On 2017.10.05 22:14, John Johansen wrote:
The ordering of apparmor rules with respect to other kernel messages can also be slightly out of expected order if you are using rsyslog etc instead of auditd, because the apparmor messages go through the audit subsystem and its messaging can get reordered some vs. the rest of the regular kernel printk stream.
These lines where from /var/log/audit/audit.log.
Also of note is we are trying once again to get apparmor moved away from audit type 1400 (AVC) which will make it easier to use the audit tools with apparmor messages
Yeah, this feature is really anticipated. -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor