[PATCH] userspace: audit: ausearch doesn't return entries for AppArmor events that exist in the log
Tony Jones
tonyj at suse.de
Tue Jun 3 16:34:25 UTC 2014
On 06/03/2014 07:47 AM, Steve Grubb wrote:
> Yep. So, the question is really how to fix this. Should we have a different
> function that is swung in with #ifdef WITH_APPARMOR called parse_aa_avc? Then
> it can be tuned exactly for AppArmor's needs? Later, the kernel event number
> can be changed and the switch/case can pick that up. Also, are there other AA
> events that are missing in action? The ausearch-test should tell you.
We'll take the patch (locally) for SLES. Seems to me, since there really isn't any AppArmor awareness in audit at present that the AppArmor developers
may as well fix the kernel event numbering first, audit userspace after that .... anyhow, I see no point considering the previous patch for upstreaming.
Thanks
Tony
More information about the Linux-audit
mailing list