capability is reported by LSM_AUDIT and is just the capability number.
capname is reported by the apparmor module and is the name the kernel
knows the capability as.
For now just use capname and silently drop capability when it is found.
https://bugs.launchpad.net/apparmor/+bug/623467
This patch adds some additional testcases to the log parsing
testsuite, to cover rejections for operations that aren't covered by
other testcases (truncate, rename_src, rename_dest, mkdir) as well
as fixing SubDomain.pm to take those operations into account when
parsing log files.
The operations link, unlink, and possibly setattr still need to be
covered by SubDomain.pm.
These replacement routines allow an application to avoid the probing
behavior of earlier versions of change_hat, allowing them to be faster
and have better learning characteristics.
Acked-By: Steve Beattie <steve@ubuntu.com>
Ref: https://bugs.launchpad.net/bugs/431929
Parse log entries containing an ouid.
(I added a testcase to Marc's fix.)
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
The format of audit messages that are redirected to syslog because
auditd isn't running changed between Hardy and Intrepid and now has
the type=NNNN field before the audit tag, like:
Nov 1 22:24:43 box kernel: [ 158.113592] type=1503
audit(1225603483.635:5): operation="inode_permission" requested_mask="r::"
denied_mask="r::" fsuid=7 name="/proc/7034/net/" pid=7034
profile="/usr/sbin/cupsd"
I believe this patch will address the moved type=NNNN field as well as
capturing non-matching logfile input instead of printing it to stdout.
Patch modified by Steve Beattie <sbeattie@ubuntu.com> to take into
account a couple of different situations.
https://bugs.launchpad.net/bugs/271252
https://bugzilla.novell.com/show_bug.cgi?id=441381
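
The log format described in the last message above, as an added example that is not part of the original commits or of the AppArmor code base: a Python parser that accepts the type=NNNN field on either side of the audit(...) tag and collects non-matching lines instead of printing them. The older layout (type after the tag), the function names and the sample lines are assumptions made for this illustration.

```python
import re

# type=NNNN may precede the audit(...) tag (the format quoted above) or
# follow it (assumed older layout); one pattern accepts both.
RECORD = re.compile(
    r'(?:type=(?P<pre>\d+)\s+)?'
    r'audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\):\s*'
    r'(?:type=(?P<post>\d+)\s+)?'
    r'(?P<body>.*)$')
# key="quoted value" or key=bare_value
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Return a dict for an audit record, or None if the line is not one."""
    m = RECORD.search(line)
    rec_type = m and (m.group('pre') or m.group('post'))
    if not rec_type:
        return None
    event = {'type': int(rec_type), 'epoch': m.group('epoch'),
             'serial': int(m.group('serial'))}
    for key, quoted, bare in PAIR.findall(m.group('body')):
        event[key] = bare or quoted
    return event

def parse_log(lines):
    """Return (events, unmatched); unmatched lines are kept, not printed."""
    events, unmatched = [], []
    for line in map(str.rstrip, lines):
        event = parse_line(line)
        if event is None:
            unmatched.append(line)
        else:
            events.append(event)
    return events, unmatched

# Constructed sample input: the record from the text joined onto one line,
# the same record in the assumed older layout, and an unrelated kernel line.
SAMPLE = [
    'Nov 1 22:24:43 box kernel: [ 158.113592] type=1503 '
    'audit(1225603483.635:5): operation="inode_permission" '
    'requested_mask="r::" denied_mask="r::" fsuid=7 '
    'name="/proc/7034/net/" pid=7034 profile="/usr/sbin/cupsd"',
    'Nov 1 22:24:43 box kernel: audit(1225603483.635:5): type=1503 '
    'operation="inode_permission" denied_mask="r::" profile="/usr/sbin/cupsd"',
    'Nov 1 22:24:44 box kernel: [ 158.200000] eth0: link up',
]

if __name__ == '__main__':
    print(parse_log(SAMPLE))
```

Keeping the unmatched lines in a returned list lets a caller log or count them, so a future format change shows up as a growing reject list rather than as silently missing denials.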