[RFC] Testcase Scenarios for Auditfs Code

Stephen Smalley sds at tycho.nsa.gov
Thu Apr 28 19:12:04 UTC 2005


On Thu, 2005-04-28 at 15:03 -0400, Stephen Smalley wrote:
> What concerns me is unclear/unstable semantics and a lack of a clear
> subdivision between this mechanism and the inode-based syscall filters:
> - Auditing may or may not be preserved on hard links when using the
> watches depending on memory pressure, reboots, or whether the watched
> name is unlinked; is always preserved for inode-based watches.
> - Auditing is never preserved for renames when using the watches; is
> always preserved for inode-based watches.
> - Auditing is automatically enabled for new files when they are created
> in watched locations when using watches; requires userspace modification
> to achieve with inode-based watches.

Sorry, terminology error - s/inode-based watches/inode-based syscall
filters/g

-- 
Stephen Smalley <sds at tycho.nsa.gov>
National Security Agency




More information about the Linux-audit mailing list