http://bugzilla.novell.com/show_bug.cgi?id=546618 Summary: logprof/genprof don't work - changed audit.log format Classification: openSUSE Product: openSUSE 11.2 Version: Milestone 8 Platform: Other OS/Version: All Status: NEW Severity: Critical Priority: P5 - None Component: AppArmor AssignedTo: jeffm@novell.com ReportedBy: suse-beta@cboltz.de QAContact: qa@suse.de Found By: Beta-Customer (using 11.2 M8 + packages from http://ftp.suse.com/pub/people/jeffm/suse/testpkgs/540525) logprof and genprof don't add anything to the profile - for me their behaviour looks as if they would read /dev/null instead of /var/log/audit/audit.log :-( # LANG=C aa-logprof Reading log entries from /var/log/audit/audit.log. Updating AppArmor profiles in /etc/apparmor.d. # (end) I _have_ several lines in audit.log that should cause logprof to ask what to do with these events. The same happens with genprof - it just creates a very small default profile, but does not ask about any of the entries in audit.log. I doubt logprof and genprof really read from /dev/null, so there must be something else. I just compared the audit.log from 11.1 and 11.2. Here are example lines for each: 11.1 type=APPARMOR_AUDIT msg=audit(1255458551.064:476442): operation="file_permission" requested_mask="::w" fsuid=30 name="/home/www/some.host/some.file" pid=2484 parent=20025 profile="/usr/sbin/httpd2-prefork//HANDLING_UNTRUSTED_INPUT" 11.2 type=APPARMOR_ALLOWED msg=audit(1255457955.497:218): operation="file_perm" pid=11537 parent=11536 profile="/home/sys-tmp/test//null-2d" requested_mask="r::" denied_mask="r::" fsuid=1000 ouid=1000 name="/home/sys-tmp/test2" -> the log format has changed! - different order (pid and parent are now after operation, requested_mask and denied_mask are now after profile, ouid added, ...) - different keywords for operation (file_permissions vs. file_perm, new(?) keyword "open", ...) - the //null-2d hat in the 11.2 log line looks also new to me - maybe other changes Please update logprof and genprof to understand the new log format. BTW: To verify this, I copied a audit.log from 11.1 to my 11.2 system - logprof started to ask the usual questions when given this log. So the bug here is really caused by the log format change. -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.