ausearch doesn't show AppArmor denial messages
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
AppArmor |
Confirmed
|
Low
|
Unassigned | ||
audit (Ubuntu) |
Confirmed
|
Low
|
Unassigned | ||
linux (Ubuntu) |
Incomplete
|
Undecided
|
Unassigned |
Bug Description
The following command should display all AVC denials:
ausearch -m avc
However, it doesn't work with AppArmor denials. Here's a quick test case to generate a denial, search for it with ausearch, and see that no messages are displayed:
$ aa-exec -p /usr/sbin/tcpdump cat /proc/self/
cat: /proc/self/
$ sudo ausearch -m avc -c cat
<no matches>
ausearch claims that there are no matches, but there's a matching audit message if you look in audit.log:
type=AVC msg=audit(
Changed in audit (Ubuntu): | |
assignee: | nobody → Tyler Hicks (tyhicks) |
tags: | added: apparmor |
Changed in audit (Ubuntu): | |
assignee: | Tyler Hicks (tyhicks) → nobody |
Changed in apparmor: | |
importance: | Undecided → Low |
status: | New → Confirmed |
tags: | added: cscc |
This bug is, I think, currently discussed on the linux-audit mailinglist:
https:/ /www.redhat. com/archives/ linux-audit/ 2014-May/ msg00094. html