From mboxrd@z Thu Jan  1 00:00:00 1970
From: Tony Jones <tonyj@suse.de>
Subject: Re: [PATCH] userspace: audit: ausearch doesn't return entries for
	AppArmor events that exist in the log
Date: Fri, 30 May 2014 17:01:39 -0700
Message-ID: <53891BE3.3060409@suse.de>
References: <53866422.5010709@suse.de> <31153503.SQnCbJNRtA@x2>
	<20140530201644.GA22335@boyd> <9810096.ghxOlbMYMG@x2>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <9810096.ghxOlbMYMG@x2>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Steve Grubb <sgrubb@redhat.com>, Tyler Hicks <tyhicks@canonical.com>
Cc: wpreston@suse.com, linux-audit@redhat.com, seth.arnold@canonical.com
List-Id: linux-audit@redhat.com

On 05/30/2014 02:00 PM, Steve Grubb wrote:

> This is a big mistake, IMHO. In theory, this is what should have happened:
>  An access decisionl event should have been named in the 1500 block. It would 
> then be free to include the field it needs in the order it needs. The ausearch 
> would get a function parse_aa_decision. That function would stuff a struct 
> specially tuned for AA usage. Aureport would gain a new report.

The very original AA submission logged everything from the kernel using AUDIT_AA which was defined in the submission as:

+#define AUDIT_AA 1500 /* AppArmor audit */

I'm not sure when the change was made to call common_lsm_audit() which logs as AUDIT_AVC. I agree with Steve, doesn't seem a good idea.

tony