I am looking for a way to easily reverse a single line from /var/log/syslog reported by AppArmor for a profile in complain mode. I have seen that using aa-genprof that it uses what is reported to the syslog to help generate rules. For the most part I have been able to hand write my rules to allow what is needed but I am now stuck with these two lines from my syslog:
[88529.103991] audit: type=1400 audit(1414408592.500:5298): apparmor="ALLOWED" operation="mount" info="failed type match" error=-13 profile="docker-das" name="/var/lib/docker/btrfs/" pid=9289 comm="docker" srcname="/var/lib/docker/btrfs/" flags="rw, bind"
[88529.104010] audit: type=1400 audit(1414408592.500:5299): apparmor="ALLOWED" operation="mount" info="failed type match" error=-13 profile="docker-das" name="/var/lib/docker/btrfs/" pid=9289 comm="docker" flags="rw, private"
I have tried adding the following line (and several variants while fiddling) to my docker-das profile but to no avail:
mount fstype=btrfs -> /var/lib/docker/btrfs/
The only reason I can see that this wouldn't work is that comm is equal to docker as opposed to mount (which it is when using native mount commands).
Unfortunately I can't seem to get aa-genprof to be of any help (I believe due to the profile having a non standard name) and the AppArmor documentation (although helpful now I have found the right page in their wiki) is a mess.
If there is an easy way of generating the required line then that would be great knowledge to have, otherwise, can anyone see what is wrong with the rule or work out what rule I need to allow the mounts shown in the logs. What I would like is to have the strongest match for a log line so that then I can decide which parts aren't necessary.
