Comment 16 for bug 340183
Revision history for this message
| Steve Beattie (sbeattie) wrote Re: [Bug 340183] Re: aa-genprof creates empty profiles from /var/log/messages entries (works fine with auditd) | #16 |
On Sat, Mar 14, 2009 at 01:37:02PM -0000, Dariusz Suchojad wrote:
> apparmor | auditd | OK? |
> -------
> 2.3+1289-
> 2.3+1289-
Can you tell me where the above apparmor version came
from? I don't see it on the list of published packages at
https:/
> 2.3+1289-
> 2.3+1289-
> 2.3+1289-
Can you make sure you're updating libapparmor1 at the same time? As
that's where I believe the issue is located. IIRC, the packaging is set
up so that there is not a tight version dependency between the various
packages, and so upgrading the apparmor package won't pull in the
libapparmor1 update by default.
('dpkg -l "*apparmor*" auditd libaudit0' will report versions for all
the apparmor and audit packages installed.)
> What I don't understand is why aa-genprof doesn't mark the logs with a beginning
> marker to know where to start reading messages from? I.e. the first line in logs
> after starting aa-genprof is
>
> Mar 14 14:19:03 xerxes kernel: [ 2827.572460] type=1505
> audit(123703674
> name="/
>
> Shouldn't there always be a GenProf marker first?
You should see something like
Mar 14 11:13:56 jj-amd64 ubuntu: GenProf: 4995bc33fda53c4
in /var/log/messages, at least when auditd is not running.
Ah, I see one additional problem, if /var/log/
even if auditd is not running, genprof won't write the marker. Hrm.
--
Steve Beattie
<email address hidden>
http://