Actually AUDIT events need to be skipped by aa-logprof - they are already known to the profile, so there's no reason to ask about them.
Thanks for the log lines - I'm able to reproduce the problem with them.
The real problem was a typo - the code uses "AUDIT" everywhere, except at one place that accidently contained "AUDITING".
The following patch fixes it:
=== modified file 'utils/apparmor/logparser.py' --- utils/apparmor/logparser.py 2014-08-18 19:01:38 +0000 +++ utils/apparmor/logparser.py 2014-08-20 11:26:09 +0000 @@ -151,7 +151,7 @@ # Convert aamode values to their counter-parts mode_convertor = {0: 'UNKNOWN', 1: 'ERROR', - 2: 'AUDITING', + 2: 'AUDIT', 3: 'PERMITTING', 4: 'REJECTING', 5: 'HINT',
Actually AUDIT events need to be skipped by aa-logprof - they are already known to the profile, so there's no reason to ask about them.
Thanks for the log lines - I'm able to reproduce the problem with them.
The real problem was a typo - the code uses "AUDIT" everywhere, except at one place that accidently contained "AUDITING".
The following patch fixes it:
=== modified file 'utils/ apparmor/ logparser. py' logparser. py 2014-08-18 19:01:38 +0000 logparser. py 2014-08-20 11:26:09 +0000
mode_ convertor = {0: 'UNKNOWN',
1: 'ERROR',
3: 'PERMITTING',
4: 'REJECTING',
5: 'HINT',
--- utils/apparmor/
+++ utils/apparmor/
@@ -151,7 +151,7 @@
# Convert aamode values to their counter-parts
- 2: 'AUDITING',
+ 2: 'AUDIT',