED" operation="open" class="file" profile="lsb_release" name="/etc/inputrc" pid=5443 comm="bash" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 <no matches> - ``` - - * This bug makes `auditd` very difficult to use on Ubuntu: having the `auditd` package installed hides AVC events from the kernel log AND `ausearch` doesn't reveal them, making AppArmor events seemingly vanish unless you know where to look. - + ``` + + * This bug makes `auditd` very difficult to use on Ubuntu: having the + `auditd` package installed hides AVC events from the kernel log AND + `ausearch` doesn't reveal them, making AppArmor events seemingly vanish + unless you know where to look. + [ Test plan ] # Install the relevant packages 1. sudo apt install apparmor auditd # Run the reproducer 2. aa-exec --profile=lsb_release bash # generates a ton of denials; see below: ``` root@jammy-vm:~# aa-exec --profile lsb_release bash bash: /etc/bash.bashrc: Permission denied bash: /root/.bashrc: Permission denied - bash-5.1# + bash-5.1# exit ``` # Run `ausearch` and search for AVC events 3. ausearch --message AVC 3a. Unpatched package output (fail): ``` root@jammy-vm:~# ausearch --message AVC <no matches> ``` 3b. Patched package output (success): ``` root@jammy-vm:~# ausearch --message AVC ---- time->Tue Jul 14 21:03:18 2026 type=PROCTITLE msg=audit(1784062998.789:100): proctitle="bash" type=SYSCALL msg=audit(1784062998.789:100): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7f6a7274c150 a2=80000 a3=0 items=0 ppid=562 pid=3449 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="bash" exe="/usr/bin/bash" subj=lsb_release key=(null) type=AVC msg=audit(1784062998.789:100): apparmor="DENIED" operation="open" profile="lsb_release" name="/etc/nsswitch.conf" pid=3449 comm="bash" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 ---- time->Tue Jul 14 21:03:18 2026 type=PROCTITLE msg=audit(1784062998.789:101): proctitle="bash" type=SYSCALL msg=audit(1784062998.789:101): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7f6a7274c2ac a2=80000 a3=0 items=0 ppid=562 pid=3449 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="bash" exe="/usr/bin/bash" subj=lsb_release key=(null) type=AVC msg=audit(1784062998.789:101): apparmor="DENIED" operation="open" profile="lsb_release" name="/etc/passwd" pid=3449 comm="bash" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 ---- ( ...continues ) ``` [ Where problems could occur ] - * Currently, all AppArmor events are treated as 'malformed' SELinux + * Currently, all AppArmor events are treated as 'malformed' SELinux events when they are actually well-formed AppArmor events. - * This patch modifies the filtration behavior of `ausearch` by making the `tclass` field optional, thus making AppArmor events be treated as well-formed SELinux events. - - * The regression risk with this patch is such that potentially well-formed events will be hidden by `ausearch` unintentionally, or truly malformed events will be allowed past the filter. + * This patch modifies the filtration behavior of `ausearch` by making + the `tclass` field optional, thus making AppArmor events be treated as + well-formed SELinux events. - * One major caveat is that regressions with respect to actual SELinux + * The regression risk with this patch is such that potentially well- + formed events will be hidden by `ausearch` unintentionally, or truly + malformed events will be allowed past the filter. + + * One major caveat is that regressions with respect to actual SELinux events are difficult to test on Ubuntu; some malformed SELinux events would potenitally be allowed through the filter with this patch. [ Other info ] - * Debian likely doesn't want this patch, as Debian officially won't be making any changes until upstream does [3]. - - * Upstream can't move the AppArmor event id to the `1500` range any time soon. AppArmor was moved to the `1400` range to align with the Linux kernel LSM infrastructure [2] - - * This patch comes from SUSE; they've been carrying it for well over a decade, and they seem to still be carrying it even after switching to SELinux by default [3]. + * Debian likely doesn't want this patch, as Debian officially won't be + making any changes until upstream does [3]. + + * Upstream can't move the AppArmor event id to the `1500` range any + time soon. AppArmor was moved to the `1400` range to align with the + Linux kernel LSM infrastructure [2] + + * This patch comes from SUSE; they've been carrying it for well over a + decade [4], and they seem to still be carrying it even after switching + to SELinux by default [5]. Targeted releases: All currently supported releases and all releases moving forward until AppArmor moves back to the `1500` event range. [1] Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872726 [2] AA using 1400 reason: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872726#39 [3] Debian `wontfix` closure: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872726#88 - [2] SUSE KB: https://support.scc.suse.com/s/kb/audit-log-file-that-has-the-apparmor-AVC-entries-that-ausearch-can-t-read-1583239408721?language=en_US - [3] SUSE Patch: https://build.opensuse.org/projects/security/packages/audit/files/audit-ausearch-do-not-require-tclass.patch + [4] SUSE KB: https://support.scc.suse.com/s/kb/audit-log-file-that-has-the-apparmor-AVC-entries-that-ausearch-can-t-read-1583239408721?language=en_US + [5] SUSE Patch: https://build.opensuse.org/projects/security/packages/audit/files/audit-ausearch-do-not-require-tclass.patch - [ Original bug (for posterity) ] + [ Original bug (for posterity after over a decade) ] The following command should display all AVC denials: ausearch -m avc However, it doesn't work with AppArmor denials. Here's a quick test case to generate a denial, search for it with ausearch, and see that no messages are displayed: $ aa-exec -p /usr/sbin/tcpdump cat /proc/self/attr/current cat: /proc/self/attr/current: Permission denied $ sudo ausearch -m avc -c cat <no matches> ausearch claims that there are no matches, but there's a matching audit message if you look in audit.log: type=AVC msg=audit(1360193426.539:64): apparmor="DENIED" operation="open" parent=8253 profile="/usr/sbin/tcpdump" name="/proc/8485/attr/current" pid=8485 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1117804 Title: ausearch doesn't show AppArmor denial messages To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/1117804/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
