On 05/30/2014 02:00 PM, Steve Grubb wrote:
This is a big mistake, IMHO. In theory, this is what should have
happened:
An access decision event should have been named in the 1500 block. It would
then be free to include the fields it needs in the order it needs them. The ausearch
would get a function parse_aa_decision. That function would stuff a struct
specially tuned for AA usage. Aureport would gain a new report.
The very original AA submission logged everything from the kernel using AUDIT_AA which was
defined in the submission as:
+#define AUDIT_AA 1500 /* AppArmor audit */
I'm not sure when the change was made to call common_lsm_audit(), which logs as
AUDIT_AVC. I agree with Steve; it doesn't seem like a good idea.
tony
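An added illustration of the point being argued (example code, not from the thread, the kernel or audit-userspace): a small dispatcher in the style of ausearch that routes records by numeric type. Records sharing type=AVC can only be told apart by sniffing the body for apparmor= (AppArmor) versus avc: (SELinux), whereas a record carrying its own type number (1500 from the quoted submission, which ausearch would print as UNKNOWN[1500] until a name is registered) goes straight to a parse_aa_decision routine. AUDIT_AVC=1400 is the kernel's value; the sample records, field selection and function names are constructed for the example.

```python
import re
# AUDIT_AVC (1400) is the kernel's value, shared today by SELinux and AppArmor;
# AUDIT_AA (1500) is the value from the original AppArmor submission quoted above.
AUDIT_AVC = 1400
AUDIT_AA = 1500

HEADER = re.compile(r'^type=(?P<type>\S+) msg=audit\([\d.]+:\d+\): (?P<body>.*)$')
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def type_number(name):
    """Printed type name -> number; ausearch shows unnamed types as UNKNOWN[n]."""
    m = re.fullmatch(r'UNKNOWN\[(\d+)\]', name)
    return int(m.group(1)) if m else {"AVC": AUDIT_AVC}.get(name)

def parse_fields(body):
    return {k: v.strip('"') for k, v in KV.findall(body)}

def parse_aa_decision(body):
    """Dedicated AppArmor parser: a fixed set of fields, no guessing about the LSM."""
    f = parse_fields(body)
    return {"lsm": "apparmor", "decision": f.get("apparmor"), "operation": f.get("operation"),
            "profile": f.get("profile"), "name": f.get("name"), "denied": f.get("denied_mask")}

def parse_avc(body):
    """Shared AUDIT_AVC path: must sniff the body to tell AppArmor from SELinux."""
    if "apparmor=" in body:
        return parse_aa_decision(body)
    m = re.search(r'avc:\s+(\w+)\s+\{ ([^}]*) \}', body)
    f = parse_fields(body)
    return {"lsm": "selinux", "decision": m.group(1) if m else None,
            "perms": m.group(2).split() if m else [], "tclass": f.get("tclass")}

def parse_record(line):
    """Route one audit line to a parser by its numeric type, as ausearch would."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("not an audit record: %r" % line)
    t, body = type_number(m.group("type")), m.group("body")
    if t == AUDIT_AA:
        return parse_aa_decision(body)
    if t == AUDIT_AVC:
        return parse_avc(body)
    return {"lsm": None, "type": t, **parse_fields(body)}

SAMPLE = [  # constructed records, not captured from a system
    'type=AVC msg=audit(1401458400.123:456): apparmor="DENIED" operation="open" profile="/usr/sbin/foo" name="/etc/shadow" pid=1234 comm="foo" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'type=AVC msg=audit(1401458401.456:457): avc:  denied  { read } for  pid=1235 comm="bar" name="shadow" dev="sda1" ino=4242 scontext=system_u:system_r:bar_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file',
    'type=UNKNOWN[1500] msg=audit(1401458402.789:458): apparmor="ALLOWED" operation="exec" profile="/usr/sbin/foo" name="/bin/sh" pid=1236 comm="foo"',
]
```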