On 1/2/24 05:51, Jarkko Toivonen wrote:
Any news on this? It has been open for over ten years now. AppArmor is on by default on Ubuntu, and if auditd is used, then the events are logged using it. Isn't it a security bug if the events don't show up when queried using ausearch?
Yes it can be considered a security bug, but the messages are available and can be found, so the priority has been lower than other work. The issue isn't entirely straight forward, and there was work towards fixing this a few years ago, but it didn't go any where. The issue itself was introduced when apparmor was switched over from an audit ID of 1500 to 1400 which is the AVC message out of the common LSM audit infrastructure. I would love for this to be fixed, but I haven't been able to get to it, and no one else has either. It is not something that I will be able to get to soon either, but I will make an effort to review patches if they show up.