From mboxrd@z Thu Jan 1 00:00:00 1970
From: Tony Jones
Subject: Re: [PATCH] userspace: audit: ausearch doesn't return entries for AppArmor events that exist in the log
Date: Mon, 02 Jun 2014 18:00:54 -0700
Message-ID: <538D1E46.9040909@suse.de>
References: <53866422.5010709@suse.de> <20140529083152.GA18710@boyd>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
In-Reply-To: <20140529083152.GA18710@boyd>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Tyler Hicks
Cc: wpreston@suse.com, linux-audit@redhat.com, seth.arnold@canonical.com
List-Id: linux-audit@redhat.com

On 05/29/2014 01:31 AM, Tyler Hicks wrote:
> I'm surprised that this patch makes ausearch work correctly for AppArmor
> AVC events. The first thing that parse_avc() does is look for the
> "avc: " term in the AVCs that SELinux generates. AppArmor's AVCs don't
> include that string, so an.avc_result and an.avc_perm would not be set,
> would they?

That patch does "work" (tested w/ svn trunk). After I read your comment I
looked at the code and I was confused also, as 'avc_result == AVC_UNSET',
but find_avc(), which checks against UNSET, isn't being called; rather the
record gets selected for output by 'n = list_get_cur(l)'
[ausearch-match.c:113]. I would need to spend more time to fully understand
what is happening in the code.
$ cat log
type=AVC msg=audit(1390876383.602:15646): apparmor="DENIED" operation="open" parent=21147 profile="/tmp/ls" name="/var/log/audit/" pid=21598 comm="ls" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1390936201.188:15647): apparmor="ALLOWED" operation="file_lock" parent=7873 profile="/usr/sbin/sshd" name="/tmp/pam_krb5_tmp_FqhNDa" pid=7875 comm="sshd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0

$ /tmp/audit/sbin/ausearch -m AVC -if ./log
----
time->Mon Jan 27 18:33:03 2014
type=AVC msg=audit(1390876383.602:15646): apparmor="DENIED" operation="open" parent=21147 profile="/tmp/ls" name="/var/log/audit/" pid=21598 comm="ls" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
----
time->Tue Jan 28 11:10:01 2014
type=AVC msg=audit(1390936201.188:15647): apparmor="ALLOWED" operation="file_lock" parent=7873 profile="/usr/sbin/sshd" name="/tmp/pam_krb5_tmp_FqhNDa" pid=7875 comm="sshd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0

Without patch, ausearch just outputs ""

tony
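The point under discussion in this thread is that an AVC matcher keyed on the literal "avc: " term (the SELinux record shape) never sees AppArmor's type=AVC records, which carry their decision in apparmor="..." and their permission in denied_mask/requested_mask instead. The following is an added illustration, not code from this thread or from the audit project: a small audit-record parser that extracts a result and permission from both record shapes and a search function with a flag that reproduces the "avc: "-only behaviour. The two AppArmor lines are the ones from the log above; the SELinux-style line is constructed for contrast, and the parse_avc-like matching here is a simplified imitation of what Tyler describes, not the ausearch implementation.

```python
import re

# The two AppArmor records from the log in this thread.
APPARMOR_LOG = """\
type=AVC msg=audit(1390876383.602:15646): apparmor="DENIED" operation="open" parent=21147 profile="/tmp/ls" name="/var/log/audit/" pid=21598 comm="ls" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1390936201.188:15647): apparmor="ALLOWED" operation="file_lock" parent=7873 profile="/usr/sbin/sshd" name="/tmp/pam_krb5_tmp_FqhNDa" pid=7875 comm="sshd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
"""

# A constructed SELinux-style AVC record (not from the thread), shown for contrast:
# it carries the "avc: " term that an SELinux-only matcher looks for.
SELINUX_LOG = """\
type=AVC msg=audit(1390876400.000:15648): avc:  denied  { read } for  pid=1234 comm="cat" name="shadow" dev="sda1" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

# Common audit record header: type=... msg=audit(<seconds>.<millis>:<serial>): <body>
_HEADER = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$'
)
# key=value pairs; values are either double-quoted strings or bare tokens.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
# SELinux decision word and permission set, e.g. 'avc:  denied  { read }'.
_SELINUX_AVC = re.compile(r'avc:\s+(granted|denied)\s+\{\s*([^}]*?)\s*\}')


def parse_record(line):
    """Parse one audit record into a dict, or return None if it is not a record."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    rec = {
        "type": m.group("type"),
        "time": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "fields": {k: v.strip('"') for k, v in _KV.findall(body)},
        "avc_result": None,
        "avc_perm": None,
    }
    sm = _SELINUX_AVC.search(body)
    if sm:
        # SELinux shape: decision and permissions follow the "avc: " term.
        rec["avc_result"] = sm.group(1)
        rec["avc_perm"] = sm.group(2)
    elif "apparmor" in rec["fields"]:
        # AppArmor shape: decision in apparmor="...", permission in the mask fields.
        rec["avc_result"] = rec["fields"]["apparmor"].lower()
        rec["avc_perm"] = rec["fields"].get("denied_mask") or rec["fields"].get("requested_mask", "")
    return rec


def search(log_text, msgtype="AVC", selinux_only=False):
    """Return the records of the given type.

    With selinux_only=True, only records containing the literal "avc: " term are
    returned, which is the behaviour that drops AppArmor events from the results.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["type"] != msgtype:
            continue
        if selinux_only and "avc: " not in line:
            continue
        hits.append(rec)
    return hits


if __name__ == "__main__":
    combined = APPARMOR_LOG + SELINUX_LOG
    print("all AVC records:      ", len(search(combined)))
    print("'avc: '-only matcher: ", len(search(combined, selinux_only=True)))
    for rec in search(combined):
        f = rec["fields"]
        print(rec["serial"], rec["avc_result"], rec["avc_perm"],
              f.get("profile") or f.get("scontext"), f.get("name"))
```

Run stand-alone, the script shows three AVC records with the permissive matcher but only the constructed SELinux one with the "avc: "-only matcher, which is the gap the patch in this thread is about. A matcher that also accepts the apparmor= key (as parse_record does) reports denied/allowed and the mask for the AppArmor records, so searches such as "-m AVC" would no longer silently miss them.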