[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: patch update to ~51

On Thursday 02 June 2005 09:39, David Woodhouse wrote:
> What you suggest would require a complete redesign, and I don't see a
> way of doing it that would have any chance of being acceptable
> upstream.

I checked. It seems like you cannot set watches on an umounted drive and then 
mount it. So, there's no race-free way of setting watches before mounting. 
Watches that are set and then the partition is unmounted & mounted survive.

Watches set on a file within a directory that gets renamed are deleted even 
though the inode is the same:

[root endeavor ~]# auditctl -w /mnt/target/etc/passwd -k test -p rwea
No rules
AUDIT_WATCH_LIST: dev=3:9, path=/mnt/target/etc/passwd, filterkey=test, 
perms=rwea, valid=0
[root endeavor ~]# ls -i /mnt/target/etc/passwd
393220 /mnt/target/etc/passwd
[root endeavor ~]# mv /mnt/target/etc/ /mnt/target/old-etc
[root endeavor ~]# auditctl -l
No rules
No watches
[root endeavor ~]# ls -i /mnt/target/old-etc/passwd
393220 /mnt/target/old-etc/passwd

I don't think this is expected behavior and will lead to bug reports. What's a 
system admin supposed to do? Take a snapshot of the rules at boot and diff 
the current rules with snapshot to see what needs reapplying?


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]