Comment 18 for bug 340183

Dariusz Suchojad (dsuch) wrote :

>> 2.3+1289-0ubuntu4.11.7.4-1 | 1.7.4-1 | yes |
> Can you tell me where the above apparmor version came
> from? I don't see it on the list of published packages at
> https://launchpad.net/ubuntu/+source/apparmor .

Err.. it's my fault, it should've been 2.3+1289-0ubuntu4.1; 1.7.4-1 came from the
auditd version.

> Can you make sure you're updating libapparmor1 at the same time?

Here's the dpkg -l output:

dsuch@xerxes:~$ dpkg -l "*apparmor*" auditd libaudit0
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Cfg-files/Unpacked/Failed-cfg/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name                              Version                           Description
+++-=================================-=================================-==================================================================================
ii  apparmor                          2.3+1289-0ubuntu4.2~ppa1          User-space parser utility for AppArmor
un  apparmor-docs                     <none>                            (no description available)
un  apparmor-parser                   <none>                            (no description available)
un  apparmor-profiles                 <none>                            (no description available)
ii  apparmor-utils                    2.3+1289-0ubuntu4.2~ppa1          Utilities for controlling AppArmor
rc  auditd                            1.7.4-1                           User space tools for security auditing
ii  libapparmor-perl                  2.3+1289-0ubuntu4.2~ppa1          AppArmor library Perl bindings
ii  libapparmor1                      2.3+1289-0ubuntu4.2~ppa1          changehat AppArmor library
rc  libaudit0                         1.7.4-1                           Dynamic library for security auditing
dsuch@xerxes:~$

> You should see something like
> Mar 14 11:13:56 jj-amd64 ubuntu: GenProf:
> 4995bc33fda53c4f5f9b324c2ccff407
> in /var/log/messages, at least when auditd is not running.

Yes, I can see it now. See the attached 2.3+1289-0ubuntu4.2~ppa1_var_log_messages.txt file
with events from /var/log/messages.

> Ah, I see one additional problem, if /var/log/audit/audit.log exists,
> even if auditd is not running, genprof won't write the marker. And
> of course, /var/log/audit/audit.log is not removed when the auditd
> package is uninstalled. Hrm.

The precedence is defined in /etc/apparmor/logprof.conf, right?

Anyway, after removing /var/log/audit/audit.log it still doesn't work.
Sorry to say it, but it seems like nothing has changed.

Can you attach a sample of /var/log/messages where it does work? Perhaps there's still something different elsewhere?