On 12/07/2014 10:45 AM, intrigeri wrote:
> Christian Boltz wrote (06 Dec 2014 23:31:39 GMT) :
>> Can you please install and start auditd and try again?
>> (aa-genprof should automatically switch to reading
>> /var/log/audit/audit.log if it exists)
>
>> If this works, this bug is a duplicate of upstream
>> https://bugs.launchpad.net/apparmor/+bug/1399027

It works.

>> If I'm right, please send some _unmodified_ log lines from
>> /var/log/syslog. We need some samples so that we can fix the support for
>> the syslog log format.

Log lines from syslog (without auditd running):

#####################
rosa:/etc/apparmor.d# Dec 7 13:18:47 rosa kernel: audit: type=1400 audit(1417954732.762:81): apparmor="STATUS" operation="profile_replace" name="/home/simi/bin/aa-test" pid=3224 comm="apparmor_parser"
Dec 7 13:18:47 rosa kernel: audit: type=1300 audit(1417954732.762:81): arch=c000003e syscall=1 success=yes exit=14513 a0=3 a1=2066458 a2=38b1 a3=7fff6b6283c0 items=0 ppid=3222 pid=3224 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=1 comm="apparmor_parser" exe="/sbin/apparmor_parser" key=(null)
Dec 7 13:18:47 rosa kernel: audit: type=1327 audit(1417954732.762:81): proctitle=2F7362696E2F61707061726D6F725F706172736572002D492F6574632F61707061726D6F722E64002D72
Dec 7 13:18:52 rosa simi: GenProf: 23e5b9591b22fc1eb2dc6c0cb7075efb
rosa:/etc/apparmor.d# Dec 7 13:18:59 rosa kernel: audit: type=1400 audit(1417954745.397:82): apparmor="ALLOWED" operation="open" profile="/home/simi/bin/aa-test" name="/usr/bin/" pid=3231 comm="ls" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Dec 7 13:18:59 rosa kernel: audit: type=1300 audit(1417954745.397:82): arch=c000003e syscall=257 success=yes exit=3 a0=ffffffffffffff9c a1=12dab80 a2=90800 a3=0 items=0 ppid=3230 pid=3231 auid=1000 uid=1000 gid=100 euid=1000 suid=1000 fsuid=1000 egid=100 sgid=100 fsgid=100 tty=pts2 ses=1 comm="ls" exe="/bin/ls" key=(null)
Dec 7 13:18:59 rosa kernel: audit: type=1327 audit(1417954745.397:82): proctitle=6C73002F7573722F62696E
Dec 7 13:18:59 rosa kernel: audit: type=1400 audit(1417954745.421:83): apparmor="ALLOWED" operation="open" profile="/home/simi/bin/aa-test" name="/" pid=3232 comm="ls" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Dec 7 13:18:59 rosa kernel: audit: type=1300 audit(1417954745.421:83): arch=c000003e syscall=257 success=yes exit=3 a0=ffffffffffffff9c a1=9c3b80 a2=90800 a3=0 items=0 ppid=3230 pid=3232 auid=1000 uid=1000 gid=100 euid=1000 suid=1000 fsuid=1000 egid=100 sgid=100 fsgid=100 tty=pts2 ses=1 comm="ls" exe="/bin/ls" key=(null)
Dec 7 13:18:59 rosa kernel: audit: type=1327 audit(1417954745.421:83): proctitle=6C73002F
Dec 7 13:19:12 rosa simi: GenProf: ba43daa5a1dc19cf93ef5ece7eacf617
Dec 7 13:19:08 rosa kernel: audit: type=1400 audit(1417954754.181:84): apparmor="STATUS" operation="profile_replace" name="/home/simi/bin/aa-test" pid=3240 comm="apparmor_parser"
Dec 7 13:19:08 rosa kernel: audit: type=1300 audit(1417954754.181:84): arch=c000003e syscall=1 success=yes exit=14513 a0=3 a1=25fd458 a2=38b1 a3=7fffa7d58240 items=0 ppid=3238 pid=3240 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=1 comm="apparmor_parser" exe="/sbin/apparmor_parser" key=(null)
Dec 7 13:19:08 rosa kernel: audit: type=1327 audit(1417954754.181:84): proctitle=2F7362696E2F61707061726D6F725F706172736572002D492F6574632F61707061726D6F722E64002D72
#############################

I hope this helps.

Cheers,
Simon
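
An added example, not part of the original message and not AppArmor's own log parser: a parser that accepts both the syslog-wrapped kernel lines reported above and the auditd `audit.log` form, then merges records that share an `audit(epoch:serial)` id. The function names and the auditd-format sample line are assumptions made for illustration.

```python
import re

# Optional syslog prefix ("Dec 7 13:18:59 rosa kernel: audit: "), then the
# record header shared with auditd's audit.log ("type=AVC msg=audit(...)").
RECORD = re.compile(
    r'^(?:\w{3}\s+\d+ [\d:]{8} (?P<host>\S+) kernel: (?:\[[\s\d.]+\] )?audit: )?'
    r'type=(?P<type>\w+) (?:msg=)?audit\((?P<epoch>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Return (event_id, source, fields) for one audit record, else None."""
    m = RECORD.match(line.strip())
    if m is None:
        return None
    fields = {}
    for key, quoted, bare in FIELD.findall(m["body"]):
        if key == "proctitle" and bare:  # unquoted: hex-encoded, NUL-separated argv
            try:
                fields["argv"] = bytes.fromhex(bare).decode(errors="replace").split("\0")
            except ValueError:
                fields[key] = bare
        else:
            fields[key] = bare or quoted
    return (m["epoch"], int(m["serial"])), "syslog" if m["host"] else "auditd", fields


def apparmor_events(lines):
    """Merge records sharing an audit(epoch:serial) id; keep AppArmor events."""
    events = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # non-audit lines, such as the GenProf markers, are skipped
        event_id, source, fields = parsed
        event = events.setdefault(event_id, {"source": source})
        if "apparmor" in fields or "argv" in fields:
            event.update(fields)  # SYSCALL (type=1300) details are left out here
    return [e for e in events.values() if "apparmor" in e]


SAMPLE = [  # first two lines are from the report above; the third is constructed
    'Dec 7 13:18:59 rosa kernel: audit: type=1400 audit(1417954745.397:82): apparmor="ALLOWED" operation="open" profile="/home/simi/bin/aa-test" name="/usr/bin/" pid=3231 comm="ls" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    'Dec 7 13:18:59 rosa kernel: audit: type=1327 audit(1417954745.397:82): proctitle=6C73002F7573722F62696E',
    'type=AVC msg=audit(1417954745.421:83): apparmor="ALLOWED" operation="open" profile="/home/simi/bin/aa-test" name="/" pid=3232 comm="ls" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
]

if __name__ == "__main__":
    for event in apparmor_events(SAMPLE):
        print(event["source"], event["operation"], event["name"], event.get("argv"))
```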