[PATCH] userspace: audit: ausearch doesn't return entries for AppArmor events that exist in the log

Tony Jones tonyj at suse.de
Tue Jun 3 01:00:54 UTC 2014


On 05/29/2014 01:31 AM, Tyler Hicks wrote:

> I'm surprised that this patch makes ausearch work correctly for AppArmor
> AVC events. The first thing that parse_avc() does is look for the
> "avc: " term in the AVCs that SELinux generates. AppArmor's AVCs don't
> include that string, so an.avc_result and an.avc_perm would not be set,
> would they?

That patch does "work" (tested w/ svn trunk). After I read your comment I looked at the code and I was confused also, as 'avc_result == AVC_UNSET', but find_avc(), which checks against UNSET, isn't being called; rather the record gets selected for output by 'n = list_get_cur(l)' [ausearch-match.c:113]. I would need to spend more time to fully understand what is happening in the code.

$ cat log
type=AVC msg=audit(1390876383.602:15646): apparmor="DENIED" operation="open" parent=21147 profile="/tmp/ls" name="/var/log/audit/" pid=21598 comm="ls" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1390936201.188:15647): apparmor="ALLOWED" operation="file_lock" parent=7873 profile="/usr/sbin/sshd" name="/tmp/pam_krb5_tmp_FqhNDa" pid=7875 comm="sshd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0

$ /tmp/audit/sbin/ausearch -m AVC -if ./log
----
time->Mon Jan 27 18:33:03 2014
type=AVC msg=audit(1390876383.602:15646): apparmor="DENIED" operation="open" parent=21147 profile="/tmp/ls" name="/var/log/audit/" pid=21598 comm="ls" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
----
time->Tue Jan 28 11:10:01 2014
type=AVC msg=audit(1390936201.188:15647): apparmor="ALLOWED" operation="file_lock" parent=7873 profile="/usr/sbin/sshd" name="/tmp/pam_krb5_tmp_FqhNDa" pid=7875 comm="sshd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0


Without the patch, ausearch just outputs "<no matches>".

tony
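The point Tyler raises is that ausearch's parse_avc() keys on the literal "avc: " marker that only SELinux emits, while AppArmor AVCs carry their verdict in apparmor="..." and their permissions in requested_mask/denied_mask. The following is an added illustration, not code from the audit userspace and not part of the thread, of what the two matching strategies see on a small log: a matcher keyed on the "avc: " marker drops both AppArmor records, whereas one that matches on type=AVC keeps them, and the verdict can still be recovered from the AppArmor fields. The two AppArmor lines are the ones from the post; the SELinux AVC and SYSCALL lines are constructed for contrast, and all function names are this example's own.

```python
import re
from datetime import datetime, timezone

# Constructed sample log. The two AppArmor records are the ones quoted in the
# post; the SELinux AVC and the SYSCALL record are made up here for contrast
# and are not from the post.
SAMPLE_LOG = """\
type=AVC msg=audit(1390876383.602:15646): apparmor="DENIED" operation="open" parent=21147 profile="/tmp/ls" name="/var/log/audit/" pid=21598 comm="ls" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1390936201.188:15647): apparmor="ALLOWED" operation="file_lock" parent=7873 profile="/usr/sbin/sshd" name="/tmp/pam_krb5_tmp_FqhNDa" pid=7875 comm="sshd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
type=AVC msg=audit(1390936300.000:15648): avc:  denied  { read } for  pid=2345 comm="cat" name="shadow" dev="sda1" ino=1234 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1390936300.000:15648): arch=c000003e syscall=2 success=no exit=-13 pid=2345 comm="cat"
"""

# type=<TYPE> msg=audit(<secs>.<msecs>:<serial>): <body>
HEADER_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<secs>\d+)\.(?P<msecs>\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
# key=value pairs; values may be double-quoted
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# The SELinux-only marker that parse_avc() in ausearch looks for.
SELINUX_AVC_RE = re.compile(r'avc:\s+(?P<result>granted|denied)\s+\{\s*(?P<perms>[^}]*)\}')


def parse_record(line):
    """Parse one audit record into a dict; returns None for unparseable lines."""
    m = HEADER_RE.match(line.rstrip("\n"))
    if not m:
        return None
    body = m.group("body")
    rec = {
        "type": m.group("type"),
        "secs": int(m.group("secs")),
        "serial": int(m.group("serial")),
        "raw": line.rstrip("\n"),
        "fields": {k: v.strip('"') for k, v in KV_RE.findall(body)},
        "lsm": None,          # which LSM produced the AVC, if any
        "avc_result": None,   # "granted" / "denied" / "allowed"
        "avc_perm": None,     # list of permissions or mask characters
    }
    sel = SELINUX_AVC_RE.search(body)
    if sel:
        rec["lsm"] = "selinux"
        rec["avc_result"] = sel.group("result")
        rec["avc_perm"] = sel.group("perms").split()
    elif "apparmor" in rec["fields"]:
        # AppArmor AVCs carry the verdict in apparmor="..." and the
        # permissions in requested_mask / denied_mask; there is no "avc: ".
        rec["lsm"] = "apparmor"
        rec["avc_result"] = rec["fields"]["apparmor"].lower()
        mask = rec["fields"].get("denied_mask") or rec["fields"].get("requested_mask", "")
        rec["avc_perm"] = list(mask)
    return rec


def parse_log(text):
    return [r for r in (parse_record(l) for l in text.splitlines()) if r]


def select_by_avc_marker(records):
    """A matcher that only recognises AVCs carrying the SELinux 'avc: ' marker;
    it silently drops AppArmor records."""
    return [r for r in records if r["type"] == "AVC" and r["lsm"] == "selinux"]


def select_by_type(records):
    """Match on the record type alone, which is what `ausearch -m AVC` asks for."""
    return [r for r in records if r["type"] == "AVC"]


def denied_only(records):
    """AVCs that denied an operation, whichever LSM produced them."""
    return [r for r in records if r["avc_result"] == "denied"]


def format_record(rec):
    """Render an event in ausearch's 'time->' style (UTC here; ausearch uses local time)."""
    t = datetime.fromtimestamp(rec["secs"], tz=timezone.utc).strftime("%a %b %d %H:%M:%S %Y")
    return "----\ntime->%s\n%s" % (t, rec["raw"])


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("marker-based matcher found %d AVC(s)" % len(select_by_avc_marker(recs)))
    print("type-based matcher found %d AVC(s)" % len(select_by_type(recs)))
    for r in denied_only(recs):
        print(format_record(r))
```

Run stand-alone it reports one AVC for the marker-based matcher and three for the type-based one, then prints the two denials (the AppArmor open on /var/log/audit/ and the constructed SELinux read) in ausearch's own layout. The practical caveat for anyone filtering with a pattern rather than ausearch: a grep for "avc: " or "avc:  denied" will never see an AppArmor denial; match on type=AVC and then branch on whether apparmor= is present.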

More information about the Linux-audit mailing list