[Bug 546618] New: logprof/genprof don't work - changed audit.log format
http://bugzilla.novell.com/show_bug.cgi?id=546618

Summary: logprof/genprof don't work - changed audit.log format
Classification: openSUSE
Product: openSUSE 11.2
Version: Milestone 8
Platform: Other
OS/Version: All
Status: NEW
Severity: Critical
Priority: P5 - None
Component: AppArmor
AssignedTo: jeffm@novell.com
ReportedBy: suse-beta@cboltz.de
QAContact: qa@suse.de
Found By: Beta-Customer

(using 11.2 M8 + packages from http://ftp.suse.com/pub/people/jeffm/suse/testpkgs/540525)

logprof and genprof don't add anything to the profile - for me their behaviour looks as if they would read /dev/null instead of /var/log/audit/audit.log :-(

# LANG=C aa-logprof
Reading log entries from /var/log/audit/audit.log.
Updating AppArmor profiles in /etc/apparmor.d.
#
(end)

I _have_ several lines in audit.log that should cause logprof to ask what to do with these events.

The same happens with genprof - it just creates a very small default profile, but does not ask about any of the entries in audit.log.

I doubt logprof and genprof really read from /dev/null, so there must be something else. I just compared the audit.log from 11.1 and 11.2. Here are example lines for each:

11.1
type=APPARMOR_AUDIT msg=audit(1255458551.064:476442): operation="file_permission" requested_mask="::w" fsuid=30 name="/home/www/some.host/some.file" pid=2484 parent=20025 profile="/usr/sbin/httpd2-prefork//HANDLING_UNTRUSTED_INPUT"

11.2
type=APPARMOR_ALLOWED msg=audit(1255457955.497:218): operation="file_perm" pid=11537 parent=11536 profile="/home/sys-tmp/test//null-2d" requested_mask="r::" denied_mask="r::" fsuid=1000 ouid=1000 name="/home/sys-tmp/test2"

-> the log format has changed!
- different order (pid and parent are now after operation, requested_mask and denied_mask are now after profile, ouid added, ...)
- different keywords for operation (file_permissions vs. file_perm, new(?) keyword "open", ...)
- the //null-2d hat in the 11.2 log line looks also new to me
- maybe other changes

Please update logprof and genprof to understand the new log format.

BTW: To verify this, I copied an audit.log from 11.1 to my 11.2 system - logprof started to ask the usual questions when given this log. So the bug here is really caused by the log format change.

--
Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
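The format differences listed in the report, as an added example (not part of the original report and not the logprof/genprof code): reading the fields as key=value pairs by name, rather than by position, handles both quoted sample lines. The function names and the alias table are assumptions for illustration; only the one operation rename visible in the two samples is mapped.

```python
import re

# The two sample lines quoted in the report (11.1 first, then 11.2).
LINE_11_1 = (
    'type=APPARMOR_AUDIT msg=audit(1255458551.064:476442): '
    'operation="file_permission" requested_mask="::w" fsuid=30 '
    'name="/home/www/some.host/some.file" pid=2484 parent=20025 '
    'profile="/usr/sbin/httpd2-prefork//HANDLING_UNTRUSTED_INPUT"')
LINE_11_2 = (
    'type=APPARMOR_ALLOWED msg=audit(1255457955.497:218): '
    'operation="file_perm" pid=11537 parent=11536 '
    'profile="/home/sys-tmp/test//null-2d" requested_mask="r::" '
    'denied_mask="r::" fsuid=1000 ouid=1000 name="/home/sys-tmp/test2"')

HEADER = re.compile(r'^type=(APPARMOR_\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value optionally quoted
# Assumption: only the rename visible in the two sample lines is mapped.
OPERATION_ALIASES = {"file_permission": "file_perm"}
NUMERIC = ("pid", "parent", "fsuid", "ouid")

def parse_event(line):
    """Return a dict for an AppArmor audit line, or None if it is not one."""
    head = HEADER.match(line)
    if head is None:
        return None
    event = {"type": head.group(1), "time": head.group(2),
             "serial": int(head.group(3))}
    # Fields are collected by name, so their order in the line is irrelevant.
    for key, value in FIELD.findall(line[head.end():]):
        event[key] = value.strip('"')
    op = event.get("operation")
    event["operation"] = OPERATION_ALIASES.get(op, op)
    for key in NUMERIC:
        if key in event and event[key].isdigit():
            event[key] = int(event[key])
    return event

def split_profile(profile):
    """Split 'profile//hat' into (profile, hat); hat is None when absent."""
    base, _, hat = profile.partition("//")
    return base, (hat or None)

def new_fields(old_line, new_line):
    """Field names present in new_line but missing from old_line."""
    return set(parse_event(new_line)) - set(parse_event(old_line))

if __name__ == "__main__":
    for sample in (LINE_11_1, LINE_11_2):
        print(parse_event(sample))
    print(sorted(new_fields(LINE_11_1, LINE_11_2)))
```
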
User jeffm@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=546618#c1
Jeff Mahoney
User suse-beta@cboltz.de added comment
http://bugzilla.novell.com/show_bug.cgi?id=546618#c2
Christian Boltz
User suse-beta@cboltz.de added comment
http://bugzilla.novell.com/show_bug.cgi?id=546618#c3
--- Comment #3 from Christian Boltz
User jeffm@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=546618#c4
Jeff Mahoney
User swamp@suse.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=546618#c5
Swamp Workflow Management
http://bugzilla.novell.com/show_bug.cgi?id=546618#c6
--- Comment #6 from Christian Boltz
http://bugzilla.novell.com/show_bug.cgi?id=546618#c7
--- Comment #7 from Jeff Mahoney
http://bugzilla.novell.com/show_bug.cgi?id=546618#c8
--- Comment #8 from Stephan Kleine
https://bugzilla.novell.com/show_bug.cgi?id=546618#c9
Andreas Schneider
https://bugzilla.novell.com/show_bug.cgi?id=546618#c10
--- Comment #10 from Jeff Mahoney
https://bugzilla.novell.com/show_bug.cgi?id=546618#c11
--- Comment #11 from Christian Boltz
I expect this to be fixed for 11.4 with the AppArmor 2.5 update.
Good to hear this :-)

BTW: The GPG key of the security:apparmor:factory repo is expired. You should be able to extend it with osc signkey --extend
https://bugzilla.novell.com/show_bug.cgi?id=546618#c12
--- Comment #12 from Christian Boltz
https://bugzilla.novell.com/show_bug.cgi?id=546618#c13
--- Comment #13 from Jeff Mahoney
https://bugzilla.novell.com/show_bug.cgi?id=546618#c14
Jeff Mahoney
https://bugzilla.novell.com/show_bug.cgi?id=546618#c15
Christian Boltz
https://bugzilla.novell.com/show_bug.cgi?id=546618#c16
--- Comment #16 from Dirk Mueller
https://bugzilla.novell.com/show_bug.cgi?id=546618#c17
--- Comment #17 from Bernhard Wiedemann
https://bugzilla.novell.com/show_bug.cgi?id=546618#c18
Swamp Workflow Management
https://bugzilla.novell.com/show_bug.cgi?id=546618#c19
Swamp Workflow Management
https://bugzilla.novell.com/show_bug.cgi?id=546618#c20
Swamp Workflow Management