aa-log should output the "target" as well #168
Closed
curiosityseeker
started this conversation in
Ideas
Replies: 1 comment 2 replies
-
This is a very good point; I will add the target to the output of aa-log.
-
I've come across several cases where aa-log (or aa-logprof) didn't help create a correct rule by not presenting the "target" in /var/log/audit/audit.log. Example:
In aa-log I got the following message:
ALLOWED akonadi_maildispatcher_agent link /home/bob/.config/akonadi/agent_config_akonadi_maildispatcher_agent.CmJRGE comm=akonadi_maildis requested_mask=k denied_mask=k class=file
although the rule
owner @{user_config_dirs}/akonadi/agent_config_akonadi_maildispatcher_agent* rwkl,
is present.
In /var/log/audit/audit.log I found the following entry:
type=AVC msg=audit(1686490443.971:4166): apparmor="ALLOWED" operation="link" class="file" profile="akonadi_maildispatcher_agent" name="/home/bob/.config/akonadi/agent_config_akonadi_maildispatcher_agent.CmJRGE" pid=19277 comm="akonadi_maildis" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000 target="/home/bob/.config/akonadi/#3029891" FSUID="bob" OUID="bob"
The "target" suggested that changing the rule
owner @{user_config_dirs}/akonadi/#[0-9]* rw,
to
owner @{user_config_dirs}/akonadi/#[0-9]* rwk,
would solve the problem. And it did, indeed.
So I suggest that aa-log should output the "target" if it exists in the log file as this makes it easier to solve these kinds of problems.
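Added example (not code from the apparmor.d project or from the poster): a small Go parser that splits an audit.log AVC line of the shape quoted above into its fields, including the enriched uppercase fields (FSUID=, OUID=) that auditd places after a 0x1d group-separator byte (the character that shows up garbled in the post), and renders an aa-log style line with target= appended whenever the kernel logged one. The sample line is constructed from the one in the post; the output layout, the field handling and the LinkPaths helper are assumptions for illustration, not aa-log's actual implementation.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// sample is a constructed audit.log line modelled on the one in the post.
// auditd emits a 0x1d (ASCII group separator) before the enriched, uppercase
// fields (FSUID=, OUID=); many viewers render that byte as a garbled character.
const sample = `type=AVC msg=audit(1686490443.971:4166): apparmor="ALLOWED" operation="link" ` +
	`class="file" profile="akonadi_maildispatcher_agent" ` +
	`name="/home/bob/.config/akonadi/agent_config_akonadi_maildispatcher_agent.CmJRGE" ` +
	`pid=19277 comm="akonadi_maildis" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000 ` +
	`target="/home/bob/.config/akonadi/#3029891"` + "\x1d" + `FSUID="bob" OUID="bob"`

// kvRe matches key=value where the value is either a double-quoted string
// (backslash escapes allowed) or a run of non-blank characters.
var kvRe = regexp.MustCompile(`(\w+)=("(?:[^"\\]|\\.)*"|\S+)`)

// ParseAudit turns one audit line into a map of field name to unquoted value.
// The group separator is normalised to a space first so FSUID/OUID are parsed too.
func ParseAudit(line string) map[string]string {
	ev := make(map[string]string)
	line = strings.ReplaceAll(line, "\x1d", " ")
	for _, m := range kvRe.FindAllStringSubmatch(line, -1) {
		k, v := m[1], m[2]
		if len(v) >= 2 && v[0] == '"' && v[len(v)-1] == '"' {
			v = v[1 : len(v)-1]
		}
		ev[k] = v
	}
	return ev
}

// Format renders the event in the one-line layout quoted in the post and,
// unlike that output, appends target= when the kernel logged one.
func Format(ev map[string]string) string {
	var b strings.Builder
	fmt.Fprintf(&b, "%s %s %s %s", ev["apparmor"], ev["profile"], ev["operation"], ev["name"])
	for _, k := range []string{"comm", "requested_mask", "denied_mask", "class", "target"} {
		if v, ok := ev[k]; ok {
			fmt.Fprintf(&b, " %s=%s", k, v)
		}
	}
	return b.String()
}

// LinkPaths returns every path a link event touches: the new name and, if
// logged, the existing target. Both need a rule covering the requested mask,
// which is exactly what the missing target hid in the post (hypothetical helper).
func LinkPaths(ev map[string]string) []string {
	paths := []string{ev["name"]}
	if t, ok := ev["target"]; ok && ev["operation"] == "link" {
		paths = append(paths, t)
	}
	return paths
}

func main() {
	ev := ParseAudit(sample)
	fmt.Println(Format(ev))
	for _, p := range LinkPaths(ev) {
		fmt.Printf("needs %q on: %s\n", ev["requested_mask"], p)
	}
}
```

Running it prints the same line aa-log showed in the post with target=/home/bob/.config/akonadi/#3029891 appended, and then lists both paths that the link operation needs the k permission on, which is the hint that led to adding k to the #[0-9]* rule.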