I have just encountered this issue (while trying to figure out why aa- genprof could not correctly profile a script). This is a pretty crazy issue to be remaining open for so long... one of the two major LSM systems not logging correctly and therefore having logs not appear in ausearch (not to mention preventing tools like aa-genprof from working correctly).
Has this been fixed? I am running Debian 12, so I might be locked into time warp from 3000 years ago... I am on v3.0.8... I have noticed that the most recent v3 release was posted a few days before this message. Has v4 fixed this problem? Are there work around? I would say this is an extremely critical bug which prevents AppArmor from being a viable utility. (I am studying for a LF SysAdmin cert and would regard myself to be something of a newbie at this level of Linuxing, so please forgive me if I am missing something...) -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1117804 Title: ausearch doesn't show AppArmor denial messages Status in AppArmor: Confirmed Status in audit package in Ubuntu: Confirmed Status in linux package in Ubuntu: Incomplete Bug description: The following command should display all AVC denials: ausearch -m avc However, it doesn't work with AppArmor denials. Here's a quick test case to generate a denial, search for it with ausearch, and see that no messages are displayed: $ aa-exec -p /usr/sbin/tcpdump cat /proc/self/attr/current cat: /proc/self/attr/current: Permission denied $ sudo ausearch -m avc -c cat <no matches> ausearch claims that there are no matches, but there's a matching audit message if you look in audit.log: type=AVC msg=audit(1360193426.539:64): apparmor="DENIED" operation="open" parent=8253 profile="/usr/sbin/tcpdump" name="/proc/8485/attr/current" pid=8485 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000 To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/1117804/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
