On Sun, Jun 05, 2016 at 06:51:18PM -0700, John Johansen wrote:
[..snip..]
> With that said if you turn on debug mode apparmor will log a few extra
> messages to dmesg (not via the audit subsystem). This will let you see
> when environment scrubbing has been applied.
>
>   echo 1 > /sys/module/apparmor/parameters/debug
>
> Also note this isn't going to give you a flood of extra messages it's just
> for a few things like, env scrubbing, clearing unsafe personality bits,
> no new privs etc.
>
> > @John: Do you have a different opinion on Guido's points?
> >
>
> yeah we should be logging extra info. As for complain mode we aren't
> changing its behavior but there will be a new mode that is closer to
> what I think he wants.
>
> Also it is possible to turn off deny audit quieting by doing
>
>   echo -n noquiet >/sys/module/apparmor/parameters/audit
>
> sadly this is global, not per profile

It's "good enough" for debugging on a test system. Incredibly helpful, thanks!

 -- Guido