** Description changed:

  [ Impact ]
  
-  * The following command should display all AVC denials: `ausearch
- --message AVC`; however, it doesn't work:
+  * The following command should display all AppArmor AVC events:
+ `ausearch --message AVC`; however, it doesn't work:
  
  ```
  yachie@virtual:/etc/apparmor.d$ ausearch --message AVC
  <no matches>
  ```
  
   * Users currently must inspect `/var/log/audit.log` to find the missing
  AppArmor AVC events:
  
  ```
  yachie@virtual:/etc/apparmor.d$ sudo cat /var/log/audit.log
  type=AVC msg=audit(1774470501.870:1117918): apparmor="DENIED" 
operation="open" class="file" profile="rsyslogd" name="/proc/2009624/cmdline" 
pid=106062 comm="in:imuxsock" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 
FSUID="root" OUID="root"
  type=AVC msg=audit(1774470501.927:1117919): apparmor="DENIED" 
operation="open" class="file" profile="rsyslogd" name="/proc/2009636/cmdline" 
pid=106062 comm="in:imuxsock" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 
FSUID="root" OUID="root"
  ```
  
   * The root cause is that `ausearch` is checking for a `tclass` field in
  the AppArmor events, because the AppArmor is using event id `1400`
  (assigned to SELinux) instead of `1500`.
  
   * AppArmor events don't have a `tclass` field, so `ausearch` treats
  every AppArmor event as 'malformed' and hides them. We can reveal the
  'malformed' events with the `--debug` flag:
  
   ```
  yachie@virtual:~$ ausearch --message AVC --debug
  ( ... a ton of unrelated events ... )
  Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.176:616): 
apparmor="AUDIT" operation="change_onexec" class="file" info="change_profile 
unprivileged unconfined converted to stacking" profile="unconfined" 
name="lsb_release" pid=5443 comm="aa-exec"
  Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:617): 
apparmor="DENIED" operation="open" class="file" profile="lsb_release" 
name="/etc/nsswitch.conf" pid=5443 comm="bash" requested_mask="r" 
denied_mask="r" fsuid=1000 ouid=0
  Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:618): 
apparmor="DENIED" operation="open" class="file" profile="lsb_release" 
name="/etc/passwd" pid=5443 comm="bash" requested_mask="r" denied_mask="r" 
fsuid=1000 ouid=0
  Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:619): 
apparmor="DENIED" operation="open" class="file" profile="lsb_release" 
name="/etc/bash.bashrc" pid=5443 comm="bash" requested_mask="r" denied_mask="r" 
fsuid=1000 ouid=0
  Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:620): 
apparmor="DENIED" operation="open" class="file" profile="lsb_release" 
name="/home/yachie/.bashrc" pid=5443 comm="bash" requested_mask="r" 
denied_mask="r" fsuid=1000 ouid=1000
  Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:621): 
apparmor="DENIED" operation="open" class="file" profile="lsb_release" 
name="/home/yachie/.bash_history" pid=5443 comm="bash" requested_mask="r" 
denied_mask="r" fsuid=1000 ouid=1000
  Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:622): 
apparmor="DENIED" operation="open" class="file" profile="lsb_release" 
name="/home/yachie/.bash_history" pid=5443 comm="bash" requested_mask="r" 
denied_mask="r" fsuid=1000 ouid=1000
  Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:623): 
apparmor="DENIED" operation="open" class="file" profile="lsb_release" 
name="/etc/inputrc" pid=5443 comm="bash" requested_mask="r" denied_mask="r" 
fsuid=1000 ouid=0
  <no matches>
   ```
  
   * This bug makes `auditd` very difficult to use on Ubuntu: having the
  `auditd` package installed hides AVC events from the kernel log AND
  `ausearch` doesn't reveal them, making AppArmor events seemingly vanish
  unless you know where to look.
  
  [ Test plan ]
  
  # Install the relevant packages
  1. sudo apt install apparmor auditd
  
  # Run the reproducer
  2. aa-exec --profile=lsb_release bash # generates a ton of denials; see below:
  ```
  root@jammy-vm:~# aa-exec --profile lsb_release bash
  bash: /etc/bash.bashrc: Permission denied
  bash: /root/.bashrc: Permission denied
  bash-5.1#
  exit
  ```
  
  # Run `ausearch` and search for AVC events
  3. ausearch --message AVC
  
  3a. Unpatched package output (fail):
  ```
  root@jammy-vm:~# ausearch --message AVC
  <no matches>
  ```
  
  3b. Patched package output (success):
  ```
  root@jammy-vm:~# ausearch --message AVC
  ----
  time->Tue Jul 14 21:03:18 2026
  type=PROCTITLE msg=audit(1784062998.789:100): proctitle="bash"
  type=SYSCALL msg=audit(1784062998.789:100): arch=c000003e syscall=257 
success=no exit=-13 a0=ffffff9c a1=7f6a7274c150 a2=80000 a3=0 items=0 ppid=562 
pid=3449 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
fsgid=0 tty=pts0 ses=4294967295 comm="bash" exe="/usr/bin/bash" 
subj=lsb_release key=(null)
  type=AVC msg=audit(1784062998.789:100): apparmor="DENIED" operation="open" 
profile="lsb_release" name="/etc/nsswitch.conf" pid=3449 comm="bash" 
requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  ----
  time->Tue Jul 14 21:03:18 2026
  type=PROCTITLE msg=audit(1784062998.789:101): proctitle="bash"
  type=SYSCALL msg=audit(1784062998.789:101): arch=c000003e syscall=257 
success=no exit=-13 a0=ffffff9c a1=7f6a7274c2ac a2=80000 a3=0 items=0 ppid=562 
pid=3449 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
fsgid=0 tty=pts0 ses=4294967295 comm="bash" exe="/usr/bin/bash" 
subj=lsb_release key=(null)
  type=AVC msg=audit(1784062998.789:101): apparmor="DENIED" operation="open" 
profile="lsb_release" name="/etc/passwd" pid=3449 comm="bash" 
requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  ----
  ( ...continues )
  ```
  
  [ Where problems could occur ]
  
   * Currently, all AppArmor events are treated as 'malformed' SELinux
  events when they are actually well-formed AppArmor events.
  
   * This patch modifies the filtration behavior of `ausearch` by making
  the `tclass` field optional, thus making AppArmor events be treated as
  well-formed SELinux events.
  
   * The regression risk with this patch is such that potentially well-
  formed events will be hidden by `ausearch` unintentionally, or truly
  malformed events will be allowed past the filter.
  
   * One major caveat is that regressions with respect to actual SELinux
  events are difficult to test on Ubuntu; some malformed SELinux events
  would potenitally be allowed through the filter with this patch.
  
  [ Other info ]
  
   * Debian likely doesn't want this patch, as Debian officially won't be
  making any changes until upstream does [3].
  
   * Upstream can't move the AppArmor event id to the `1500` range any
  time soon. AppArmor was moved to the `1400` range to align with the
  Linux kernel LSM infrastructure [2]
  
   * This patch comes from SUSE; they've been carrying it for well over a
  decade [4], and they seem to still be carrying it even after switching
  to SELinux by default [5].
  
  Targeted releases: All currently supported releases and all releases
  moving forward until AppArmor moves back to the `1500` event range.
  
  [1] Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872726
  [2] AA using 1400 reason: 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872726#39
  [3] Debian `wontfix` closure: 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872726#88
  [4] SUSE KB: 
https://support.scc.suse.com/s/kb/audit-log-file-that-has-the-apparmor-AVC-entries-that-ausearch-can-t-read-1583239408721?language=en_US
  [5] SUSE Patch: 
https://build.opensuse.org/projects/security/packages/audit/files/audit-ausearch-do-not-require-tclass.patch
  
  [ Original bug (for posterity after over a decade) ]
  
  The following command should display all AVC denials:
  
  ausearch -m avc
  
  However, it doesn't work with AppArmor denials. Here's a quick test case
  to generate a denial, search for it with ausearch, and see that no
  messages are displayed:
  
  $ aa-exec -p /usr/sbin/tcpdump cat /proc/self/attr/current
  cat: /proc/self/attr/current: Permission denied
  $ sudo ausearch -m avc -c cat
  <no matches>
  
  ausearch claims that there are no matches, but there's a matching audit
  message if you look in audit.log:
  
  type=AVC msg=audit(1360193426.539:64): apparmor="DENIED"
  operation="open" parent=8253 profile="/usr/sbin/tcpdump"
  name="/proc/8485/attr/current" pid=8485 comm="cat" requested_mask="r"
  denied_mask="r" fsuid=1000 ouid=1000

** Description changed:

  [ Impact ]
  
   * The following command should display all AppArmor AVC events:
  `ausearch --message AVC`; however, it doesn't work:
  
  ```
  yachie@virtual:/etc/apparmor.d$ ausearch --message AVC
  <no matches>
  ```
  
   * Users currently must inspect `/var/log/audit.log` to find the missing
  AppArmor AVC events:
  
  ```
  yachie@virtual:/etc/apparmor.d$ sudo cat /var/log/audit.log
  type=AVC msg=audit(1774470501.870:1117918): apparmor="DENIED" 
operation="open" class="file" profile="rsyslogd" name="/proc/2009624/cmdline" 
pid=106062 comm="in:imuxsock" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 
FSUID="root" OUID="root"
  type=AVC msg=audit(1774470501.927:1117919): apparmor="DENIED" 
operation="open" class="file" profile="rsyslogd" name="/proc/2009636/cmdline" 
pid=106062 comm="in:imuxsock" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 
FSUID="root" OUID="root"
  ```
  
   * The root cause is that `ausearch` is checking for a `tclass` field in
- the AppArmor events, because the AppArmor is using event id `1400`
- (assigned to SELinux) instead of `1500`.
+ the AppArmor events, because AppArmor is using event id `1400` (assigned
+ to SELinux) instead of `1500`.
  
   * AppArmor events don't have a `tclass` field, so `ausearch` treats
  every AppArmor event as 'malformed' and hides them. We can reveal the
  'malformed' events with the `--debug` flag:
  
   ```
  yachie@virtual:~$ ausearch --message AVC --debug
  ( ... a ton of unrelated events ... )
  Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.176:616): 
apparmor="AUDIT" operation="change_onexec" class="file" info="change_profile 
unprivileged unconfined converted to stacking" profile="unconfined" 
name="lsb_release" pid=5443 comm="aa-exec"
  Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:617): 
apparmor="DENIED" operation="open" class="file" profile="lsb_release" 
name="/etc/nsswitch.conf" pid=5443 comm="bash" requested_mask="r" 
denied_mask="r" fsuid=1000 ouid=0
  Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:618): 
apparmor="DENIED" operation="open" class="file" profile="lsb_release" 
name="/etc/passwd" pid=5443 comm="bash" requested_mask="r" denied_mask="r" 
fsuid=1000 ouid=0
  Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:619): 
apparmor="DENIED" operation="open" class="file" profile="lsb_release" 
name="/etc/bash.bashrc" pid=5443 comm="bash" requested_mask="r" denied_mask="r" 
fsuid=1000 ouid=0
  Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:620): 
apparmor="DENIED" operation="open" class="file" profile="lsb_release" 
name="/home/yachie/.bashrc" pid=5443 comm="bash" requested_mask="r" 
denied_mask="r" fsuid=1000 ouid=1000
  Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:621): 
apparmor="DENIED" operation="open" class="file" profile="lsb_release" 
name="/home/yachie/.bash_history" pid=5443 comm="bash" requested_mask="r" 
denied_mask="r" fsuid=1000 ouid=1000
  Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:622): 
apparmor="DENIED" operation="open" class="file" profile="lsb_release" 
name="/home/yachie/.bash_history" pid=5443 comm="bash" requested_mask="r" 
denied_mask="r" fsuid=1000 ouid=1000
  Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:623): 
apparmor="DENIED" operation="open" class="file" profile="lsb_release" 
name="/etc/inputrc" pid=5443 comm="bash" requested_mask="r" denied_mask="r" 
fsuid=1000 ouid=0
  <no matches>
   ```
  
   * This bug makes `auditd` very difficult to use on Ubuntu: having the
  `auditd` package installed hides AVC events from the kernel log AND
  `ausearch` doesn't reveal them, making AppArmor events seemingly vanish
  unless you know where to look.
  
  [ Test plan ]
  
  # Install the relevant packages
  1. sudo apt install apparmor auditd
  
  # Run the reproducer
  2. aa-exec --profile=lsb_release bash # generates a ton of denials; see below:
  ```
  root@jammy-vm:~# aa-exec --profile lsb_release bash
  bash: /etc/bash.bashrc: Permission denied
  bash: /root/.bashrc: Permission denied
  bash-5.1#
  exit
  ```
  
  # Run `ausearch` and search for AVC events
  3. ausearch --message AVC
  
  3a. Unpatched package output (fail):
  ```
  root@jammy-vm:~# ausearch --message AVC
  <no matches>
  ```
  
  3b. Patched package output (success):
  ```
  root@jammy-vm:~# ausearch --message AVC
  ----
  time->Tue Jul 14 21:03:18 2026
  type=PROCTITLE msg=audit(1784062998.789:100): proctitle="bash"
  type=SYSCALL msg=audit(1784062998.789:100): arch=c000003e syscall=257 
success=no exit=-13 a0=ffffff9c a1=7f6a7274c150 a2=80000 a3=0 items=0 ppid=562 
pid=3449 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
fsgid=0 tty=pts0 ses=4294967295 comm="bash" exe="/usr/bin/bash" 
subj=lsb_release key=(null)
  type=AVC msg=audit(1784062998.789:100): apparmor="DENIED" operation="open" 
profile="lsb_release" name="/etc/nsswitch.conf" pid=3449 comm="bash" 
requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  ----
  time->Tue Jul 14 21:03:18 2026
  type=PROCTITLE msg=audit(1784062998.789:101): proctitle="bash"
  type=SYSCALL msg=audit(1784062998.789:101): arch=c000003e syscall=257 
success=no exit=-13 a0=ffffff9c a1=7f6a7274c2ac a2=80000 a3=0 items=0 ppid=562 
pid=3449 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
fsgid=0 tty=pts0 ses=4294967295 comm="bash" exe="/usr/bin/bash" 
subj=lsb_release key=(null)
  type=AVC msg=audit(1784062998.789:101): apparmor="DENIED" operation="open" 
profile="lsb_release" name="/etc/passwd" pid=3449 comm="bash" 
requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  ----
  ( ...continues )
  ```
  
  [ Where problems could occur ]
  
   * Currently, all AppArmor events are treated as 'malformed' SELinux
  events when they are actually well-formed AppArmor events.
  
   * This patch modifies the filtration behavior of `ausearch` by making
  the `tclass` field optional, thus making AppArmor events be treated as
  well-formed SELinux events.
  
   * The regression risk with this patch is such that potentially well-
  formed events will be hidden by `ausearch` unintentionally, or truly
  malformed events will be allowed past the filter.
  
   * One major caveat is that regressions with respect to actual SELinux
  events are difficult to test on Ubuntu; some malformed SELinux events
  would potenitally be allowed through the filter with this patch.
  
  [ Other info ]
  
   * Debian likely doesn't want this patch, as Debian officially won't be
  making any changes until upstream does [3].
  
   * Upstream can't move the AppArmor event id to the `1500` range any
  time soon. AppArmor was moved to the `1400` range to align with the
  Linux kernel LSM infrastructure [2]
  
   * This patch comes from SUSE; they've been carrying it for well over a
  decade [4], and they seem to still be carrying it even after switching
  to SELinux by default [5].
  
  Targeted releases: All currently supported releases and all releases
  moving forward until AppArmor moves back to the `1500` event range.
  
  [1] Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872726
  [2] AA using 1400 reason: 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872726#39
  [3] Debian `wontfix` closure: 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872726#88
  [4] SUSE KB: 
https://support.scc.suse.com/s/kb/audit-log-file-that-has-the-apparmor-AVC-entries-that-ausearch-can-t-read-1583239408721?language=en_US
  [5] SUSE Patch: 
https://build.opensuse.org/projects/security/packages/audit/files/audit-ausearch-do-not-require-tclass.patch
  
  [ Original bug (for posterity after over a decade) ]
  
  The following command should display all AVC denials:
  
  ausearch -m avc
  
  However, it doesn't work with AppArmor denials. Here's a quick test case
  to generate a denial, search for it with ausearch, and see that no
  messages are displayed:
  
  $ aa-exec -p /usr/sbin/tcpdump cat /proc/self/attr/current
  cat: /proc/self/attr/current: Permission denied
  $ sudo ausearch -m avc -c cat
  <no matches>
  
  ausearch claims that there are no matches, but there's a matching audit
  message if you look in audit.log:
  
  type=AVC msg=audit(1360193426.539:64): apparmor="DENIED"
  operation="open" parent=8253 profile="/usr/sbin/tcpdump"
  name="/proc/8485/attr/current" pid=8485 comm="cat" requested_mask="r"
  denied_mask="r" fsuid=1000 ouid=1000

** Description changed:

  [ Impact ]
  
   * The following command should display all AppArmor AVC events:
  `ausearch --message AVC`; however, it doesn't work:
  
  ```
  yachie@virtual:/etc/apparmor.d$ ausearch --message AVC
  <no matches>
  ```
  
   * Users currently must inspect `/var/log/audit.log` to find the missing
  AppArmor AVC events:
  
  ```
  yachie@virtual:/etc/apparmor.d$ sudo cat /var/log/audit.log
  type=AVC msg=audit(1774470501.870:1117918): apparmor="DENIED" 
operation="open" class="file" profile="rsyslogd" name="/proc/2009624/cmdline" 
pid=106062 comm="in:imuxsock" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 
FSUID="root" OUID="root"
  type=AVC msg=audit(1774470501.927:1117919): apparmor="DENIED" 
operation="open" class="file" profile="rsyslogd" name="/proc/2009636/cmdline" 
pid=106062 comm="in:imuxsock" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 
FSUID="root" OUID="root"
  ```
  
   * The root cause is that `ausearch` is checking for a `tclass` field in
  the AppArmor events, because AppArmor is using event id `1400` (assigned
  to SELinux) instead of `1500`.
  
   * AppArmor events don't have a `tclass` field, so `ausearch` treats
  every AppArmor event as 'malformed' and hides them. We can reveal the
  'malformed' events with the `--debug` flag:
  
   ```
  yachie@virtual:~$ ausearch --message AVC --debug
  ( ... a ton of unrelated events ... )
  Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.176:616): 
apparmor="AUDIT" operation="change_onexec" class="file" info="change_profile 
unprivileged unconfined converted to stacking" profile="unconfined" 
name="lsb_release" pid=5443 comm="aa-exec"
  Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:617): 
apparmor="DENIED" operation="open" class="file" profile="lsb_release" 
name="/etc/nsswitch.conf" pid=5443 comm="bash" requested_mask="r" 
denied_mask="r" fsuid=1000 ouid=0
  Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:618): 
apparmor="DENIED" operation="open" class="file" profile="lsb_release" 
name="/etc/passwd" pid=5443 comm="bash" requested_mask="r" denied_mask="r" 
fsuid=1000 ouid=0
  Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:619): 
apparmor="DENIED" operation="open" class="file" profile="lsb_release" 
name="/etc/bash.bashrc" pid=5443 comm="bash" requested_mask="r" denied_mask="r" 
fsuid=1000 ouid=0
  Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:620): 
apparmor="DENIED" operation="open" class="file" profile="lsb_release" 
name="/home/yachie/.bashrc" pid=5443 comm="bash" requested_mask="r" 
denied_mask="r" fsuid=1000 ouid=1000
  Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:621): 
apparmor="DENIED" operation="open" class="file" profile="lsb_release" 
name="/home/yachie/.bash_history" pid=5443 comm="bash" requested_mask="r" 
denied_mask="r" fsuid=1000 ouid=1000
  Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:622): 
apparmor="DENIED" operation="open" class="file" profile="lsb_release" 
name="/home/yachie/.bash_history" pid=5443 comm="bash" requested_mask="r" 
denied_mask="r" fsuid=1000 ouid=1000
  Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:623): 
apparmor="DENIED" operation="open" class="file" profile="lsb_release" 
name="/etc/inputrc" pid=5443 comm="bash" requested_mask="r" denied_mask="r" 
fsuid=1000 ouid=0
  <no matches>
   ```
  
   * This bug makes `auditd` very difficult to use on Ubuntu: having the
  `auditd` package installed hides AVC events from the kernel log AND
  `ausearch` doesn't reveal them, making AppArmor events seemingly vanish
  unless you know where to look.
  
  [ Test plan ]
  
  # Install the relevant packages
  1. sudo apt install apparmor auditd
  
  # Run the reproducer
  2. aa-exec --profile=lsb_release bash # generates a ton of denials; see below:
  ```
  root@jammy-vm:~# aa-exec --profile lsb_release bash
  bash: /etc/bash.bashrc: Permission denied
  bash: /root/.bashrc: Permission denied
  bash-5.1#
  exit
  ```
  
  # Run `ausearch` and search for AVC events
  3. ausearch --message AVC
  
  3a. Unpatched package output (fail):
  ```
  root@jammy-vm:~# ausearch --message AVC
  <no matches>
  ```
  
  3b. Patched package output (success):
  ```
  root@jammy-vm:~# ausearch --message AVC
  ----
  time->Tue Jul 14 21:03:18 2026
  type=PROCTITLE msg=audit(1784062998.789:100): proctitle="bash"
  type=SYSCALL msg=audit(1784062998.789:100): arch=c000003e syscall=257 
success=no exit=-13 a0=ffffff9c a1=7f6a7274c150 a2=80000 a3=0 items=0 ppid=562 
pid=3449 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
fsgid=0 tty=pts0 ses=4294967295 comm="bash" exe="/usr/bin/bash" 
subj=lsb_release key=(null)
  type=AVC msg=audit(1784062998.789:100): apparmor="DENIED" operation="open" 
profile="lsb_release" name="/etc/nsswitch.conf" pid=3449 comm="bash" 
requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  ----
  time->Tue Jul 14 21:03:18 2026
  type=PROCTITLE msg=audit(1784062998.789:101): proctitle="bash"
  type=SYSCALL msg=audit(1784062998.789:101): arch=c000003e syscall=257 
success=no exit=-13 a0=ffffff9c a1=7f6a7274c2ac a2=80000 a3=0 items=0 ppid=562 
pid=3449 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
fsgid=0 tty=pts0 ses=4294967295 comm="bash" exe="/usr/bin/bash" 
subj=lsb_release key=(null)
  type=AVC msg=audit(1784062998.789:101): apparmor="DENIED" operation="open" 
profile="lsb_release" name="/etc/passwd" pid=3449 comm="bash" 
requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  ----
  ( ...continues )
  ```
  
  [ Where problems could occur ]
  
   * Currently, all AppArmor events are treated as 'malformed' SELinux
  events when they are actually well-formed AppArmor events.
  
   * This patch modifies the filtration behavior of `ausearch` by making
  the `tclass` field optional, thus making AppArmor events be treated as
  well-formed SELinux events.
  
   * The regression risk with this patch is such that potentially well-
  formed events will be hidden by `ausearch` unintentionally, or truly
  malformed events will be allowed past the filter.
  
   * One major caveat is that regressions with respect to actual SELinux
  events are difficult to test on Ubuntu; some malformed SELinux events
- would potenitally be allowed through the filter with this patch.
+ would potentially be allowed through the filter with this patch, or
+ well-formed SELinux events hidden. This patch essentially trades
+ correctness in the AppArmor case for correctness in the SELinux case.
  
  [ Other info ]
  
   * Debian likely doesn't want this patch, as Debian officially won't be
  making any changes until upstream does [3].
  
-  * Upstream can't move the AppArmor event id to the `1500` range any
- time soon. AppArmor was moved to the `1400` range to align with the
- Linux kernel LSM infrastructure [2]
+  * Upstream `audit` can't move the AppArmor event id to the `1500` range
+ any time soon. AppArmor was moved to the `1400` range to align with the
+ Linux kernel LSM infrastructure [2].
  
   * This patch comes from SUSE; they've been carrying it for well over a
  decade [4], and they seem to still be carrying it even after switching
  to SELinux by default [5].
  
  Targeted releases: All currently supported releases and all releases
  moving forward until AppArmor moves back to the `1500` event range.
  
  [1] Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872726
  [2] AA using 1400 reason: 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872726#39
  [3] Debian `wontfix` closure: 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872726#88
  [4] SUSE KB: 
https://support.scc.suse.com/s/kb/audit-log-file-that-has-the-apparmor-AVC-entries-that-ausearch-can-t-read-1583239408721?language=en_US
  [5] SUSE Patch: 
https://build.opensuse.org/projects/security/packages/audit/files/audit-ausearch-do-not-require-tclass.patch
  
  [ Original bug (for posterity after over a decade) ]
  
  The following command should display all AVC denials:
  
  ausearch -m avc
  
  However, it doesn't work with AppArmor denials. Here's a quick test case
  to generate a denial, search for it with ausearch, and see that no
  messages are displayed:
  
  $ aa-exec -p /usr/sbin/tcpdump cat /proc/self/attr/current
  cat: /proc/self/attr/current: Permission denied
  $ sudo ausearch -m avc -c cat
  <no matches>
  
  ausearch claims that there are no matches, but there's a matching audit
  message if you look in audit.log:
  
  type=AVC msg=audit(1360193426.539:64): apparmor="DENIED"
  operation="open" parent=8253 profile="/usr/sbin/tcpdump"
  name="/proc/8485/attr/current" pid=8485 comm="cat" requested_mask="r"
  denied_mask="r" fsuid=1000 ouid=1000

** Description changed:

  [ Impact ]
  
   * The following command should display all AppArmor AVC events:
  `ausearch --message AVC`; however, it doesn't work:
  
  ```
  yachie@virtual:/etc/apparmor.d$ ausearch --message AVC
  <no matches>
  ```
  
   * Users currently must inspect `/var/log/audit.log` to find the missing
  AppArmor AVC events:
  
  ```
  yachie@virtual:/etc/apparmor.d$ sudo cat /var/log/audit.log
  type=AVC msg=audit(1774470501.870:1117918): apparmor="DENIED" 
operation="open" class="file" profile="rsyslogd" name="/proc/2009624/cmdline" 
pid=106062 comm="in:imuxsock" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 
FSUID="root" OUID="root"
  type=AVC msg=audit(1774470501.927:1117919): apparmor="DENIED" 
operation="open" class="file" profile="rsyslogd" name="/proc/2009636/cmdline" 
pid=106062 comm="in:imuxsock" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 
FSUID="root" OUID="root"
  ```
  
   * The root cause is that `ausearch` is checking for a `tclass` field in
  the AppArmor events, because AppArmor is using event id `1400` (assigned
  to SELinux) instead of `1500`.
  
   * AppArmor events don't have a `tclass` field, so `ausearch` treats
  every AppArmor event as 'malformed' and hides them. We can reveal the
  'malformed' events with the `--debug` flag:
  
   ```
  yachie@virtual:~$ ausearch --message AVC --debug
  ( ... a ton of unrelated events ... )
  Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.176:616): 
apparmor="AUDIT" operation="change_onexec" class="file" info="change_profile 
unprivileged unconfined converted to stacking" profile="unconfined" 
name="lsb_release" pid=5443 comm="aa-exec"
  Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:617): 
apparmor="DENIED" operation="open" class="file" profile="lsb_release" 
name="/etc/nsswitch.conf" pid=5443 comm="bash" requested_mask="r" 
denied_mask="r" fsuid=1000 ouid=0
  Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:618): 
apparmor="DENIED" operation="open" class="file" profile="lsb_release" 
name="/etc/passwd" pid=5443 comm="bash" requested_mask="r" denied_mask="r" 
fsuid=1000 ouid=0
  Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:619): 
apparmor="DENIED" operation="open" class="file" profile="lsb_release" 
name="/etc/bash.bashrc" pid=5443 comm="bash" requested_mask="r" denied_mask="r" 
fsuid=1000 ouid=0
  Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:620): 
apparmor="DENIED" operation="open" class="file" profile="lsb_release" 
name="/home/yachie/.bashrc" pid=5443 comm="bash" requested_mask="r" 
denied_mask="r" fsuid=1000 ouid=1000
  Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:621): 
apparmor="DENIED" operation="open" class="file" profile="lsb_release" 
name="/home/yachie/.bash_history" pid=5443 comm="bash" requested_mask="r" 
denied_mask="r" fsuid=1000 ouid=1000
  Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:622): 
apparmor="DENIED" operation="open" class="file" profile="lsb_release" 
name="/home/yachie/.bash_history" pid=5443 comm="bash" requested_mask="r" 
denied_mask="r" fsuid=1000 ouid=1000
  Malformed event skipped, rc=9. type=AVC msg=audit(1776888566.177:623): 
apparmor="DENIED" operation="open" class="file" profile="lsb_release" 
name="/etc/inputrc" pid=5443 comm="bash" requested_mask="r" denied_mask="r" 
fsuid=1000 ouid=0
  <no matches>
   ```
  
   * This bug makes `auditd` very difficult to use on Ubuntu: having the
  `auditd` package installed hides AVC events from the kernel log AND
  `ausearch` doesn't reveal them, making AppArmor events seemingly vanish
  unless you know where to look.
  
  [ Test plan ]
  
  # Install the relevant packages
  1. sudo apt install apparmor auditd
  
  # Run the reproducer
  2. aa-exec --profile=lsb_release bash # generates a ton of denials; see below:
  ```
  root@jammy-vm:~# aa-exec --profile lsb_release bash
  bash: /etc/bash.bashrc: Permission denied
  bash: /root/.bashrc: Permission denied
  bash-5.1#
  exit
  ```
  
  # Run `ausearch` and search for AVC events
  3. ausearch --message AVC
  
  3a. Unpatched package output (fail):
  ```
  root@jammy-vm:~# ausearch --message AVC
  <no matches>
  ```
  
  3b. Patched package output (success):
  ```
  root@jammy-vm:~# ausearch --message AVC
  ----
  time->Tue Jul 14 21:03:18 2026
  type=PROCTITLE msg=audit(1784062998.789:100): proctitle="bash"
  type=SYSCALL msg=audit(1784062998.789:100): arch=c000003e syscall=257 
success=no exit=-13 a0=ffffff9c a1=7f6a7274c150 a2=80000 a3=0 items=0 ppid=562 
pid=3449 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
fsgid=0 tty=pts0 ses=4294967295 comm="bash" exe="/usr/bin/bash" 
subj=lsb_release key=(null)
  type=AVC msg=audit(1784062998.789:100): apparmor="DENIED" operation="open" 
profile="lsb_release" name="/etc/nsswitch.conf" pid=3449 comm="bash" 
requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  ----
  time->Tue Jul 14 21:03:18 2026
  type=PROCTITLE msg=audit(1784062998.789:101): proctitle="bash"
  type=SYSCALL msg=audit(1784062998.789:101): arch=c000003e syscall=257 
success=no exit=-13 a0=ffffff9c a1=7f6a7274c2ac a2=80000 a3=0 items=0 ppid=562 
pid=3449 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
fsgid=0 tty=pts0 ses=4294967295 comm="bash" exe="/usr/bin/bash" 
subj=lsb_release key=(null)
  type=AVC msg=audit(1784062998.789:101): apparmor="DENIED" operation="open" 
profile="lsb_release" name="/etc/passwd" pid=3449 comm="bash" 
requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  ----
  ( ...continues )
  ```
  
  [ Where problems could occur ]
  
   * Currently, all AppArmor events are treated as 'malformed' SELinux
  events when they are actually well-formed AppArmor events.
  
   * This patch modifies the filtration behavior of `ausearch` by making
  the `tclass` field optional, thus making AppArmor events be treated as
  well-formed SELinux events.
  
   * The regression risk with this patch is such that potentially well-
  formed events will be hidden by `ausearch` unintentionally, or truly
  malformed events will be allowed past the filter.
  
   * One major caveat is that regressions with respect to actual SELinux
  events are difficult to test on Ubuntu; some malformed SELinux events
  would potentially be allowed through the filter with this patch, or
  well-formed SELinux events hidden. This patch essentially trades
- correctness in the AppArmor case for correctness in the SELinux case.
+ correctness in the SELinux case for correctness in the AppArmor case.
  
  [ Other info ]
  
   * Debian likely doesn't want this patch, as Debian officially won't be
  making any changes until upstream does [3].
  
   * Upstream `audit` can't move the AppArmor event id to the `1500` range
  any time soon. AppArmor was moved to the `1400` range to align with the
  Linux kernel LSM infrastructure [2].
  
   * This patch comes from SUSE; they've been carrying it for well over a
  decade [4], and they seem to still be carrying it even after switching
  to SELinux by default [5].
  
  Targeted releases: All currently supported releases and all releases
- moving forward until AppArmor moves back to the `1500` event range.
+ moving forward until AppArmor moves back to the `1500` event range or
+ Ubuntu switches to SELinux by default.
  
  [1] Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872726
  [2] AA using 1400 reason: 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872726#39
  [3] Debian `wontfix` closure: 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872726#88
  [4] SUSE KB: 
https://support.scc.suse.com/s/kb/audit-log-file-that-has-the-apparmor-AVC-entries-that-ausearch-can-t-read-1583239408721?language=en_US
  [5] SUSE Patch: 
https://build.opensuse.org/projects/security/packages/audit/files/audit-ausearch-do-not-require-tclass.patch
  
  [ Original bug (for posterity after over a decade) ]
  
  The following command should display all AVC denials:
  
  ausearch -m avc
  
  However, it doesn't work with AppArmor denials. Here's a quick test case
  to generate a denial, search for it with ausearch, and see that no
  messages are displayed:
  
  $ aa-exec -p /usr/sbin/tcpdump cat /proc/self/attr/current
  cat: /proc/self/attr/current: Permission denied
  $ sudo ausearch -m avc -c cat
  <no matches>
  
  ausearch claims that there are no matches, but there's a matching audit
  message if you look in audit.log:
  
  type=AVC msg=audit(1360193426.539:64): apparmor="DENIED"
  operation="open" parent=8253 profile="/usr/sbin/tcpdump"
  name="/proc/8485/attr/current" pid=8485 comm="cat" requested_mask="r"
  denied_mask="r" fsuid=1000 ouid=1000

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1117804

Title:
  ausearch doesn't show AppArmor denial messages

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1117804/+subscriptions


-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to