aa-logprof doesn't parse log events in Linux Mint

Bug #1736542 reported by c0n7r4
Affects: AppArmor | Status: Invalid | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

auditd is running, and when in complain mode, apparmor events are written to /var/log/audit/audit.log, but aa-logprof doesn't recognize any events, and completes without error.

Tags: aa-tools
Christian Boltz (cboltz) wrote :

Please attach your audit.log and the profile you expect to be updated.

tags: added: aa-tools
c0n7r4 (c0n7r4) wrote :

This is a truncated version of my log file, as the original log(s) are several megabytes in size, I think this should be enough. If it's not let me know and I'll post the non-truncated version.

c0n7r4 (c0n7r4) wrote :

Here is the profile for clamd, stock.

I tried setting it to enforce but clamd won't work like that. That's when I tried using aa-logprof to adjust the profile and I noticed it wasn't reading the events.

c0n7r4 (c0n7r4) wrote :

Okay, aa-logprof is logging events in Linux Mint, just not for clamd for some reason. I'll need to spend more time trying to figure out what the real problem is, but I don't think it's a problem with aa-logprof.

c0n7r4 (c0n7r4) wrote :

Okay, I think I've made progress into what's been happening. clamd has really been sending a lot of audit messages to /var/log/audit/audit.log, but nothing has been picked up by aa-logprof. Running aa-enforce on the clamd profile isn't doing anything, and upon closer inspection of the actual profile file, I noticed that there was a " flags=(audit) " that wasn't getting removed, so I manually removed it and restarted apparmor/clamd. Then parts of clamd were throwing errors, but now these are being picked up by aa-logprof, and I can easily correct them. It turns out that the profile was missing "capability sys_admin," and now I believe that it is working as intended.

Seth Arnold (seth-arnold) wrote :

Hello C0n7r4, I believe you're right, this is working as intended:

- aa-logprof does not generate log events; it only consumes them
- The audit log has apparmor="AUDIT" events
- The audit log does not have DENIED or ALLOWED events

Thus there's nothing for aa-logprof to prompt the user about, this log doesn't show anything that looks like an incomplete policy.

Thanks

Changed in apparmor:
status: New → Invalid
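The distinction Seth describes above (AUDIT records versus DENIED/ALLOWED records) is easy to check on your own log before reaching for aa-logprof. The following Python script is an added illustration, not code from the AppArmor project or from anyone in this thread: it parses audit records in the AppArmor `key="value"` format, counts them by `apparmor=` status, and keeps only the DENIED (enforce mode) and ALLOWED (complain mode) records, which are the ones that indicate a gap in policy. It also includes a small helper that reads the `flags=(...)` header of a profile, since the reporter found a leftover `flags=(audit)` was the reason everything was logged as AUDIT. The log lines and profile headers in the script are constructed sample data, not the reporter's attachment.

```python
"""Classify AppArmor audit records by what aa-logprof would act on.

Added illustration, not AppArmor project code. SAMPLE_LOG below is
constructed sample data in the AppArmor audit record format.
"""
import re
from collections import Counter

# Constructed sample records: two AUDIT records (profile in audit mode),
# one STATUS record (profile load), one DENIED and one ALLOWED record.
SAMPLE_LOG = """\
type=AVC msg=audit(1512345678.101:201): apparmor="AUDIT" operation="open" profile="/usr/sbin/clamd" name="/var/lib/clamav/daily.cld" pid=1234 comm="clamd" requested_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1512345678.102:202): apparmor="AUDIT" operation="file_perm" profile="/usr/sbin/clamd" name="/run/clamav/clamd.ctl" pid=1234 comm="clamd" requested_mask="w" fsuid=0 ouid=0
type=AVC msg=audit(1512345678.103:203): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/clamd" pid=999 comm="apparmor_parser"
type=AVC msg=audit(1512345678.104:204): apparmor="DENIED" operation="capable" profile="/usr/sbin/clamd" pid=1234 comm="clamd" capability=21  capname="sys_admin"
type=AVC msg=audit(1512345678.105:205): apparmor="ALLOWED" operation="open" profile="/usr/sbin/clamd" name="/etc/hosts" pid=1234 comm="clamd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# Only these statuses describe an access the loaded policy did not permit
# (DENIED in enforce mode, ALLOWED in complain mode). AUDIT records come
# from audit-flagged profiles or rules and STATUS records from profile
# loads; neither shows an incomplete policy, so aa-logprof has nothing
# to prompt about for them.
ACTIONABLE = {"DENIED", "ALLOWED"}

# key=value pairs; values are either double-quoted or a bare token.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line: str) -> dict:
    """Split one audit line into a dict of fields, quotes stripped."""
    return {key: value.strip('"') for key, value in _KV.findall(line)}


def classify(log_text: str) -> tuple[list[dict], Counter]:
    """Return (actionable records, count of records per apparmor= status)."""
    actionable = []
    by_status = Counter()
    for line in log_text.splitlines():
        record = parse_record(line)
        status = record.get("apparmor")
        if status is None:
            continue  # not an AppArmor record at all
        by_status[status] += 1
        if status in ACTIONABLE:
            actionable.append(record)
    return actionable, by_status


def profile_flags(profile_text: str) -> set[str]:
    """Return the flags set in a profile header, e.g. {'audit'}.

    Helper added for this illustration. aa-enforce only clears the
    'complain' flag, so an 'audit' flag left in the header keeps the
    profile's permitted accesses appearing as AUDIT records.
    """
    match = re.search(r"flags=\(([^)]*)\)", profile_text)
    if not match:
        return set()
    return set(match.group(1).replace(",", " ").split())


if __name__ == "__main__":
    records, counts = classify(SAMPLE_LOG)
    print("records by status:", dict(counts))
    for rec in records:
        target = rec.get("name") or rec.get("capname")
        print(rec["apparmor"], rec["profile"], rec["operation"], target)
    print("flags:", profile_flags("/usr/sbin/clamd flags=(audit) {"))
```

Run against a real audit.log by replacing SAMPLE_LOG with the file's contents: if the status counts show only AUDIT and STATUS entries for the profile you care about, the profile is not being exercised beyond what it already allows, and checking its header for a lingering `audit` flag is the first thing to do.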