Hi Christian,
I'm unable to reproduce this with your log entry and upstream libapparmor's test tool:
$ cat test_multi/testcase_syslog_lp1399027.in
2014-06-09T20:37:28.975070+02:00 geeko kernel: [21028.143765] type=1400 audit(1402339048.973:1421): apparmor="ALLOWED" operation="open" profile="/home/cb/linuxtag/apparmor/scripts/hello" name="/dev/tty" pid=14335 comm="hello" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
$ ./test_multi.multi test_multi/testcase_syslog_lp1399027.in
START
File: testcase_syslog_lp1399027.in
Event type: AA_RECORD_ALLOWED
Audit ID: 1402339048.973:1421
Operation: open
Mask: rw
Denied Mask: rw
fsuid: 1000
ouid: 0
Profile: /home/cb/linuxtag/apparmor/scripts/hello
Name: /dev/tty
Command: hello
PID: 14335
Epoch: 1402339048
Audit subid: 1421
which indicates libapparmor was successfully able to parse it.