aa-log: incorrect reading from audit.log

[curiosityseeker]

After every reboot I get the following output from aa-log:

ALLOWED startplasma link owner @{user_cache_dirs}/ksycoca5_de_LQ6f0J2qZg4vOKgw2NbXuW7iuVU -> @{user_cache_dirs}/#@{int} comm=startplasma-way requested_mask=k denied_mask=k

And consequently, aa-log -r reports:

profile startplasma {
  owner @{user_cache_dirs}/ksycoca5_de_LQ6f0J2qZg4vOKgw2NbXuW7iuVU rk -> @{user_cache_dirs}/#@{int},
}

However, the relevant entry in audit.log looks like this:

847: apparmor="ALLOWED" operation="link" class="file" profile="startplasma" name="@{user_cache_dirs}/ksycoca5_de_LQ6f0J2qZg4vOKgw2NbXuW7iuVU=.isNSBz"  comm="startplasma-way" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000 target="@{user_cache_dirs}/#@{int}" FSUID="seeker" OUID="seeker"
849: apparmor="ALLOWED" operation="link" class="file" profile="startplasma" name="@{user_cache_dirs}/ksycoca5_de_LQ6f0J2qZg4vOKgw2NbXuW7iuVU=.rSxlFV"  comm="startplasma-way" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000 target="@{user_cache_dirs}/#@{int}" FSUID="seeker" OUID="seeker"

This means that aa-log is missing the ending =.@{rand6} part of ksycoca5_*. And this is probably the reason why this output pops up every time although the existing rule in the startplasma profile

owner @{user_cache_dirs}/ksycoca5_* rwkl -> @{user_cache_dirs}/#@{int},

should actually already cover this issue.

[roddhjav]

Thanks for this catch. There is an issue in the way aa-log decodes the log. However, as you said, the rule is already present. This actually make me think of a similar problem in #208 (comment).