[apparmor] About duplicate AVC audit entries
Vincas Dargis
vindrg at gmail.com
Sat Oct 7 08:23:02 UTC 2017
On 2017.10.05 22:14, John Johansen wrote:
> The ordering of apparmor rules with respect to other kernel messages
> can also be slightly out of expected order if you are using rsyslog
> etc instead of auditd, because the apparmor messages go through the
> audit subsystem and its messaging can get reordered some vs. the rest
> of the regular kernel printk stream.
These lines were from /var/log/audit/audit.log.
> Also of note is we are trying once again to get apparmor moved away
> from audit type 1400 (AVC) which will make it easier to use the audit
> tools with apparmor messages
Yeah, this feature is really anticipated.