[RFC PATCH] audit: correctly record file names with different path name types

Paul Moore pmoore at redhat.com
Wed Dec 3 21:27:34 UTC 2014


On Wednesday, December 03, 2014 09:54:10 AM hujianyang wrote:
> On 2014/12/3 0:02, Paul Moore wrote:
> > First, could you provide the /etc/audit/auditd.conf and
> > /etc/audit/audit.rules files you used for your testing?  I don't
> > understand the configuration script/language you used above.
> 
> /etc/audit/audit.conf
> 
> #
> # This file controls the configuration of the audit daemon
> #

... {snip} ...

> /etc/audit/audit.rules:
> 
> # This file contains the auditctl rules that are loaded
> # whenever the audit daemon is started via the initscripts.
> # The rules are simply the parameters that would be passed
> # to auditctl.

... {snip} ...

I set up my system using your configuration and the system booted and ran the
regression test described in the patch description without problem.  I know of
at least one other person that has tested this patch without problem as well.

> > Second, I tested the patch against the audit tree's stable-3.18 branch,
> > could you (re)test against 3.18-rcX instead of 3.10.X?  There have been a
> > number of changes to the audit subsystem since 3.10 was released and it
> > would surprise me if the patch I posted has problems on 3.10.X.
> > 
> >  * git://git.infradead.org/users/pcmoore/audit stable-3.18
> 
> Sorry, my testing environment is built on an embedded ARM device. Changing
> the kernel version needs lots of changes for device drivers, which is beyond
> my ability.

I know that many embedded systems include several kernel patches that deviate
from the upstream sources (device drivers, etc.); is that the case with your
system?

> I wish you could implement my configuration on your environment and test
> if it's OK. After that, we can list the changes from 3.10 stable to 3.18
> stable.

I did test your configuration, without problem.  I suspect there is some sort 
of conflict between the patch and one of the kernel patches in your system.  
Is there any chance you can debug the problem you saw?

I'm going to remove the CC:stable from the patch description to be safe, but 
as of right now I think it is reasonable to include the patch in the audit 
next branch.

-- 
paul moore
security and virtualization @ redhat



