On 06/28/2013 02:14 PM, azurIt wrote:
>>> Hi,
>>>
>>> I'm having problems with audit rule modifier - it's just not working when 
>>> used alone. I'm trying to enable only logging with this:
>>> audit /home/** a,
>>> audit /home/** w,
>> By only logging you mean logging of an access but not granting permission?
> 
> 
> I mean logging of an access AND granting permission.
> 
ok, I just wanted to be sure as we have had misunderstandings before around 
audit, with people expecting it to only change the auditing behavior and not 
grant permissions.

i.e. audit /** w,

as a rule to catch any writes regardless of what other rules are. It would be a 
nice ability to have but the language doesn't allow specifying only the audit 
behavior like this atm.

> 
>>
>>>
>>> It should work according to documentation ( 
>>> http://wiki.apparmor.net/index.php/QuickProfileLanguage#Rule_Modifiers ) 
>>> but it's doing nothing. I was able to enable logging only with this running 
>>> in complain mode:
>>> audit deny /home/**/*.php a,
>>> audit deny /home/**/*.php w,
>>>
>> These two rules were necessary to get logging in complain mode?
> 
> 
> Well, I just read in docs that 'w' implies also 'a', so only the second line 
> is necessary. But yes, I had to use 'audit deny' for logging to work (and, as 
> I want to NOT deny the action, I had to use complain mode).
> 
Okay

> 
>>> Audit alone is not working. Is this a known bug? Thanks.
>>>
>> It is not known.
>>
>> Can you send us the full profile you are using?
> 
> 
> Here is the complete profile (I already removed that 'a' line and tested it):
> 
> /usr/lib/apache2/mpm-itk/apache2 {
>         network,
>         capability,
>         file,
>         audit deny /home/**/*.php w,
> }
> 
> 
> As I said, I'm running this in complain mode because I don't want to deny the 
> action on last line. I want to use apparmor only for logging access to files 
> via PHP (I will be processing that log later).
> 
Can you please provide the following information to help us diagnose the 
problem.

Kernel version: use the command     uname -a
Parser version: use the command     apparmor_parser -v
State dump from the compiler:  use the command
  apparmor_parser -D dfa-states -QT profile_file 2>states_file

Compiled output of your profile: use either of the following commands
  apparmor_parser -S profile_file  > output_file
  apparmor_parser -o output_file profile_file

* the -o version may not work on older parsers.
* profile_name is the file name where your profile is stored
* states_file and out_file are just files that the output will be dumped in, so 
that you can attach them

thanks



-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
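
An added example, not part of the original message or of AppArmor's own code: a small Python filter for the later log-processing step mentioned in the thread, pulling write events on PHP files under /home out of AppArmor audit records. The sample records are constructed, and the record layout, the `apparmor="ALLOWED"` / `"AUDIT"` values and the hex-encoded `name` field are assumptions based on the usual kernel audit message format.

```python
import re
from collections import Counter

PROFILE = "/usr/lib/apache2/mpm-itk/apache2"    # profile name from the thread
TARGET = re.compile(r"^/home/.+/[^/]*\.php$")   # approximates /home/**/*.php
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX = re.compile(r"(?:[0-9A-Fa-f]{2})+")

# Constructed sample records (not from the thread). The field layout is an
# assumption: the usual AppArmor kernel audit message.
_HEXNAME = "/home/bob/www/my file.php".encode().hex().upper()
_OP = f'operation="open" profile="{PROFILE}"'
SAMPLE_LOG = "\n".join([
    f'type=AVC msg=audit(1372421640.101:201): apparmor="ALLOWED" {_OP} name="/home/alice/www/index.php" pid=4101 comm="apache2" requested_mask="w" denied_mask="w" fsuid=1001 ouid=1001',
    f'type=AVC msg=audit(1372421641.202:202): apparmor="AUDIT" {_OP} name={_HEXNAME} pid=4102 comm="apache2" requested_mask="wc" fsuid=1002 ouid=1002',
    f'type=AVC msg=audit(1372421642.303:203): apparmor="ALLOWED" {_OP} name="/home/alice/www/index.php" pid=4103 comm="apache2" requested_mask="r" denied_mask="r" fsuid=1001 ouid=1001',
    'type=AVC msg=audit(1372421643.404:204): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/home/alice/www/x.php" pid=4104 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=1001',
    "Jun 28 14:14:05 host kernel: unrelated line without audit fields",
])

def parse_record(line):
    """Return the key=value fields of one line, or None if it is not AppArmor."""
    fields = {}
    for key, quoted, bare in PAIR.findall(line):
        fields[key] = quoted or bare
        # The audit subsystem writes names containing spaces or control bytes
        # as unquoted hex, so decode those back to a path.
        if key == "name" and bare and HEX.fullmatch(bare):
            fields[key] = bytes.fromhex(bare).decode("utf-8", "replace")
    return fields if "apparmor" in fields else None

def php_writes(log_text, profile=PROFILE):
    """List (verdict, path, fsuid, mask) for write/append events on PHP files."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec.get("profile") != profile:
            continue
        mask = rec.get("requested_mask", "")
        if TARGET.match(rec.get("name", "")) and set(mask) & {"w", "a"}:
            hits.append((rec["apparmor"], rec["name"], rec.get("fsuid"), mask))
    return hits

def writes_per_fsuid(hits):
    """Count matching events per filesystem UID (mpm-itk runs vhosts per user)."""
    return Counter(fsuid for _, _, fsuid, _ in hits)

if __name__ == "__main__":
    for verdict, name, fsuid, mask in php_writes(SAMPLE_LOG):
        print(f"{verdict:8} fsuid={fsuid} mask={mask} {name}")
```
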
