aa-genprof can't parse logs

Bug #140508 reported by Thomas Leonard
2
Affects Status Importance Assigned to Milestone
apparmor (Ubuntu)
Fix Released
Medium
Unassigned

Bug Description

Binary package hint: apparmor-utils

After upgrading, aa-genprof in gutsy never finds any events.

I tried with "export LOGPROF_DEBUG=1", and the resulting log contained lines like this:

read_log UNHANDLED: Sep 17 19:54:57 nono kernel: [ 7904.712000] audit(1190055297.170:473): operation="inode_permission" requested_mask="w" denied_mask="w" name="/tmp/bob" pid=21

Did the format of the messages from the kernel change?

This is with the latest apparmor-utils:

$ dpkg --status apparmor-utils
Package: apparmor-utils
Status: install ok installed
Priority: extra
Section: base
Installed-Size: 1696
Maintainer: Ubuntu MOTU Developers <email address hidden>
Architecture: i386
Source: apparmor
Version: 2.1+961-0ubuntu5
...

$ uname -a
Linux nono 2.6.22-11-generic #1 SMP Fri Sep 7 05:07:05 GMT 2007 i686 GNU/Linux

Revision history for this message
Mathias Gug (mathiaz) wrote : Re: [Bug 140508] aa-genprof can't parse logs

On Mon, Sep 17, 2007 at 07:13:11PM -0000, Thomas Leonard wrote:
> Did the format of the messages from the kernel change?
>

Thanks for taking the time to report the bug. It's a problem with the new
kernel module that doesn't sent the correct audit messages to syslog.
There is a patch for the kernel module that should be merged soon.

 status triaged
 importance medium

Changed in apparmor:
importance: Undecided → Medium
status: New → Triaged
Revision history for this message
Kees Cook (kees) wrote :

apparmor (2.1+993-0ubuntu2) gutsy; urgency=low

  [ Mathias Gug ]
  * debian/control: Set maintainer to Ubuntu Core Developers.
  * utils/SubDomain.pm, utils/logprog.conf: refactor readprofiledir() to not
    fail on non-existing profile directory. Fixes LP: #141128.
  * debian/rules: don't compress profiles in doc/extras/.
  * utils/SubDomain.pm: Fix regex so that aa-logprof can find audit messages
    in syslog files. Fixes LP: #140508.
  * Update usr.sbin.nscd profile. Fixes LP: #144383.

  [ Kees Cook ]
  * abstractions/gnupg: drop bad attempt at general-purpose client rule.
  * abstractions/fonts: adjust for new syntax, add more local fonts paths.
  * abstractions/nameservice: add mmap permission to some /etc files.

 -- Kees Cook <email address hidden> Tue, 25 Sep 2007 10:23:29 -0700

Changed in apparmor:
status: Triaged → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.