I first looked at the log parsing library under the assumption that it didn't understand these operations. After adding testcases for each message, I confirmed that it does indeed understand them and parses them properly. Looking at SubDomain.pm, however, it does not know about these additional operation types.
Binary package hint: apparmor
While developing a test profile(s) for sshd on lucid using logprof/genprof, the following rejections in dmesg were never processed by the tools:
[ 878.662172] type=1503 audit(128262682 7.320:411) : operation= "truncate" pid=1957 parent=1 profile= "/etc/update- motd.d/ 91-release- upgrade" requested_ mask="w: :" denied_mask="w::" fsuid=0 ouid=0 name="/ var/lib/ update- notifier/ release- upgrade- available" 7.320:412) : operation= "rename_ src" pid=1881 parent=650 profile= "/usr/sbin/ sshd" requested_ mask="r: :" denied_mask="r::" fsuid=0 ouid=0 name="/ var/run/ motd.new" 7.320:413) : operation= "rename_ dest" pid=1881 parent=650 profile= "/usr/sbin/ sshd" requested_ mask="wc: :" denied_mask="wc::" fsuid=0 ouid=0 name="/ var/run/ motd"
[ 878.663410] type=1502 audit(128262682
[ 878.663418] type=1502 audit(128262682
I first looked at the log parsing library under the assumption that it didn't understand these operations. After adding testcases for each message, I confirmed that it does indeed understand them and parses them properly. Looking at SubDomain.pm, however, it does not know about these additional operation types.