apparmor-notify issue

[subproc]

hi, it's not properly a bug, just i don`t know how to set up aa-notify correctly...

i`m in qubes 3.2, using a debian 9(stretch) template

Affected TemplateVMs:

debian 9, it's the only one in wich i`ve tried to set up apparmor

---

Steps to reproduce the behavior:

after following instruction to set up apparmor, like presented in the whonix wiki, i've installed apparmor-notify and activated with "sudo aa-notify -p"...all that in the debian 9 template...but if i start a vm based on that template, there's no notification by apparmor-notify...
but if i restart the daemon inside the vm tiping another time "sudo aa-notify -p" it start working and denied mesg starts appearing...
then if i stop the vm and restart it the same behavior appear, and i've to kill the "old " aa-notify daemon and restart the service tiping another time "sudo aa-notify -p"

Expected behavior:

having notification by aa-notify, starting a vm based on this template

Actual behavior:

no notification by aa-notify while the daemon is runnig

[subproc]

after a few hours playing around with aa-notify and reading better all the documentation related to apparmor-notify, found in the whonix doc/wiki/bugs/dev somewhere that patrick pointed out that aa-notify in stretch log denied mesg in /var/log/audit/audit.log, but i have no audit.log file...in my debian stretch template it logs to /var/log/kern.log and using "sudo tail -f /var/log/kern.log | grep --line-buffered DENIED" i can see all denied mesg aa-notify is loggin, and more, with a long delay on first mesg i have mesg appearing on my desktop...
so...
now i have a working aa-notify...
if someone want try to use apparmor in a debian stretch template with apparmor-notify, just
needs to
-install apparmor apparmor-notify apparmor-profiles apparmor-profiles-extra (better from stretch-backports repository),
-enable apparmor like explained in the whonix doc
-start the aa-notify daemon with "sudo aa-notify --poll --display $DISPLAY"
then enjoy...
just one thing i can`t understand...the delay on displaying desktop mesg (...in whonix they are istantaneous...)
If someone with more knowledge than me on apparmor has some other better solution or some tips please put a comment
otherwise this bug could be closed

[subproc]

after a few hours playing around with aa-notify and reading better all the documentation related to apparmor-notify, found in the whonix doc/wiki/bugs/dev somewhere that patrick pointed out that aa-notify in stretch log denied mesg in /var/log/audit/audit.log, but i have no audit.log file...in my debian stretch template it logs to /var/log/kern.log and using "sudo tail -f /var/log/kern.log | grep --line-buffered DENIED" i can see all denied mesg aa-notify is loggin, and more, with a long delay on first mesg i have mesg appearing on my desktop...
so...
now i have a working aa-notify...
if someone want try to use apparmor in a debian stretch template with apparmor-notify, just
needs to
-install apparmor apparmor-notify apparmor-profiles apparmor-profiles-extra (better from stretch-backports repository),
-enable apparmor like explained in the whonix doc
-start the aa-notify daemon with "sudo aa-notify --poll --display $DISPLAY"
then enjoy...
just one thing i can`t understand...the delay on displaying desktop mesg (...in whonix they are istantaneous...)
If someone with more knowledge than me on apparmor has some other better solution or some tips please put a comment
otherwise this bug could be closed

[andrewdavidwong]

Closing this as "resolved." If you believe the issue is not yet resolved, or if anyone is still affected by this issue, please leave a comment, and we'll be happy to reopen this. Thank you.

[andrewdavidwong]

Closing this as "resolved." If you believe the issue is not yet resolved, or if anyone is still affected by this issue, please leave a comment, and we'll be happy to reopen this. Thank you.