Re: [PATCH] userspace: audit: ausearch doesn't return entries for AppArmor events that exist in the log
On 06/03/2014 07:47 AM, Steve Grubb wrote:
Yep. So, the question is really how to fix this. Should we have a
different
function that is swung in with #ifdef WITH_APPARMOR called parse_aa_avc? Then
it can be tuned exactly for AppArmor's needs? Later, the kernel event number
can be changed and the switch/case can pick that up. Also, are there other AA
events that are missing in action? The ausearch-test should tell you.
We'll take the patch (locally) for SLES. Seems to me, since there really isn't
any AppArmor awareness in audit at present that the AppArmor developers
may as well fix the kernel event numbering first, audit userspace after that .... anyhow,
I see no point considering the previous patch for upstreaming.
Thanks
Tony