touch-packages team mailing list archive

[Bug 1432350] Re: aa-logprof and aa-genprof work only with audit.log not syslog

 

Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: apparmor (Ubuntu)
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1432350

Title:
  aa-logprof and aa-genprof work only with audit.log not syslog

Status in apparmor package in Ubuntu:
  Confirmed

Bug description:
  Ubuntu 14.10

  apparmor 2.8.98-0ubuntu2

  Analyzing the logs with aa-logprof works when the logs are written by
  auditd:

  # aa-logprof -f /var/log/audit/audit.log 
  Reading log entries from /var/log/audit/audit.log.
  Updating AppArmor profiles in /etc/apparmor.d.
  Complain-mode changes:
  WARN: unknown capability: CAP_setgid

  Profile:    /usr/sbin/havp
  Capability: setgid
  Severity:   unknown

   [1 - #include <abstractions/dovecot-common>]
    2 - #include <abstractions/postfix-common> 
    3 - capability setgid 
  [(A)llow] / (D)eny / (I)gnore / Audi(t) / Abo(r)t / (F)inish

  
  It does not work when the logs are written to /var/log/syslog:
  root@apparmor:~# aa-logprof 
  Reading log entries from /var/log/syslog.
  Updating AppArmor profiles in /etc/apparmor.d.

  One contained message:
  Mar 15 13:20:07 test kernel: [ 3349.757377] audit: type=1400 audit(1426422007.555:122): apparmor="DENIED" operation="unlink" profile="/usr/sbin/havp" name="/run/havp/havp.pid" pid=10888 comm="havp" requested_mask="d" denied_mask="d" fsuid=109 ouid=109

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1432350/+subscriptions
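
For reviewing denials that end up in /var/log/syslog, here is an added example (not part of the bug report and not AppArmor's own code) that extracts the same fields from the syslog line quoted above and from the audit.log layout. The audit.log sample line and the function names are constructed for illustration, and hex-encoded `name=` values are not decoded.

```python
import re
import shlex

# The syslog line is the one quoted in the bug report; the audit.log line is a
# constructed rendering of the same event in the layout auditd writes.
SYSLOG_LINE = ('Mar 15 13:20:07 test kernel: [ 3349.757377] audit: type=1400 '
               'audit(1426422007.555:122): apparmor="DENIED" operation="unlink" '
               'profile="/usr/sbin/havp" name="/run/havp/havp.pid" pid=10888 '
               'comm="havp" requested_mask="d" denied_mask="d" fsuid=109 ouid=109')
AUDIT_LINE = ('type=AVC msg=audit(1426422007.555:122): apparmor="DENIED" '
              'operation="unlink" profile="/usr/sbin/havp" '
              'name="/run/havp/havp.pid" pid=10888 comm="havp" '
              'requested_mask="d" denied_mask="d" fsuid=109 ouid=109')

# Both layouts contain "audit(<epoch>:<serial>): key=value ..."; only the prefix differs.
EVENT = re.compile(r'audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$')


def parse_apparmor_event(line):
    """Return the event's fields as a dict, or None if it is not an AppArmor event."""
    m = EVENT.search(line.strip())
    if not m or 'apparmor=' not in m.group('body'):
        return None
    fields = {'epoch': float(m.group('epoch')), 'serial': int(m.group('serial'))}
    try:
        tokens = shlex.split(m.group('body'))  # strips the double quotes
    except ValueError:                         # unbalanced quote: skip the line
        return None
    for token in tokens:
        key, sep, value = token.partition('=')
        if sep:
            fields[key] = value
    return fields


def denials(lines):
    """Yield (profile, operation, name, denied_mask) for every DENIED event."""
    for line in lines:
        ev = parse_apparmor_event(line)
        if ev and ev.get('apparmor') == 'DENIED':
            yield (ev.get('profile'), ev.get('operation'),
                   ev.get('name'), ev.get('denied_mask'))


if __name__ == '__main__':
    for d in denials([SYSLOG_LINE, AUDIT_LINE, 'Mar 15 13:20:08 test sshd[1]: unrelated']):
        print(d)
```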

