When apparmor logs events with audit type AVC, the logs cannot be found by usual audit tools because the entry is malformed, as stated in this auditd bug report: https://github.com/linux-audit/audit-userspace/issues/351#issuecomment-1932211875
To quote the maintainer:

> If they are going to emit an access decision as an AVC, it has to exactly
> follow the format of an SE Linux AVC. The AppArmor kernel developers were
> given the AUDIT type block from 1500 to 1599 a long time ago so that they can
> format their events any way they wish. The AVC they are using is type number
> 1400. They should really define AUDIT_AA_DECISION 1500 (or whatever makes
> sense to AppArmor) and then use that.

It took me a few days to figure this one out and that didn't make apparmor easier to debug. If there is anything in regards to testing I can help with to solve this bug, please let me know.
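Until the record type changes, AppArmor decisions can still be pulled from the raw log by matching the AVC header and checking whether the body is in AppArmor's key=value form instead of the SELinux `avc:` form. The following is an added example, not code from the bug report or from the audit or AppArmor projects; the sample records are constructed and the function names are hypothetical.

```python
import re

# Constructed sample records (not from the bug report): auditd's audit.log form
# plus one kernel-log line in the "audit: type=1400 audit(...)" form.
SAMPLE_LOG = """\
type=AVC msg=audit(1707300000.101:201): apparmor="DENIED" operation="open" profile="/usr/bin/example" name="/etc/shadow" pid=4242 comm="example" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1707300001.202:202): avc:  denied  { read } for  pid=4300 comm="httpd" name="index.html" dev="sda1" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1707300001.202:202): arch=c000003e syscall=257 success=no exit=-13 pid=4300 comm="httpd"
type=AVC msg=audit(1707300002.303:203): apparmor="ALLOWED" operation="exec" profile="/usr/bin/example" name="/usr/bin/id" pid=4243 comm="example" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Feb  7 10:00:03 host kernel: audit: type=1400 audit(1707300003.404:204): apparmor="DENIED" operation="open" profile="/usr/bin/example" name="/root/.ssh/id_rsa" pid=4244 comm="example" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# Header shared by both forms; 1400 is the numeric value of the AVC record type.
HEADER = re.compile(r'type=(?:AVC|1400) (?:msg=)?audit\((\d+\.\d+):(\d+)\): (.*)')
# key=value pairs; values are either double-quoted or a bare token.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def apparmor_events(text):
    """Return AppArmor records found in AVC-typed audit lines, as dicts."""
    events = []
    for line in text.splitlines():
        m = HEADER.search(line)
        if not m:
            continue                      # not an AVC-typed record
        ts, serial, body = m.groups()
        if not body.startswith('apparmor='):
            continue                      # SELinux-format AVC ("avc:  denied ...")
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        fields.update(timestamp=float(ts), serial=int(serial))
        events.append(fields)
    return events


def denials(events):
    """Keep only the decisions that blocked access."""
    return [e for e in events if e['apparmor'] == 'DENIED']


if __name__ == '__main__':
    for e in denials(apparmor_events(SAMPLE_LOG)):
        print(e['serial'], e['profile'], e['operation'], e.get('name'), e['denied_mask'])
```
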
