** Description changed:

+ [ Impact ]
+ 
+  * The following command should display all AVC denials: `ausearch --message 
AVC`; however, it doesn't work:
+  
+ ```
+ yachie@virtual:/etc/apparmor.d$ ausearch --message AVC
+ <no matches>
+ ```
+ 
+  * Users currently must inspect `/var/log/audit.log` to find the missing 
AppArmor AVC events:
+  
+ ```
+ yachie@virtual:/etc/apparmor.d$ sudo cat /var/log/audit.log
+ type=AVC msg=audit(1774470501.870:1117918): apparmor="DENIED" 
operation="open" class="file" profile="rsyslogd" name="/proc/2009624/cmdline" 
pid=106062 comm="in:imuxsock" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 
FSUID="root" OUID="root"
+ type=AVC msg=audit(1774470501.927:1117919): apparmor="DENIED" 
operation="open" class="file" profile="rsyslogd" name="/proc/2009636/cmdline" 
pid=106062 comm="in:imuxsock" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 
FSUID="root" OUID="root"
+ ```
+  
+  * The root cause is that `ausearch` is checking for a `tclass` field in the 
AppArmor events, because the AppArmor is using event id `1400` (assigned to 
SELinux) instead of `1500`.
+  
+  * AppArmor events don't have a `tclass` field, so `ausearch` treats every 
AppArmor event as 'malformed' and hides them. We can reveal the 'malformed' 
events with the `--debug` flag:
+  
+  ```
+ yachie@virtual:~$ ausearch --message AVC --debug
+ ( ... a ton of unrelated events ... )
+ Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.176:616): 
apparmor="AUDIT" operation="change_onexec" class="file" info="change_profile 
unprivileged unconfined converted to stacking" profile="unconfined" 
name="lsb_release" pid=5443 comm="aa-exec"
+ Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:617): 
apparmor="DENIED" operation="open" class="file" profile="lsb_release" 
name="/etc/nsswitch.conf" pid=5443 comm="bash" requested_mask="r" 
denied_mask="r" fsuid=1000 ouid=0
+ Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:618): 
apparmor="DENIED" operation="open" class="file" profile="lsb_release" 
name="/etc/passwd" pid=5443 comm="bash" requested_mask="r" denied_mask="r" 
fsuid=1000 ouid=0
+ Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:619): 
apparmor="DENIED" operation="open" class="file" profile="lsb_release" 
name="/etc/bash.bashrc" pid=5443 comm="bash" requested_mask="r" denied_mask="r" 
fsuid=1000 ouid=0
+ Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:620): 
apparmor="DENIED" operation="open" class="file" profile="lsb_release" 
name="/home/yachie/.bashrc" pid=5443 comm="bash" requested_mask="r" 
denied_mask="r" fsuid=1000 ouid=1000
+ Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:621): 
apparmor="DENIED" operation="open" class="file" profile="lsb_release" 
name="/home/yachie/.bash_history" pid=5443 comm="bash" requested_mask="r" 
denied_mask="r" fsuid=1000 ouid=1000
+ Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:622): 
apparmor="DENIED" operation="open" class="file" profile="lsb_release" 
name="/home/yachie/.bash_history" pid=5443 comm="bash" requested_mask="r" 
denied_mask="r" fsuid=1000 ouid=1000
+ Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:623): 
apparmor="DENIED" operation="open" class="file" profile="lsb_release" 
name="/etc/inputrc" pid=5443 comm="bash" requested_mask="r" denied_mask="r" 
fsuid=1000 ouid=0
+ <no matches>
+  ```
+  
+  * This bug makes `auditd` very difficult to use on Ubuntu: having the 
`auditd` package installed hides AVC events from the kernel log AND `ausearch` 
doesn't reveal them, making AppArmor events seemingly vanish unless you know 
where to look.
+  
+ [ Test plan ]
+ 
+ # Install the relevant packages
+ 1. sudo apt install apparmor auditd
+ 
+ # Run the reproducer
+ 2. aa-exec --profile=lsb_release bash # generates a ton of denials; see below:
+ ```
+ root@jammy-vm:~# aa-exec --profile lsb_release bash
+ bash: /etc/bash.bashrc: Permission denied
+ bash: /root/.bashrc: Permission denied
+ bash-5.1# 
+ exit
+ ```
+ 
+ # Run `ausearch` and search for AVC events
+ 3. ausearch --message AVC
+ 
+ 3a. Unpatched package output (fail):
+ ```
+ root@jammy-vm:~# ausearch --message AVC
+ <no matches>
+ ```
+ 
+ 3b. Patched package output (success):
+ ```
+ root@jammy-vm:~# ausearch --message AVC
+ ----
+ time->Tue Jul 14 21:03:18 2026
+ type=PROCTITLE msg=audit(1784062998.789:100): proctitle="bash"
+ type=SYSCALL msg=audit(1784062998.789:100): arch=c000003e syscall=257 
success=no exit=-13 a0=ffffff9c a1=7f6a7274c150 a2=80000 a3=0 items=0 ppid=562 
pid=3449 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
fsgid=0 tty=pts0 ses=4294967295 comm="bash" exe="/usr/bin/bash" 
subj=lsb_release key=(null)
+ type=AVC msg=audit(1784062998.789:100): apparmor="DENIED" operation="open" 
profile="lsb_release" name="/etc/nsswitch.conf" pid=3449 comm="bash" 
requested_mask="r" denied_mask="r" fsuid=0 ouid=0
+ ----
+ time->Tue Jul 14 21:03:18 2026
+ type=PROCTITLE msg=audit(1784062998.789:101): proctitle="bash"
+ type=SYSCALL msg=audit(1784062998.789:101): arch=c000003e syscall=257 
success=no exit=-13 a0=ffffff9c a1=7f6a7274c2ac a2=80000 a3=0 items=0 ppid=562 
pid=3449 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
fsgid=0 tty=pts0 ses=4294967295 comm="bash" exe="/usr/bin/bash" 
subj=lsb_release key=(null)
+ type=AVC msg=audit(1784062998.789:101): apparmor="DENIED" operation="open" 
profile="lsb_release" name="/etc/passwd" pid=3449 comm="bash" 
requested_mask="r" denied_mask="r" fsuid=0 ouid=0
+ ----
+ ( ...continues )
+ ```
+ 
+ [ Where problems could occur ]
+ 
+  * Currently, all AppArmor events are treated as 'malformed' SELinux
+ events when they are actually well-formed AppArmor events.
+ 
+  * This patch modifies the filtration behavior of `ausearch` by making the 
`tclass` field optional, thus making AppArmor events be treated as well-formed 
SELinux events.
+  
+  * The regression risk with this patch is such that potentially well-formed 
events will be hidden by `ausearch` unintentionally, or truly malformed events 
will be allowed past the filter.
+ 
+  * One major caveat is that regressions with respect to actual SELinux
+ events are difficult to test on Ubuntu; some malformed SELinux events
+ would potenitally be allowed through the filter with this patch.
+ 
+ [ Other info ]
+ 
+  * Debian likely doesn't want this patch, as Debian officially won't be 
making any changes until upstream does [3].
+  
+  * Upstream can't move the AppArmor event id to the `1500` range any time 
soon. AppArmor was moved to the `1400` range to align with the Linux kernel LSM 
infrastructure [2]
+  
+  * This patch comes from SUSE; they've been carrying it for well over a 
decade, and they seem to still be carrying it even after switching to SELinux 
by default [3].
+ 
+ Targeted releases: All currently supported releases and all releases
+ moving forward until AppArmor moves back to the `1500` event range.
+ 
+ [1] Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872726
+ [2] AA using 1400 reason: 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872726#39
+ [3] Debian `wontfix` closure: 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872726#88
+ [2] SUSE KB: 
https://support.scc.suse.com/s/kb/audit-log-file-that-has-the-apparmor-AVC-entries-that-ausearch-can-t-read-1583239408721?language=en_US
+ [3] SUSE Patch: 
https://build.opensuse.org/projects/security/packages/audit/files/audit-ausearch-do-not-require-tclass.patch
+ 
+ [ Original bug (for posterity) ]
+ 
  The following command should display all AVC denials:
  
  ausearch -m avc
  
  However, it doesn't work with AppArmor denials. Here's a quick test case
  to generate a denial, search for it with ausearch, and see that no
  messages are displayed:
  
  $ aa-exec -p /usr/sbin/tcpdump cat /proc/self/attr/current
  cat: /proc/self/attr/current: Permission denied
  $ sudo ausearch -m avc -c cat
  <no matches>
  
  ausearch claims that there are no matches, but there's a matching audit
  message if you look in audit.log:
  
  type=AVC msg=audit(1360193426.539:64): apparmor="DENIED"
  operation="open" parent=8253 profile="/usr/sbin/tcpdump"
  name="/proc/8485/attr/current" pid=8485 comm="cat" requested_mask="r"
  denied_mask="r" fsuid=1000 ouid=1000

** Description changed:

  [ Impact ]
  
-  * The following command should display all AVC denials: `ausearch --message 
AVC`; however, it doesn't work:
-  
+  * The following command should display all AVC denials: `ausearch
+ --message AVC`; however, it doesn't work:
+ 
  ```
  yachie@virtual:/etc/apparmor.d$ ausearch --message AVC
  <no matches>
  ```
  
-  * Users currently must inspect `/var/log/audit.log` to find the missing 
AppArmor AVC events:
-  
+  * Users currently must inspect `/var/log/audit.log` to find the missing
+ AppArmor AVC events:
+ 
  ```
  yachie@virtual:/etc/apparmor.d$ sudo cat /var/log/audit.log
  type=AVC msg=audit(1774470501.870:1117918): apparmor="DENIED" 
operation="open" class="file" profile="rsyslogd" name="/proc/2009624/cmdline" 
pid=106062 comm="in:imuxsock" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 
FSUID="root" OUID="root"
  type=AVC msg=audit(1774470501.927:1117919): apparmor="DENIED" 
operation="open" class="file" profile="rsyslogd" name="/proc/2009636/cmdline" 
pid=106062 comm="in:imuxsock" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 
FSUID="root" OUID="root"
  ```
-  
-  * The root cause is that `ausearch` is checking for a `tclass` field in the 
AppArmor events, because the AppArmor is using event id `1400` (assigned to 
SELinux) instead of `1500`.
-  
-  * AppArmor events don't have a `tclass` field, so `ausearch` treats every 
AppArmor event as 'malformed' and hides them. We can reveal the 'malformed' 
events with the `--debug` flag:
-  
-  ```
+ 
+  * The root cause is that `ausearch` is checking for a `tclass` field in
+ the AppArmor events, because the AppArmor is using event id `1400`
+ (assigned to SELinux) instead of `1500`.
+ 
+  * AppArmor events don't have a `tclass` field, so `ausearch` treats
+ every AppArmor event as 'malformed' and hides them. We can reveal the
+ 'malformed' events with the `--debug` flag:
+ 
+  ```
  yachie@virtual:~$ ausearch --message AVC --debug
  ( ... a ton of unrelated events ... )
  Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.176:616): 
apparmor="AUDIT" operation="change_onexec" class="file" info="change_profile 
unprivileged unconfined converted to stacking" profile="unconfined" 
name="lsb_release" pid=5443 comm="aa-exec"
  Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:617): 
apparmor="DENIED" operation="open" class="file" profile="lsb_release" 
name="/etc/nsswitch.conf" pid=5443 comm="bash" requested_mask="r" 
denied_mask="r" fsuid=1000 ouid=0
  Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:618): 
apparmor="DENIED" operation="open" class="file" profile="lsb_release" 
name="/etc/passwd" pid=5443 comm="bash" requested_mask="r" denied_mask="r" 
fsuid=1000 ouid=0
  Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:619): 
apparmor="DENIED" operation="open" class="file" profile="lsb_release" 
name="/etc/bash.bashrc" pid=5443 comm="bash" requested_mask="r" denied_mask="r" 
fsuid=1000 ouid=0
  Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:620): 
apparmor="DENIED" operation="open" class="file" profile="lsb_release" 
name="/home/yachie/.bashrc" pid=5443 comm="bash" requested_mask="r" 
denied_mask="r" fsuid=1000 ouid=1000
  Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:621): 
apparmor="DENIED" operation="open" class="file" profile="lsb_release" 
name="/home/yachie/.bash_history" pid=5443 comm="bash" requested_mask="r" 
denied_mask="r" fsuid=1000 ouid=1000
  Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:622): 
apparmor="DENIED" operation="open" class="file" profile="lsb_release" 
name="/home/yachie/.bash_history" pid=5443 comm="bash" requested_mask="r" 
denied_mask="r" fsuid=1000 ouid=1000
  Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:623): 
apparmor="DENIED" operation="open" class="file" profile="lsb_release" 
name="/etc/inputrc" pid=5443 comm="bash" requested_mask="r" denied_mask="r" 
fsuid=1000 ouid=0
  <no matches>
-  ```
-  
-  * This bug makes `auditd` very difficult to use on Ubuntu: having the 
`auditd` package installed hides AVC events from the kernel log AND `ausearch` 
doesn't reveal them, making AppArmor events seemingly vanish unless you know 
where to look.
-  
+  ```
+ 
+  * This bug makes `auditd` very difficult to use on Ubuntu: having the
+ `auditd` package installed hides AVC events from the kernel log AND
+ `ausearch` doesn't reveal them, making AppArmor events seemingly vanish
+ unless you know where to look.
+ 
  [ Test plan ]
  
  # Install the relevant packages
  1. sudo apt install apparmor auditd
  
  # Run the reproducer
  2. aa-exec --profile=lsb_release bash # generates a ton of denials; see below:
  ```
  root@jammy-vm:~# aa-exec --profile lsb_release bash
  bash: /etc/bash.bashrc: Permission denied
  bash: /root/.bashrc: Permission denied
- bash-5.1# 
+ bash-5.1#
  exit
  ```
  
  # Run `ausearch` and search for AVC events
  3. ausearch --message AVC
  
  3a. Unpatched package output (fail):
  ```
  root@jammy-vm:~# ausearch --message AVC
  <no matches>
  ```
  
  3b. Patched package output (success):
  ```
  root@jammy-vm:~# ausearch --message AVC
  ----
  time->Tue Jul 14 21:03:18 2026
  type=PROCTITLE msg=audit(1784062998.789:100): proctitle="bash"
  type=SYSCALL msg=audit(1784062998.789:100): arch=c000003e syscall=257 
success=no exit=-13 a0=ffffff9c a1=7f6a7274c150 a2=80000 a3=0 items=0 ppid=562 
pid=3449 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
fsgid=0 tty=pts0 ses=4294967295 comm="bash" exe="/usr/bin/bash" 
subj=lsb_release key=(null)
  type=AVC msg=audit(1784062998.789:100): apparmor="DENIED" operation="open" 
profile="lsb_release" name="/etc/nsswitch.conf" pid=3449 comm="bash" 
requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  ----
  time->Tue Jul 14 21:03:18 2026
  type=PROCTITLE msg=audit(1784062998.789:101): proctitle="bash"
  type=SYSCALL msg=audit(1784062998.789:101): arch=c000003e syscall=257 
success=no exit=-13 a0=ffffff9c a1=7f6a7274c2ac a2=80000 a3=0 items=0 ppid=562 
pid=3449 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
fsgid=0 tty=pts0 ses=4294967295 comm="bash" exe="/usr/bin/bash" 
subj=lsb_release key=(null)
  type=AVC msg=audit(1784062998.789:101): apparmor="DENIED" operation="open" 
profile="lsb_release" name="/etc/passwd" pid=3449 comm="bash" 
requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  ----
  ( ...continues )
  ```
  
  [ Where problems could occur ]
  
-  * Currently, all AppArmor events are treated as 'malformed' SELinux
+  * Currently, all AppArmor events are treated as 'malformed' SELinux
  events when they are actually well-formed AppArmor events.
  
-  * This patch modifies the filtration behavior of `ausearch` by making the 
`tclass` field optional, thus making AppArmor events be treated as well-formed 
SELinux events.
-  
-  * The regression risk with this patch is such that potentially well-formed 
events will be hidden by `ausearch` unintentionally, or truly malformed events 
will be allowed past the filter.
+  * This patch modifies the filtration behavior of `ausearch` by making
+ the `tclass` field optional, thus making AppArmor events be treated as
+ well-formed SELinux events.
  
-  * One major caveat is that regressions with respect to actual SELinux
+  * The regression risk with this patch is such that potentially well-
+ formed events will be hidden by `ausearch` unintentionally, or truly
+ malformed events will be allowed past the filter.
+ 
+  * One major caveat is that regressions with respect to actual SELinux
  events are difficult to test on Ubuntu; some malformed SELinux events
  would potenitally be allowed through the filter with this patch.
  
  [ Other info ]
  
-  * Debian likely doesn't want this patch, as Debian officially won't be 
making any changes until upstream does [3].
-  
-  * Upstream can't move the AppArmor event id to the `1500` range any time 
soon. AppArmor was moved to the `1400` range to align with the Linux kernel LSM 
infrastructure [2]
-  
-  * This patch comes from SUSE; they've been carrying it for well over a 
decade, and they seem to still be carrying it even after switching to SELinux 
by default [3].
+  * Debian likely doesn't want this patch, as Debian officially won't be
+ making any changes until upstream does [3].
+ 
+  * Upstream can't move the AppArmor event id to the `1500` range any
+ time soon. AppArmor was moved to the `1400` range to align with the
+ Linux kernel LSM infrastructure [2]
+ 
+  * This patch comes from SUSE; they've been carrying it for well over a
+ decade [4], and they seem to still be carrying it even after switching
+ to SELinux by default [5].
  
  Targeted releases: All currently supported releases and all releases
  moving forward until AppArmor moves back to the `1500` event range.
  
  [1] Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872726
  [2] AA using 1400 reason: 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872726#39
  [3] Debian `wontfix` closure: 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872726#88
- [2] SUSE KB: 
https://support.scc.suse.com/s/kb/audit-log-file-that-has-the-apparmor-AVC-entries-that-ausearch-can-t-read-1583239408721?language=en_US
- [3] SUSE Patch: 
https://build.opensuse.org/projects/security/packages/audit/files/audit-ausearch-do-not-require-tclass.patch
+ [4] SUSE KB: 
https://support.scc.suse.com/s/kb/audit-log-file-that-has-the-apparmor-AVC-entries-that-ausearch-can-t-read-1583239408721?language=en_US
+ [5] SUSE Patch: 
https://build.opensuse.org/projects/security/packages/audit/files/audit-ausearch-do-not-require-tclass.patch
  
- [ Original bug (for posterity) ]
+ [ Original bug (for posterity after over a decade) ]
  
  The following command should display all AVC denials:
  
  ausearch -m avc
  
  However, it doesn't work with AppArmor denials. Here's a quick test case
  to generate a denial, search for it with ausearch, and see that no
  messages are displayed:
  
  $ aa-exec -p /usr/sbin/tcpdump cat /proc/self/attr/current
  cat: /proc/self/attr/current: Permission denied
  $ sudo ausearch -m avc -c cat
  <no matches>
  
  ausearch claims that there are no matches, but there's a matching audit
  message if you look in audit.log:
  
  type=AVC msg=audit(1360193426.539:64): apparmor="DENIED"
  operation="open" parent=8253 profile="/usr/sbin/tcpdump"
  name="/proc/8485/attr/current" pid=8485 comm="cat" requested_mask="r"
  denied_mask="r" fsuid=1000 ouid=1000

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1117804

Title:
  ausearch doesn't show AppArmor denial messages

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1117804/+subscriptions


-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to