[apparmor] Problem with audit rule modifier

azurIt azurit at pobox.sk
Fri Jun 28 21:14:35 UTC 2013

>> Hi,
>> i'm having problems with audit rule modifier - it's just not working when used alone. I'm trying to enable only logging with this:
>> audit /home/** a,
>> audit /home/** w,
>By only logging you mean logging of an access but not granting permission?

I mean logging of an access AND granting permission.

>> It should work according to documentation ( http://wiki.apparmor.net/index.php/QuickProfileLanguage#Rule_Modifiers ) but it's doing nothing. I was able to enable logging only with this running in complain mode:
>> audit deny /home/**/*.php a,
>> audit deny /home/**/*.php w,
>these two rules where necessary to get logging in complain mode?

Well, i just read in docs that 'w' implies also 'a', so only the second line is necessary. But yes, i had to use 'audit deny' for logging to work (and, as i want to NOT deny the action, i had to use complain mode).

>> Audit alone it not working. Is this a known bug? Thanks.
>It is not known.
>Can you send us the full profile you are using?

Here is the complete profile (i already removed that 'a' line and tested it):

/usr/lib/apache2/mpm-itk/apache2 {
        audit deny /home/**/*.php w,

As i said, i'm running this in complain mode because i don't want to deny the action on last line. I want to use apparmor only for logging access to files via PHP (i will be processing that log later).

Thank you.


More information about the AppArmor mailing list