[pkg-apparmor] Bug#872726: linux: apparmor doesn't use proper audit event ids

Laurent Bigonville bigon at debian.org
Sun Aug 20 14:42:55 UTC 2017


Source: linux
Version: 4.12.6-1
Severity: normal

Hi,

Currently the code in the kernel is not using the expected audit event
ids (it's using the ones allocated to SELinux, 1400 to 1499) when it's
logging its messages (denials, ...).

This has been discussed on linux-audit back in 2014 and again in
2016, but it seems that nothing has moved. This makes ausearch and other
audit tools not list these messages, as they are seen as invalid.

Upstream of the audit framework insists that AppArmor should use
event ids from the range that has been allocated to them (1500-1599).
AFAIKS, the apparmor userspace is already supporting messaging from both
ranges (would be nice if this was confirmed).

IMVHO, in regard to the recent proposal of enabling apparmor in debian
by default, this needs to be addressed first.

Regards,

Laurent Bigonville

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.12.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_BE.UTF-8, LC_CTYPE=fr_BE.UTF-8 (charmap=UTF-8), LANGUAGE=fr_BE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
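
An added example, not part of the original message or of any project's code: a small checker that reads kernel-log style audit records and reports whether records carrying an `apparmor=` field use an id from 1400-1499 or from 1500-1599, the two ranges named in the report. The `type=<id> audit(...)` line layout is an assumption, and the log lines are constructed samples.

```python
import re
from collections import Counter

# Id ranges exactly as given in the bug report.
SELINUX_RANGE = range(1400, 1500)   # 1400 to 1499
APPARMOR_RANGE = range(1500, 1600)  # 1500 to 1599

# Assumed kernel-log layout: "type=<id> audit(<epoch>:<serial>): <fields>"
RECORD_RE = re.compile(r'type=(\d+)\s+audit\((\d+\.\d+):(\d+)\):\s*(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Return (type_id, serial, fields), or None if the line is not an audit record."""
    m = RECORD_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(4))}
    return int(m.group(1)), int(m.group(3)), fields

def classify(line):
    """Label a line by whether it is an AppArmor record and which id range it uses."""
    rec = parse_record(line)
    if rec is None:
        return "not-audit"
    type_id, _serial, fields = rec
    if "apparmor" not in fields:
        return "other-audit"
    if type_id in SELINUX_RANGE:
        return "apparmor-in-selinux-range"
    if type_id in APPARMOR_RANGE:
        return "apparmor-in-apparmor-range"
    return "apparmor-other-id"

def summarize(lines):
    """Count lines per label."""
    return Counter(classify(line) for line in lines)

# Constructed sample lines (not taken from a real system).
SAMPLE_LINES = [
    'audit: type=1400 audit(1503240175.123:42): apparmor="DENIED" operation="open" '
    'profile="/usr/sbin/example" name="/etc/example.conf" pid=812 comm="example"',
    'audit: type=1400 audit(1503240180.456:43): avc:  denied  { read } for pid=900 comm="httpd"',
    'audit: type=1503 audit(1503240190.789:44): apparmor="DENIED" operation="open" '
    'profile="/usr/sbin/example" name="/etc/example.conf" pid=812 comm="example"',
    'usb 1-1: new high-speed USB device number 2 using xhci_hcd',
]

if __name__ == "__main__":
    for label, count in sorted(summarize(SAMPLE_LINES).items()):
        print(f"{count:3d}  {label}")
```

A non-zero `apparmor-in-selinux-range` count on a real log means the running kernel emits AppArmor records under the ids the report describes.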


