[Added Eric to cc]
On 2014-06-06 13:46:48, Tyler Hicks wrote:
On 2014-05-30 17:00:04, Steve Grubb wrote:
> On Friday, May 30, 2014 10:16:44 PM Tyler Hicks wrote:
> > On 2014-05-30 15:53:49, Steve Grubb wrote:
> > > On Wednesday, May 28, 2014 03:33:06 PM Tony Jones wrote:
> > > > This patch came from our L3 department. AppArmor LSM is logging using the
> > > > common_lsm_audit() call but the audit userspace parsing code expects to see
> > > > an SELinux tclass field. This patch doesn't address the lack of support for
> > > > AppArmor in "aureport --avc". Talking to Seth Arnold, Canonical apparently
> > > > has patches for this; if this is true perhaps they can post for
> > > > inclusion.
> > > >
> > > > Based-on-work-by: William Preston <wpreston(a)suse.com>
> > > > Signed-off-by: Tony Jones <tonyj(a)suse.de>
> > >
> > > I was looking at this patch and was wondering something. Does AppArmor
> > > produce AUDIT_AVC events?
> >
> > It does. Here's an odd ball that I picked out of my audit log:
>
> Uh-oh. I gave out the 1500 - 1599 block of events to App Armor so that this
> problem would never happen.
>
> libaudit.h:
> #define AUDIT_FIRST_SELINUX 1400
> #define AUDIT_LAST_SELINUX 1499
> #define AUDIT_FIRST_APPARMOR 1500
> #define AUDIT_LAST_APPARMOR 1599
I wasn't involved with AppArmor when it was going through upstream
acceptance reviews, but I've asked around to get the history.
As Tony mentioned, AppArmor was originally using the 1500-1599 block. At
some point (I couldn't find it in the list archives), it was said that
AppArmor needs to use common_lsm_audit() which unconditionally uses
AUDIT_AVC.
I found the review that caused AppArmor to switch to the common LSM
audit function:
https://lkml.org/lkml/2009/11/9/232
That email is almost 5 years old and minds can change over that time,
but Eric seemed to be against adding new audit event types for each LSM.
Instead, he wanted a lsm=<LSM> pair to be included in the message.
AppArmor can accommodate either approach so I think Steve and Eric ought
to come to an agreement on what non-SELinux LSMs should do when
auditing.
Tyler
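As an added illustration of the parsing problem the thread describes (this is example code, not part of the original thread or of the audit userspace), the following Python resolves which LSM produced an audit record in the two ways discussed: by the numeric type block (1400-1499 SELinux, 1500-1599 AppArmor, from the libaudit.h values quoted above) or by an explicit lsm=<LSM> pair in the message, and it tolerates an AUDIT_AVC record that has no tclass field. The log lines are constructed samples; the APPARMOR_DENIED type name and its number 1503 are assumptions used only to show a record living in the 1500-1599 block, and the fallback of recognising an AppArmor record by its apparmor= key is a heuristic, not something the thread specifies.

```python
import re

# Values from libaudit.h / linux/audit.h as quoted in the thread.
AUDIT_AVC = 1400                 # common_lsm_audit() unconditionally uses this type
AUDIT_FIRST_SELINUX = 1400
AUDIT_LAST_SELINUX = 1499
AUDIT_FIRST_APPARMOR = 1500
AUDIT_LAST_APPARMOR = 1599

# Symbolic type name -> number. "AVC" is the real name for AUDIT_AVC;
# "APPARMOR_DENIED" = 1503 is an assumption used only for illustration.
TYPE_NUMBERS = {"AVC": AUDIT_AVC, "APPARMOR_DENIED": 1503}

# key=value or key="quoted value"; free text such as 'avc:  denied  { read } for'
# carries no '=' and is skipped.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into a dict of key -> value (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def lsm_of(fields):
    """Return 'selinux', 'apparmor' or 'unknown' for a parsed record.

    Order of preference mirrors the two proposals in the thread:
    1. an explicit lsm=<LSM> pair, if the kernel emitted one;
    2. the per-LSM numeric type block (1500-1599 for AppArmor);
    3. for a bare AUDIT_AVC record, field heuristics (assumption: an
       apparmor= key marks AppArmor, a tclass= key marks SELinux).
    """
    if "lsm" in fields:
        return fields["lsm"].lower()
    num = TYPE_NUMBERS.get(fields.get("type"))
    if num is not None and AUDIT_FIRST_APPARMOR <= num <= AUDIT_LAST_APPARMOR:
        return "apparmor"
    if num == AUDIT_AVC:
        if "apparmor" in fields:
            return "apparmor"
        if "tclass" in fields:
            return "selinux"
    return "unknown"


def summarize(log_text):
    """Classify every record; never assume tclass is present."""
    out = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_record(line)
        lsm = lsm_of(f)
        out.append({
            "msg": f.get("msg"),
            "lsm": lsm,
            "tclass": f.get("tclass"),            # None for AppArmor records
            "subject": f.get("profile") if lsm == "apparmor" else f.get("scontext"),
            "pid": f.get("pid"),
        })
    return out


# Constructed sample records (not taken from a real system):
# 1. SELinux AVC with tclass; 2. AppArmor via common_lsm_audit() (type=AVC, no
# tclass); 3. the same with an lsm= pair; 4. a record in the 1500-1599 block.
SAMPLE_LOG = """\
type=AVC msg=audit(1401968794.512:101): avc:  denied  { read } for  pid=1234 comm="cat" name="shadow" dev="sda1" ino=42 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1401968795.001:102): apparmor="DENIED" operation="open" profile="/usr/bin/example" name="/etc/shadow" pid=1235 comm="example" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1401968796.333:103): lsm="apparmor" apparmor="DENIED" operation="open" profile="/usr/bin/example" name="/etc/shadow" pid=1236 comm="example" denied_mask="r"
type=APPARMOR_DENIED msg=audit(1401968797.777:104): apparmor="DENIED" operation="open" profile="/usr/bin/example" name="/etc/shadow" pid=1237 comm="example" denied_mask="r"
"""

if __name__ == "__main__":
    for rec in summarize(SAMPLE_LOG):
        print(rec)
```

The point of the example is the second sample line: a parser that insists on tclass, as the thread says the audit userspace does, would mis-handle a record that is otherwise well-formed, whereas keying off either the type block or an lsm= pair works for both LSMs.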