Re: Logging failed open() calls on /var/log/audit/audit.log
Timothy R. Chavez wrote: [Tue Jun 27 2006, 05:32:46PM EDT]
Maybe because you're executing in the system-call attempting the
access
of audit.log and it's in this context the permissions to do so are
checked. Been awhile, but looking at fs/open.c:do_sys_open, should
there be an fsnotify_open() hook in the error path as well?
That wouldn't help. If do_filp_open() returns an error, we don't have
an inode for the filename the user wanted to open. So we don't have
any additional information to give the hook other than what audit has
already collected.