From mboxrd@z Thu Jan  1 00:00:00 1970
From: Tony Jones <tonyj@suse.de>
Subject: Re: [PATCH] userspace: audit: ausearch doesn't return entries for
	AppArmor events that exist in the log
Date: Tue, 03 Jun 2014 09:34:25 -0700
Message-ID: <538DF911.9010807@suse.de>
References: <53866422.5010709@suse.de> <20140529083152.GA18710@boyd>
	<538D1E46.9040909@suse.de> <1418765.RMuE53Kd9z@x2>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <1418765.RMuE53Kd9z@x2>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Steve Grubb <sgrubb@redhat.com>
Cc: wpreston@suse.com, linux-audit@redhat.com, seth.arnold@canonical.com
List-Id: linux-audit@redhat.com

On 06/03/2014 07:47 AM, Steve Grubb wrote:
> Yep. So, the question is really how to fix this. Should we have a different 
> function that is swung in with #ifdef WITH_APPARMOR called parse_aa_avc? Then 
> it can be tuned exactly for AppArmor's needs? Later, the kernel event number 
> can be changed and the switch/case can pick that up. Also, are there other AA 
> events that are missing in action? The ausearch-test should tell you.

We'll take the patch (locally) for SLES.  Seems to me, since there really isn't any AppArmor awareness in audit at present that the AppArmor developers 
may as well fix the kernel event numbering first,  audit userspace after that .... anyhow, I see no point considering the previous patch for upstreaming.

Thanks

Tony