Linux Mint is not parsing AppArmor complain log files correctly; I'm not sure why.

A sample from the audit.log file is:

type=AVC msg=audit(1212212212.121:13867): apparmor="AUDIT" operation="open" profile="/usr/bin/testfile" name="/tmp/tempfile/" pid=2686 comm="testfile" requested_mask="r" fsuid=0 ouid=0

In the logparser.py file, it looks like it's getting picked up by the regex, and makes its way all the way to "def parse_event_for_tree(self, e):" where it's stopped just a few lines in at:

    if aamode in ['UNKNOWN', 'AUDIT', 'STATUS', 'ERROR']:
        return None

aa-logprof runs without any fatal exceptions; it just doesn't recognize any events.

--
https://bugs.launchpad.net/bugs/1399027

Title:
  logparser doesn't understand /var/log/messages format

Status in AppArmor:
  Fix Released
Status in apparmor package in Ubuntu:
  Fix Released

Bug description:
  [impact]

  This bug causes tools that use libapparmor to parse syslog and other logs for apparmor rejections to fail to recognize apparmor events.

  [steps to reproduce]

  [regression potential]

  The patch for this issue is confined to the log parsing portion of the libapparmor library. Breakages occurring here would most likely prevent tools that help assist the management of apparmor policy from working; apparmor mediation would not be impacted.

  libapparmor does provide other functionality, mostly around the aa_change_hat(3) and aa_change_profile(3) calls; an entirely broken library could keep applications that make use of these from working correctly; however, there are tests available in the upstream package that get invoked by the lp:qa-regression-testing test-apparmor.py script that ensure these continue to function.

  [original description]

  log parsing (part of libapparmor, used by aa-logprof and aa-genprof) doesn't understand the format in /var/log/messages, which means it doesn't find any events in it.
  IIRC I've seen a similar report for the Ubuntu syslog format on IRC.

  Example log line from openSUSE:

  2014-06-09T20:37:28.975070+02:00 geeko kernel: [21028.143765] type=1400 audit(1402339048.973:1421): apparmor="ALLOWED" operation="open" profile="/home/cb/linuxtag/apparmor/scripts/hello" name="/dev/tty" pid=14335 comm="hello" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0

  (Workaround: use auditd / audit.log)
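
Added example, not part of the bug report and not the libapparmor or logparser.py code: a small Python parser that accepts both sample lines quoted above, with or without the syslog prefix, and then applies the same mode check quoted from parse_event_for_tree. The names parse_line, classify and SKIPPED_MODES are hypothetical.

```python
import re

# Sample lines copied from the report above (audit.log and openSUSE syslog).
AUDIT_LOG = ('type=AVC msg=audit(1212212212.121:13867): apparmor="AUDIT" '
             'operation="open" profile="/usr/bin/testfile" name="/tmp/tempfile/" '
             'pid=2686 comm="testfile" requested_mask="r" fsuid=0 ouid=0')
SYSLOG = ('2014-06-09T20:37:28.975070+02:00 geeko kernel: [21028.143765] '
          'type=1400 audit(1402339048.973:1421): apparmor="ALLOWED" '
          'operation="open" profile="/home/cb/linuxtag/apparmor/scripts/hello" '
          'name="/dev/tty" pid=14335 comm="hello" requested_mask="rw" '
          'denied_mask="rw" fsuid=1000 ouid=0')

# Search for the audit(...) stamp anywhere in the line, so a syslog prefix
# (timestamp, host, "kernel:", uptime) or a "msg=" wrapper makes no difference.
STAMP = re.compile(
    r'type=(?P<type>\w+)\s+(?:msg=)?'
    r'audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)')
# key="quoted value" or key=bare_value
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Modes skipped by the check quoted in the comment above.
SKIPPED_MODES = {'UNKNOWN', 'AUDIT', 'STATUS', 'ERROR'}

def parse_line(line):
    """Return a dict of fields for an AppArmor audit line, else None."""
    m = STAMP.search(line)
    if not m or 'apparmor=' not in m.group('body'):
        return None
    event = {k: quoted or bare for k, quoted, bare in PAIR.findall(m.group('body'))}
    event['type'] = m.group('type')
    event['serial'] = int(m.group('serial'))
    return event

def classify(line):
    """Report whether a line is unparsed, skipped by mode, or a usable event."""
    event = parse_line(line)
    if event is None:
        return 'unparsed'
    mode = event.get('apparmor', 'UNKNOWN')
    if mode in SKIPPED_MODES:
        return 'skipped:' + mode
    return 'event:' + mode

if __name__ == '__main__':
    for sample in (AUDIT_LOG, SYSLOG):
        print(classify(sample))
```

Both lines parse here; the audit.log sample is reported as skipped only because its mode is AUDIT, which matches the check the commenter found.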