[apparmor] [Bug 1117804] Re: ausearch doesn't show AppArmor denial messages
intrigeri at boum.org
Sun Sep 3 10:53:04 UTC 2017
FTR this was raised as a potential blocker for enabling AppArmor by
default on Debian: https://bugs.debian.org/872726. I'm going to
investigate why this is a blocker there.
tl;dr: as the audit maintainers said in 2014
audit/2016-April/msg00129.html), we should use events ids from the range
that has been allocated to us (1500-1599) instead of from the range
assigned to SELinux.
Any plans / ETA to fix this? Regardless of how you would prioritize this
problem otherwise, the fact it might prevent AppArmor from being enabled
by default in Debian could be a reason to handle it ASAP :)
** Bug watch added: Debian Bug tracker #872726
You received this bug notification because you are a member of AppArmor
Developers, which is subscribed to the bug report.
ausearch doesn't show AppArmor denial messages
Status in AppArmor:
Status in audit package in Ubuntu:
Status in linux package in Ubuntu:
The following command should display all AVC denials:
ausearch -m avc
However, it doesn't work with AppArmor denials. Here's a quick test
case to generate a denial, search for it with ausearch, and see that
no messages are displayed:
$ aa-exec -p /usr/sbin/tcpdump cat /proc/self/attr/current
cat: /proc/self/attr/current: Permission denied
$ sudo ausearch -m avc -c cat
ausearch claims that there are no matches, but there's a matching
audit message if you look in audit.log:
type=AVC msg=audit(1360193426.539:64): apparmor="DENIED"
operation="open" parent=8253 profile="/usr/sbin/tcpdump"
name="/proc/8485/attr/current" pid=8485 comm="cat" requested_mask="r"
denied_mask="r" fsuid=1000 ouid=1000
To manage notifications about this bug go to:
More information about the AppArmor