[pkg-apparmor] Bug#771400: apparmor-utils: aa-logprof/aa-genprof not updating policy

Simon Brandmair sbrandmair at gmx.net
Sun Dec 7 12:25:15 UTC 2014


On 12/07/2014 10:45 AM, intrigeri wrote:
> Christian Boltz wrote (06 Dec 2014 23:31:39 GMT) :
>> Can you please install and start auditd and try again?
>> (aa-genprof should automatically switch to reading 
>> /var/log/audit/audit.log if it exists)
> 
>> If this works, this bug is a duplicate of upstream 
>> https://bugs.launchpad.net/apparmor/+bug/1399027

It works.

> 
>> If I'm right, please send some _unmodified_ log lines from 
>> /var/log/syslog. We need some samples so that we can fix the support for 
>> the syslog log format.

Log lines from syslog (without auditd running):

#####################
rosa:/etc/apparmor.d# Dec  7 13:18:47 rosa kernel: audit: type=1400
audit(1417954732.762:81): apparmor="STATUS" operation="profile_replace"
name="/home/simi/bin/aa-test" pid=3224 comm="apparmor_parser"
Dec  7 13:18:47 rosa kernel: audit: type=1300 audit(1417954732.762:81):
arch=c000003e syscall=1 success=yes exit=14513 a0=3 a1=2066458 a2=38b1
a3=7fff6b6283c0 items=0 ppid=3222 pid=3224 auid=1000 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=1
comm="apparmor_parser" exe="/sbin/apparmor_parser" key=(null)
Dec  7 13:18:47 rosa kernel: audit: type=1327 audit(1417954732.762:81):
proctitle=2F7362696E2F61707061726D6F725F706172736572002D492F6574632F61707061726D6F722E64002D72
Dec  7 13:18:52 rosa simi: GenProf: 23e5b9591b22fc1eb2dc6c0cb7075efb
rosa:/etc/apparmor.d# Dec  7 13:18:59 rosa kernel: audit: type=1400
audit(1417954745.397:82): apparmor="ALLOWED" operation="open"
profile="/home/simi/bin/aa-test" name="/usr/bin/" pid=3231 comm="ls"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Dec  7 13:18:59 rosa kernel: audit: type=1300 audit(1417954745.397:82):
arch=c000003e syscall=257 success=yes exit=3 a0=ffffffffffffff9c
a1=12dab80 a2=90800 a3=0 items=0 ppid=3230 pid=3231 auid=1000 uid=1000
gid=100 euid=1000 suid=1000 fsuid=1000 egid=100 sgid=100 fsgid=100
tty=pts2 ses=1 comm="ls" exe="/bin/ls" key=(null)
Dec  7 13:18:59 rosa kernel: audit: type=1327 audit(1417954745.397:82):
proctitle=6C73002F7573722F62696E
Dec  7 13:18:59 rosa kernel: audit: type=1400 audit(1417954745.421:83):
apparmor="ALLOWED" operation="open" profile="/home/simi/bin/aa-test"
name="/" pid=3232 comm="ls" requested_mask="r" denied_mask="r"
fsuid=1000 ouid=0
Dec  7 13:18:59 rosa kernel: audit: type=1300 audit(1417954745.421:83):
arch=c000003e syscall=257 success=yes exit=3 a0=ffffffffffffff9c
a1=9c3b80 a2=90800 a3=0 items=0 ppid=3230 pid=3232 auid=1000 uid=1000
gid=100 euid=1000 suid=1000 fsuid=1000 egid=100 sgid=100 fsgid=100
tty=pts2 ses=1 comm="ls" exe="/bin/ls" key=(null)
Dec  7 13:18:59 rosa kernel: audit: type=1327 audit(1417954745.421:83):
proctitle=6C73002F
Dec  7 13:19:12 rosa simi: GenProf: ba43daa5a1dc19cf93ef5ece7eacf617
Dec  7 13:19:08 rosa kernel: audit: type=1400 audit(1417954754.181:84):
apparmor="STATUS" operation="profile_replace"
name="/home/simi/bin/aa-test" pid=3240 comm="apparmor_parser"
Dec  7 13:19:08 rosa kernel: audit: type=1300 audit(1417954754.181:84):
arch=c000003e syscall=1 success=yes exit=14513 a0=3 a1=25fd458 a2=38b1
a3=7fffa7d58240 items=0 ppid=3238 pid=3240 auid=1000 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=1
comm="apparmor_parser" exe="/sbin/apparmor_parser" key=(null)
Dec  7 13:19:08 rosa kernel: audit: type=1327 audit(1417954754.181:84):
proctitle=2F7362696E2F61707061726D6F725F706172736572002D492F6574632F61707061726D6F722E64002D72
#############################

I hope this helps.

Cheers,
Simon
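An added example, not part of the original mail and not AppArmor's own parser: one way to read the syslog-wrapped audit records shown above and pull out the AppArmor events, joined to their command line. The `SAMPLE` lines are records from this message unwrapped to one per line; the function names are hypothetical.

```python
import re

# "<syslog prefix> kernel: audit: type=N audit(epoch:serial): key=value ..."
# search(), not match(), so leading debris such as a pasted shell prompt is skipped.
RECORD = re.compile(r'kernel: audit: type=(\d+) audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_proctitle(hexstr):
    """An unquoted proctitle is hex-encoded argv with NUL separators."""
    return bytes.fromhex(hexstr).replace(b'\x00', b' ').decode('utf-8', 'replace')

def parse_record(line):
    """Return (type, serial, fields) for a syslog-wrapped audit record, else None."""
    m = RECORD.search(line)
    if m is None:
        return None
    rtype, _epoch, serial, body = m.groups()
    fields = {}
    for key, val in FIELD.findall(body):
        if key == 'proctitle' and not val.startswith('"'):
            val = decode_proctitle(val)
        fields[key] = val.strip('"')
    return int(rtype), int(serial), fields

def apparmor_events(lines, mode='ALLOWED'):
    """Collect type=1400 records with apparmor=<mode>, joined to type=1327 by serial."""
    events, cmdlines = [], {}
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue  # non-audit lines, e.g. the "GenProf: ..." markers
        rtype, serial, f = rec
        if rtype == 1327 and 'proctitle' in f:
            cmdlines[serial] = f['proctitle']
        elif rtype == 1400 and f.get('apparmor') == mode:
            events.append({'serial': serial, 'profile': f.get('profile'),
                           'operation': f.get('operation'), 'name': f.get('name'),
                           'denied_mask': f.get('denied_mask')})
    for e in events:
        e['cmdline'] = cmdlines.get(e['serial'])
    return events

# Records from the message above, unwrapped to one per line.
SAMPLE = [
    'rosa:/etc/apparmor.d# Dec  7 13:18:59 rosa kernel: audit: type=1400 audit(1417954745.397:82): apparmor="ALLOWED" operation="open" profile="/home/simi/bin/aa-test" name="/usr/bin/" pid=3231 comm="ls" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    'Dec  7 13:18:59 rosa kernel: audit: type=1327 audit(1417954745.397:82): proctitle=6C73002F7573722F62696E',
    'Dec  7 13:19:12 rosa simi: GenProf: ba43daa5a1dc19cf93ef5ece7eacf617',
    'Dec  7 13:19:08 rosa kernel: audit: type=1400 audit(1417954754.181:84): apparmor="STATUS" operation="profile_replace" name="/home/simi/bin/aa-test" pid=3240 comm="apparmor_parser"',
]
```

Serial numbers restart with the audit subsystem, so a parser run over logs spanning several boots should key the join on the full `epoch:serial` pair rather than the serial alone.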


