I was able to fix the crash by adding the following lines after line 1515 in /usr/lib/python3/dist-packages/apparmor/aa.py but this probably needs verifying for overall business logic compliance (as audit mode is combination of enforcement and complain):
On 19 Aug 2014, at 12:26, Christian Boltz <email address hidden> wrote:
> Can you please attach some example log lines that cause this? (Typical
> log locations are /var/log/audit/audit.log, /var/log/messages or
> /var/log/syslog)
>
> This probably needs to be fixed in logparser.py add_event_to_tree()
> (which is expected to ignore audit events) - but I'll need the log
> sample to get it right.
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1358705
>
> Title:
> Invalid mode found: AUDITING
>
> Status in AppArmor Linux application security framework:
> New
>
> Bug description:
> aa-logprof crashes with the following error:
>
> Invalid mode found: AUDITING
> File "/usr/sbin/aa-genprof", line 150, in <module>
> lp_ret = apparmor.do_logprof_pass(logmark, passno)
> File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2270, in do_logprof_pass
> ask_the_questions()
> File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 1518, in ask_the_questions
> fatal_error(_('Invalid mode found: %s') % aamode)
> File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 133, in fatal_error
> tb_stack = traceback.format_list(traceback.extract_stack())
>
> when I have some processes running in AUDIT mode.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/apparmor/+bug/1358705/+subscriptions
>
Hi Christian,
I think these lines are causing it:
Aug 19 11:35:48 kautsky kernel: [ 1545.990026] type=1400 audit(140844814 8.700:7093) : apparmor="AUDIT" operation="accept" profile= "/usr/sbin/ nginx" pid=6660 comm="nginx" lport=80 family="inet" sock_type="stream" protocol=6 8.700:7094) : apparmor="AUDIT" operation="accept" profile= "/usr/sbin/ nginx" pid=6660 comm="nginx" lport=80 family="inet" sock_type="stream" protocol=6
Aug 19 11:35:48 kautsky kernel: [ 1545.990060] type=1400 audit(140844814
I was able to fix the crash by adding the following lines after line 1515 in /usr/lib/ python3/ dist-packages/ apparmor/ aa.py but this probably needs verifying for overall business logic compliance (as audit mode is combination of enforcement and complain):
elif aamode == 'AUDITING':
aaui. UI_Info( _('Audit- mode changes:'))
On 19 Aug 2014, at 12:26, Christian Boltz <email address hidden> wrote:
> Can you please attach some example log lines that cause this? (Typical audit/audit. log, /var/log/messages or /bugs.launchpad .net/bugs/ 1358705 aa-genprof" , line 150, in <module> do_logprof_ pass(logmark, passno) python3/ dist-packages/ apparmor/ aa.py", line 2270, in do_logprof_pass python3/ dist-packages/ apparmor/ aa.py", line 1518, in ask_the_questions _('Invalid mode found: %s') % aamode) python3/ dist-packages/ apparmor/ aa.py", line 133, in fatal_error format_ list(traceback. extract_ stack() ) /bugs.launchpad .net/apparmor/ +bug/1358705/ +subscriptions
> log locations are /var/log/
> /var/log/syslog)
>
> This probably needs to be fixed in logparser.py add_event_to_tree()
> (which is expected to ignore audit events) - but I'll need the log
> sample to get it right.
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https:/
>
> Title:
> Invalid mode found: AUDITING
>
> Status in AppArmor Linux application security framework:
> New
>
> Bug description:
> aa-logprof crashes with the following error:
>
> Invalid mode found: AUDITING
> File "/usr/sbin/
> lp_ret = apparmor.
> File "/usr/lib/
> ask_the_questions()
> File "/usr/lib/
> fatal_error(
> File "/usr/lib/
> tb_stack = traceback.
>
> when I have some processes running in AUDIT mode.
>
> To manage notifications about this bug go to:
> https:/
>
--
Pawel Krawczyk
<email address hidden> +44 7879 180015
CISSP, OWASP