[apparmor] [Bug 1117804] Re: ausearch doesn't show AppArmor denial messages

intrigeri intrigeri at boum.org
Sun Sep 3 10:53:04 UTC 2017

FTR this was raised as a potential blocker for enabling AppArmor by
default on Debian: https://bugs.debian.org/872726. I'm going to
investigate why this is a blocker there.

tl;dr: as the audit maintainers said in 2014
(https://www.redhat.com/archives/linux-audit/2014-May/msg00119.html) and
2016 (https://www.redhat.com/archives/linux-audit/2016-April/msg00129.html),
we should use event ids from the range that has been allocated to us
(1500-1599) instead of from the range assigned to SELinux.

Any plans / ETA to fix this? Regardless of how you would prioritize this
problem otherwise, the fact it might prevent AppArmor from being enabled
by default in Debian could be a reason to handle it ASAP :)

** Bug watch added: Debian Bug tracker #872726

Bug description:
  The following command should display all AVC denials:

  ausearch -m avc

  However, it doesn't work with AppArmor denials. Here's a quick test
  case to generate a denial, search for it with ausearch, and see that
  no messages are displayed:

  $ aa-exec -p /usr/sbin/tcpdump cat /proc/self/attr/current
  cat: /proc/self/attr/current: Permission denied
  $ sudo ausearch -m avc -c cat
  <no matches>

  ausearch claims that there are no matches, but there's a matching
  audit message if you look in audit.log:

  type=AVC msg=audit(1360193426.539:64): apparmor="DENIED" operation="open" parent=8253 profile="/usr/sbin/tcpdump" name="/proc/8485/attr/current" pid=8485 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
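As an added example (not code from the bug report, from the audit tools, or from the AppArmor project): since `ausearch -m avc` returns no matches for these records, this script parses AppArmor DENIED records straight out of audit.log lines in the format quoted above, with comm and profile filters standing in for ausearch's `-c`. The log lines embedded in the script are constructed (the first is the record quoted in the report; the others are made up for the test and use assumed field names such as family and sock_type).

```python
"""Pull AppArmor denial records out of audit.log without ausearch.

Added example, not part of the bug report or of the audit/AppArmor
projects. It parses raw audit records of the form

  type=AVC msg=audit(<secs>.<millis>:<serial>): key=value key="value" ...

and keeps those that carry apparmor="DENIED". SAMPLE_LOG is constructed.
"""
import re
from dataclasses import dataclass, field

# Record header: type, timestamp and serial, then the free-form body.
_RECORD_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$'
)
# key=value pairs in the body; values are either double-quoted or bare.
# Tokens that are not key=value (e.g. SELinux's "avc:  denied  { read }")
# are simply skipped by finditer.
_KV_RE = re.compile(
    r'(?P<key>[A-Za-z_][A-Za-z0-9_]*)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))'
)

# Constructed sample log. Line 1 is the denial quoted in the bug report;
# the rest are made up (SELinux-style AVC, an AppArmor ALLOWED record,
# a SYSCALL record and a second AppArmor denial from a different comm).
SAMPLE_LOG = [
    'type=AVC msg=audit(1360193426.539:64): apparmor="DENIED" operation="open" '
    'parent=8253 profile="/usr/sbin/tcpdump" name="/proc/8485/attr/current" '
    'pid=8485 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
    'type=AVC msg=audit(1360193427.000:65): avc:  denied  { read } for  '
    'pid=1234 comm="httpd" name="shadow" dev="sda1" ino=12 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file',
    'type=AVC msg=audit(1360193428.250:66): apparmor="ALLOWED" operation="open" '
    'profile="/usr/sbin/tcpdump" name="/etc/hosts" pid=8486 comm="cat" '
    'requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    'type=SYSCALL msg=audit(1360193428.250:66): arch=c000003e syscall=2 success=no '
    'exit=-13 pid=8486 comm="cat" exe="/bin/cat"',
    'type=AVC msg=audit(1360193430.101:71): apparmor="DENIED" operation="connect" '
    'profile="/usr/sbin/tcpdump" pid=8490 comm="tcpdump" family="unix" '
    'sock_type="stream" protocol=0 requested_mask="send" denied_mask="send"',
]


@dataclass
class AuditRecord:
    type: str
    timestamp: float
    serial: int
    fields: dict = field(default_factory=dict)


def parse_record(line):
    """Parse one audit.log line; return None if it is not an audit record."""
    m = _RECORD_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for kv in _KV_RE.finditer(m.group('body')):
        quoted = kv.group('quoted')
        fields[kv.group('key')] = quoted if quoted is not None else kv.group('bare')
    return AuditRecord(m.group('type'), float(m.group('ts')),
                       int(m.group('serial')), fields)


def apparmor_denials(lines, comm=None, profile=None):
    """Yield AppArmor DENIED records, optionally filtered by comm (like
    ausearch -c) and/or by confining profile."""
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec.type != 'AVC':
            continue
        if rec.fields.get('apparmor') != 'DENIED':
            continue
        if comm is not None and rec.fields.get('comm') != comm:
            continue
        if profile is not None and rec.fields.get('profile') != profile:
            continue
        yield rec


def summarize(rec):
    """The fields an analyst wants first: profile, operation, object, mask."""
    f = rec.fields
    return (f.get('profile'), f.get('operation'), f.get('name'), f.get('denied_mask'))


if __name__ == '__main__':
    # Equivalent of the report's `ausearch -m avc -c cat`, against SAMPLE_LOG.
    for rec in apparmor_denials(SAMPLE_LOG, comm='cat'):
        print(rec.serial, summarize(rec))
```

Run it as a script to reproduce the `-c cat` search from the report against the embedded lines; to use it on a real system, feed it the lines of /var/log/audit/audit.log (reading that file needs root). The `type` filter keeps `AVC` only because that is the type the quoted record carries; if the allocated 1500-1599 types are adopted as the thread suggests, the filter would need to accept those type names as well.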
