https://bugzilla.novell.com/show_bug.cgi?id=275675 Summary: aa-eventd not fitting to log messages of kernel Product: openSUSE 10.3 Version: Alpha 4 Platform: i586 OS/Version: openSUSE 10.3 Status: NEW Severity: Normal Priority: P5 - None Component: AppArmor AssignedTo: dreynolds@novell.com ReportedBy: ulrich@holeschak.de QAContact: dreynolds@novell.com I am using kernel kernel-2.6.21-8 and apparmor-utils-2.0.2-6 The new apparmor kernel generates audit messages like: type=APPARMOR msg=audit(1179416694.112:68): REJECTING r access to /home/ulrich/program (5011 profile /home/ulrich/program active /home/ulrich/program) aa-eventd tells that this message is unhandled in /var/log/apparmor/event-dispatch.log Reason: the program name is not present any more in the new audit message format. With the following patch it's at least possible to handle the messages again (But i don't know if handling is correct in all cases). Since the program name is missing now in the log i have subsituted it by the profile name ...
--- /home/ulrich/archive/apparmor/aa-eventd 2007-05-17 11:18:19.000000000 +0200
+++ /usr/sbin/aa-eventd 2007-05-17 18:59:28.000000000 +0200
@@ -454,8 +454,9 @@
 $mesg =~ s/%%/%/g;
 }
- if ($mesg =~ /(PERMITTING|REJECTING|AUDITING) (\S+) access to (.+?) \((\S+)\((\d+)\) profile (\S+) active (\S+)\)/) {
- my ($sdmode, $mode, $resource, $prog, $pid, $profile, $hat) = ($1, $2, $3, $4, $5, $6, $7);
+ if ($mesg =~ /(PERMITTING|REJECTING|AUDITING) (\S+) access to (.+?) \((\d+) profile (\S+) active (\S+)\)/) {
+ my ($sdmode, $mode, $resource, $pid, $profile, $hat) = ($1, $2, $3, $4, $5, $6);
+ my $prog = $profile;
 $profile .= "^$hat" if $profile ne $hat;
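Review bot: The new `my $prog = $profile;` silently changes the meaning of the `prog` value this branch later stores (the `path` record pushed at the top of the next hunk appears to carry `$prog`): it now holds the profile name rather than the executable path, and nothing in the record marks the difference, so reports built from these events will show a profile where a binary was expected. The assignment runs before `$profile .= "^$hat"`, so for hats `$prog` is the base profile rather than `profile^hat`; that looks intended but deserves a comment at the assignment, e.g. `# kernel no longer reports the executable; use the profile name as a stand-in for prog`. If the event table is consumed by other tooling, a note in the script header that `prog` is no longer the binary path would keep analysts from treating it as one. The if/elsif chain this hunk rewrites continues outside the hunk.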
@@ -493,8 +494,9 @@
 push @commit_buffer, [ "path", $timestamp, $counter, $profile, $sdmode, $mode, $resource, $prog, $pid, $severity ];
 $inserts++;
- } elsif ($mesg =~ /(PERMITTING|REJECTING|AUDITING) link access from (.+?) to (.+?) \((\S+)\((\d+)\) profile (\S+) active (\S+)\)/) {
- my ($sdmode, $link, $target, $prog, $pid, $profile, $hat) = ($1, $2, $3, $4, $5, $6, $7);
+ } elsif ($mesg =~ /(PERMITTING|REJECTING|AUDITING) link access from (.+?) to (.+?) \((\d+) profile (\S+) active (\S+)\)/) {
+ my ($sdmode, $link, $target, $pid, $profile, $hat) = ($1, $2, $3, $4, $5, $6);
+ my $prog = $profile;
 $profile .= "^$hat" if $profile ne $hat;
@@ -531,8 +533,9 @@
 push @commit_buffer, [ "link", $timestamp, $counter, $profile, $sdmode, $link, $target, $prog, $pid, $severity ];
 $inserts++;
- } elsif ($mesg =~ /(PERMITTING|REJECTING|AUDITING) attribute \((\S*)\) change to (.+)? \((\S+)\((\d+)\) profile (\S+) active (\S+)\)/) {
- my ($sdmode, $attrch, $resource, $prog, $pid, $profile, $hat) = ($1, $2, $3, $4, $5, $6, $7);
+ } elsif ($mesg =~ /(PERMITTING|REJECTING|AUDITING) attribute \((\S*)\) change to (.+)? \((\d+) profile (\S+) active (\S+)\)/) {
+ my ($sdmode, $attrch, $resource, $pid, $profile, $hat) = ($1, $2, $3, $4, $5, $6);
+ my $prog = $profile;
 $profile .= "^$hat" if $profile ne $hat;
@@ -569,8 +572,9 @@
 push @commit_buffer, [ "chattr", $timestamp, $counter, $profile, $sdmode, $resource, $attrch, $prog, $pid, $severity ];
 $inserts++;
- } elsif (m/(PERMITTING|REJECTING) (?:mk|rm)dir on (.+) \((\S+)\((\d+)\) profile (\S+) active (\S+)\)/) {
- my ($sdmode, $resource, $prog, $pid, $profile, $hat) = ($1, $2, $3, $4, $5, $6);
+ } elsif (m/(PERMITTING|REJECTING) (?:mk|rm)dir on (.+) \((\d+) profile (\S+) active (\S+)\)/) {
+ my ($sdmode, $resource, $pid, $profile, $hat) = ($1, $2, $3, $4, $5);
+ my $prog = $profile;
 $profile .= "^$hat" if $profile ne $hat;
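Review bot: The rewritten `mkdir`/`rmdir` branch in the third hunk still matches against `$_` (`elsif (m/.../)`) while every other branch in this patch matches against `$mesg`, the string the `s/%%/%/g` unescape in the first hunk operates on; unless `$_` is guaranteed to hold the same text, a message whose path contains `%%` is parsed here in a different form than in the sibling branches. Since the line is being rewritten anyway, make the target explicit: `} elsif ($mesg =~ m/(PERMITTING|REJECTING) (?:mk|rm)dir on (.+) \((\d+) profile (\S+) active (\S+)\)/) {`. The `xattr` branch in the next hunk matches with a bare `/.../` and has the same question. This hunk sits in the middle of the if/elsif chain and the branch body continues outside it.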
@@ -609,8 +613,9 @@
 push @commit_buffer, [ "path", $timestamp, $counter, $profile, $sdmode, $mode, $resource, $prog, $pid, $severity ];
 $inserts++;
- } elsif (/(PERMITTING|REJECTING) xattr (\S+) on (.+) \((\S+)\((\d+)\) profile (\S+) active (\S+)\)/) {
- my ($sdmode, $xattr_op, $resource, $prog, $pid, $profile, $hat) = ($1, $2, $3, $4, $5, $6, $7);
+ } elsif (/(PERMITTING|REJECTING) xattr (\S+) on (.+) \((\d+) profile (\S+) active (\S+)\)/) {
+ my ($sdmode, $xattr_op, $resource, $pid, $profile, $hat) = ($1, $2, $3, $4, $5, $6);
+ my $prog = $profile;
 $profile .= "^$hat" if $profile ne $hat;
@@ -655,8 +660,9 @@
 push @commit_buffer, [ "path", $timestamp, $counter, $profile, $sdmode, $mode, $resource, $prog, $pid, $severity ];
 $inserts++;
- } elsif ($mesg =~ /(PERMITTING|REJECTING|AUDITING) access to capability '(.+?)' \((\S+)\((\d+)\) profile (\S+) active (\S+)\)/) {
- my ($sdmode, $capability, $prog, $pid, $profile, $hat) = ($1, $2, $3, $4, $5, $6, $7);
+ } elsif ($mesg =~ /(PERMITTING|REJECTING|AUDITING) access to capability '(.+?)' \((\d+) profile (\S+) active (\S+)\)/) {
+ my ($sdmode, $capability, $pid, $profile, $hat) = ($1, $2, $3, $4, $5, $6);
+ my $prog = $profile;
 $profile .= "^$hat" if $profile ne $hat;
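Review bot: In the capability branch of the second hunk the new line `my ($sdmode, $capability, $pid, $profile, $hat) = ($1, $2, $3, $4, $5, $6);` assigns six captures to five variables, but the pattern on the line above has only five groups, so `$6` is always undef and is silently discarded by the list assignment (the removed line had the same stray `$7`). It is harmless today but masks any future drift between the pattern and the variable list; trim it to `= ($1, $2, $3, $4, $5);`. Named captures (`(?<pid>\d+)` with `$+{pid}`) would eliminate this class of slip across all the rewritten branches. The elsif chain continues beyond the hunk.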
@@ -727,8 +733,9 @@
 push @commit_buffer, [ "changing_profile", $timestamp, $counter, "null-complain-profile", "PERMITTING", $pid ];
 $inserts++;
- } elsif ($mesg =~ /(PERMITTING|REJECTING|AUDITING) access to profile replacement \((\S+)\((\d+)\) profile (\S+) active (\S+)\)/) {
- my ($sdmode, $prog, $pid, $profile, $hat) = ($1, $2, $3, $4, $5, $6, $7);
+ } elsif ($mesg =~ /(PERMITTING|REJECTING|AUDITING) access to profile replacement \((\d+) profile (\S+) active (\S+)\)/) {
+ my ($sdmode, $pid, $profile, $hat) = ($1, $2, $3, $4, $5, $6);
+ my $prog = $profile;
 $profile .= "^$hat" if $profile ne $hat;
-- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.
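Review bot: The profile-replacement branch assigns `($1, $2, $3, $4, $5, $6)` to four variables while its pattern has only four groups, so `$5` and `$6` are undef and dropped; the removed line carried the same surplus (`$7`). Change it to `my ($sdmode, $pid, $profile, $hat) = ($1, $2, $3, $4);` so the variable list and the pattern agree. As in the other branches, `my $prog = $profile;` feeds the profile name into whatever record this branch emits under `prog`; a one-line comment saying the kernel no longer supplies the executable name would keep that from being read as a bug later. The branch body and the record it pushes lie outside this hunk.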