operation="connect" can be file socket or network - logparser.py only handles network

Bug #1472368 reported by Christian Boltz
This bug affects 2 people
Affects: AppArmor
Status: Invalid
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

From bug 1466812 comment 14

audit: type=1400 audit(1436258489.774:2313141): apparmor="DENIED" operation="connect" profile="/usr/sbin/apache2" name="/run/mysqld/mysqld.sock" pid=24866 comm="apache2" requested_mask="wr" denied_mask="wr" fsuid=33 ouid=105

aa-logprof ignores this log entry because it assumes "connect" always means a network operation.

Some discussion on #apparmor brought up that "connect" can be a) network and b) file socket, so the tools are 50% correct ;-)

Christian Boltz (cboltz) wrote :

I just re-tested - test_multi.multi says AA_RECORD_INVALID, so this is most probably a problem with libapparmor not recognizing the log format.

tags: added: aa-parser
Christian Boltz (cboltz) wrote :

Just checked bug 1466812 comment 14 again, and it says "aa-logprof ignore that syslog entry."

Based on the KernLog.txt attached to that bug report, my guess is that the pasted log was just shortened and originally probably was something like

Jun 19 11:27:18 piorun kernel: [4473098.373514] audit: type=1400 [...]

Based on that, I'll close this bug as invalid.

Changed in apparmor:
status: New → Invalid
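
The two meanings of operation="connect" from the bug description, as an added example that is not code from logparser.py, libapparmor or this report. It assumes network denials carry family/sock_type fields and file-socket denials carry a path in name; the network sample line is constructed, and the function names are hypothetical.

```python
import re

# key="quoted" or key=bare pairs as they appear in an audit record
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Line quoted in the bug description (file socket)
FILE_LINE = ('audit: type=1400 audit(1436258489.774:2313141): apparmor="DENIED" '
             'operation="connect" profile="/usr/sbin/apache2" '
             'name="/run/mysqld/mysqld.sock" pid=24866 comm="apache2" '
             'requested_mask="wr" denied_mask="wr" fsuid=33 ouid=105')
# Constructed sample of a network connect denial (not from the report)
NET_LINE = ('audit: type=1400 audit(1436258489.774:2313142): apparmor="DENIED" '
            'operation="connect" profile="/usr/sbin/apache2" pid=24866 '
            'comm="apache2" family="inet" sock_type="stream" protocol=6')

def parse_fields(line):
    """Return the key=value pairs of one audit line as a dict."""
    return {key: quoted or bare for key, quoted, bare in _KV.findall(line)}

def classify_connect(line):
    """Return 'network', 'file', 'unknown', or None if not an AppArmor connect."""
    f = parse_fields(line)
    if "apparmor" not in f or f.get("operation") != "connect":
        return None
    if "family" in f or "sock_type" in f:    # assumed network mediation fields
        return "network"
    if f.get("name", "").startswith("/"):    # filesystem path: socket file
        return "file"
    return "unknown"

def suggest_rule(line):
    """Sketch the profile rule an admin would review for a connect denial."""
    f = parse_fields(line)
    kind = classify_connect(line)
    if kind == "file":
        # Order the denied permissions with r before w (the log shows "wr")
        perms = "".join(sorted(set(f.get("denied_mask", "")), key="rwaklmx".find))
        return f"{f['name']} {perms},"
    if kind == "network":
        parts = ("network", f.get("family"), f.get("sock_type"))
        return " ".join(p for p in parts if p) + ","
    return None

if __name__ == "__main__":
    for sample in (FILE_LINE, NET_LINE):
        print(classify_connect(sample), "->", suggest_rule(sample))
```
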