On 05/29/2014 01:31 AM, Tyler Hicks wrote:
> I'm surprised that this patch makes ausearch work correctly for AppArmor
> AVC events. The first thing that parse_avc() does is look for the
> "avc: " term in the AVCs that SELinux generates. AppArmor's AVCs don't
> include that string, so an.avc_result and an.avc_perm would not be set,
> would they?
That patch does "work" (tested w/ svn trunk). After I read your comment, I
looked at the code and was also confused, as 'avc_result == AVC_UNSET', but
find_avc(), which checks against UNSET, isn't being called; rather, the record gets
selected for output by 'n = list_get_cur(l)' [ausearch-match.c:113]. I would
need to spend more time to fully understand what is happening in the code.
$ cat log
type=AVC msg=audit(1390876383.602:15646): apparmor="DENIED" operation="open" parent=21147 profile="/tmp/ls" name="/var/log/audit/" pid=21598 comm="ls" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1390936201.188:15647): apparmor="ALLOWED" operation="file_lock" parent=7873 profile="/usr/sbin/sshd" name="/tmp/pam_krb5_tmp_FqhNDa" pid=7875 comm="sshd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
$ /tmp/audit/sbin/ausearch -m AVC -if ./log
----
time->Mon Jan 27 18:33:03 2014
type=AVC msg=audit(1390876383.602:15646): apparmor="DENIED" operation="open" parent=21147 profile="/tmp/ls" name="/var/log/audit/" pid=21598 comm="ls" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
----
time->Tue Jan 28 11:10:01 2014
type=AVC msg=audit(1390936201.188:15647): apparmor="ALLOWED" operation="file_lock" parent=7873 profile="/usr/sbin/sshd" name="/tmp/pam_krb5_tmp_FqhNDa" pid=7875 comm="sshd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
Without the patch, ausearch just outputs "<no matches>".
tony
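The point raised in this exchange is that `type=AVC` records come in two shapes: the SELinux form, whose body starts with `avc:  denied  { perms }`, and the AppArmor form, which is a plain `key="value"` list with `apparmor="DENIED"` and `denied_mask=`. A search that matches only on `type=` selects both (which is what the transcript above shows), but decoding the result and permissions needs a per-flavor parser. The following is an added example illustrating that distinction; it is not code from audit-userspace, does not reproduce ausearch's internals, and uses constructed sample records (the two AppArmor records from the thread re-joined onto single lines, plus an SELinux AVC and a SYSCALL record written for contrast).

```python
import re

# Constructed sample log: two AppArmor AVCs taken from the thread above,
# one SELinux-style AVC and one SYSCALL record added here for contrast.
SAMPLE_LOG = """\
type=AVC msg=audit(1390876383.602:15646): apparmor="DENIED" operation="open" parent=21147 profile="/tmp/ls" name="/var/log/audit/" pid=21598 comm="ls" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1390936201.188:15647): apparmor="ALLOWED" operation="file_lock" parent=7873 profile="/usr/sbin/sshd" name="/tmp/pam_krb5_tmp_FqhNDa" pid=7875 comm="sshd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
type=AVC msg=audit(1390936300.000:15648): avc:  denied  { read } for  pid=1234 comm="cat" name="shadow" dev="sda1" ino=42 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1390936300.000:15648): arch=c000003e syscall=2 success=no exit=-13 pid=1234 comm="cat"
"""

# Common record header: type=<T> msg=audit(<secs>.<ms>:<serial>): <body>
HEADER_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
# SELinux AVC body: "avc:  denied  { read write } for ..."
SELINUX_RE = re.compile(r'^avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}')
# Generic key=value / key="value" fields (AppArmor AVCs are entirely this form)
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_record(line):
    """Decode one audit record into a dict, or None if it is not an audit record.

    For type=AVC the 'flavor', 'result' and 'perms' keys are filled from the
    SELinux "avc: " prefix or from AppArmor's apparmor=/denied_mask= fields;
    any other record type leaves them unset, mirroring the UNSET state the
    thread discusses.
    """
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    body = m['body']
    fields = {k: (q if v.startswith('"') else v) for k, v, q in KV_RE.findall(body)}
    rec = {
        'type': m['type'],
        'timestamp': float(m['ts']),
        'serial': int(m['serial']),
        'fields': fields,
        'flavor': None,   # 'selinux' or 'apparmor' once decoded
        'result': None,   # 'denied' or 'granted'
        'perms': [],      # SELinux permission names or AppArmor mask letters
    }
    if rec['type'] != 'AVC':
        return rec
    sel = SELINUX_RE.match(body)
    if sel:
        rec['flavor'] = 'selinux'
        rec['result'] = sel['result']
        rec['perms'] = sel['perms'].split()
    elif 'apparmor' in fields:
        rec['flavor'] = 'apparmor'
        # AppArmor's ALLOWED means complain mode: the access went through but
        # would have been denied in enforce mode, so it is not a real denial.
        rec['result'] = 'denied' if fields['apparmor'] == 'DENIED' else 'granted'
        mask = fields.get('denied_mask') or fields.get('requested_mask') or ''
        rec['perms'] = list(mask)
    return rec


def search(log, msgtype='AVC', result=None):
    """Select records by type (what matching on the type alone gives you) and,
    optionally, by decoded result, which only works once both AVC flavors parse."""
    selected = []
    for line in log.splitlines():
        rec = parse_record(line)
        if rec is None or rec['type'] != msgtype:
            continue
        if result is not None and rec['result'] != result:
            continue
        selected.append(rec)
    return selected


if __name__ == '__main__':
    for r in search(SAMPLE_LOG):
        print(r['serial'], r['flavor'], r['result'], r['perms'])
```

Run as-is it lists the three `type=AVC` records with their decoded flavor; calling `search(SAMPLE_LOG, result='denied')` drops the AppArmor complain-mode record, which a type-only match would have kept.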