[Bug 480107] New: Apparmor logs events for "deny" rules in enforce mode
https://bugzilla.novell.com/show_bug.cgi?id=480107

Summary: Apparmor logs events for "deny" rules in enforce mode
Classification: openSUSE
Product: openSUSE 11.1
Version: Final
Platform: Other
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: AppArmor
AssignedTo: jeffm@novell.com
ReportedBy: suse-beta@cboltz.de
QAContact: qa@suse.de
Found By: ---

The latest kernel update (kernel-default-base-2.6.27.18-0.2.1) fixed bug 426159, but brought a small new bug: AppArmor logs events that are covered by "deny" rules in enforce mode.

The expected behaviour is:
- do not log events caused by "deny" rules in enforce mode, except if "audit deny" is used. This expected behaviour is also documented in http://en.opensuse.org/AppArmor/Changes_AppArmor_2_3#Deny_rules
- IMHO: log everything in complain mode, even if a deny rule exists. Reasons:
  - in complain mode, deny rules don't really deny anything (which is a good thing[tm]), so the admin should be aware of what happens
  - hey, it's a learning mode ;-)

The good thing is that logprof does not ask for these events, but at least they clutter up the audit.log.

If you need a reproducer, you can use my test script and profile from bug 426159 - just put it into enforce mode and watch audit.log.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
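
The two rule forms the report distinguishes, shown as an added example that is not part of the original report or of the reporter's test profile from bug 426159. The program path and file paths are hypothetical, and the comments state the logging behaviour the report describes as expected in enforce mode.

```apparmor
#include <tunables/global>

# Hypothetical program path, constructed for illustration.
/usr/local/bin/example-app {
  #include <abstractions/base>

  # Ordinary allow rule.
  /etc/example-app.conf r,

  # Plain deny: access is refused. Expected behaviour in enforce mode:
  # no entry in audit.log. The bug is that an entry appears anyway.
  deny /etc/example-app/secret.key r,

  # audit deny: access is refused and the refusal is logged.
  # This is the only deny form expected to reach audit.log in enforce mode.
  audit deny /var/lib/example-app/state.db w,
}
```

With this profile loaded in enforce mode, a read of the first denied path and a write to the second should leave exactly one denial entry in audit.log, for the `audit deny` rule; two entries indicate the behaviour reported here.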