I might need your help with one issue I've encountered. I'm running Debian with the 4.9.20 kernel.
I've compiled the kernel with the options for AppArmor enabled. The installed AppArmor version is the 2.10.95 (auditd is also installed in version 1:2.4-1+b1).
## Kernel Options ##
CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
CONFIG_DEFAULT_SECURITY_APPARMOR=y
CONFIG_DEFAULT_SECURITY="apparmor"
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y
CONFIG_AUDIT=y
## ##
AppArmor itself is working without any issues. If profile is set to enforce mode, then any not allowed operation is being blocked and logged accordingly.
The problem I'm facing now is that AppArmor is not logging anything in complain mode, which makes it very difficult to create a new profile for applications. The strange thing is, that all actions get logged in enforce mode perfectly... (e.g. Apr 17 14:21:56 localhost kernel: [ 2913.082774] audit: type=1400 audit(1492435316.208:54): apparmor="DENIED" operation="open" profile="/usr/sbin/nginx" name="/etc/nginx/nginx.conf" pid=4260 comm="nginx" requested_mask="r" denied_mask="r" fsuid=0 ouid=0)
Does anyone have a cloue what's wrong?
I'd be greateful for any hints.
Kind regards,
Viktor
