[Apparmor-general] My AA is logging to syslog instead of /var/log/audit/audit.log

Carlos E. R. robin.listas at telefonica.net
Thu Jan 31 17:37:16 MST 2008


Hi,

I was tuning the syslog profile, when suddenly errors stopped going to 
/var/log/audit/audit.log, and the wizard said there were no errors logged: 
I had to put my profile in complain mode instead of enforce.

Hours later I noticed that the errors are being logged to the kernel 
syslog instead.

I have not changed the global configuration:

-rw-r----- 1 root root 373 Sep 21 23:51 /etc/audit/audit.rules
-rw-r----- 1 root root 448 Sep 21 23:51 /etc/audit/auditd.conf

-rw-r--r-- 1 root root  3868 Sep 22 00:05 /etc/apparmor/logprof.conf
-rw-r--r-- 1 root root     0 Jan 31 02:05 /etc/apparmor/notify.cfg
-rw-r--r-- 1 root root   955 Sep 16 23:16 /etc/apparmor/reports.conf
-rw-r--r-- 1 root root   179 Sep 16 23:16 /etc/apparmor/reports.crontab
-rw------- 1 root root    44 Dec 24 00:39 /etc/apparmor/repository.conf
-rw-r--r-- 1 root root 10398 Sep 22 00:05 /etc/apparmor/severity.db
-rw-r--r-- 1 root root  2032 Dec 20 00:15 /etc/apparmor/subdomain.conf


They are the original files... Only this one is changed, and is in 
complain mode

/etc/apparmor.d/sbin.syslog-ng:

#include <tunables/global>
/sbin/syslog-ng flags=(complain) {
   #include <abstractions/base>
   #include <abstractions/consoles>
   #include <abstractions/nameservice>

   capability chown,
   capability dac_override,
   capability fowner,
   capability fsetid,

   /dev/log w,
   /dev/tty10 rw,
   /dev/xconsole rw,
   /etc/syslog-ng/* r,
   /sbin/syslog-ng mr,
   /usr/local/bin/syslog-askandlogrouterip rUx,
   /var/lib/*/dev/log w,
   /var/log/** w,
   /var/run/syslog-ng.pid w,
}




What did I do? What do I change now? The wizard doesn't work now :-/


-- 
Cheers,
        Carlos Robinson