* Stephen Smalley (sds(a)tycho.nsa.gov) wrote:
> On Thu, 2005-03-24 at 14:32 -0500, Stephen Smalley wrote:
> > Ok, I see what is happening. You call audit_attach_watch() from d_move,
> > but you will never hit an audit_notify_watch(), hence no audit data upon
> > renames until a subsequent write to the existing file (which never
> > happens for /etc/shadow, as it is always re-created and renamed for each
> > transaction). So a natural question is what else should be calling
> > audit_notify_watch besides permission, exec_permission_lite, and
> > may_delete? d_move? may_create?
>
> I suppose may_create() won't help you, as the child has a negative
> dentry at that point so you have no inode. You will have an inode upon
> the subsequent d_instantiate, but can't tell that you are dealing with a
> "just created" inode versus an already existing one, so you won't know
> that you need to notify of a create. So you are back to post-create
> style hooks for calling audit_notify_watch for file creations, right?
> What was the problem with those, just hook proliferation?
thanks,
-chris
--
Linux Security Modules
http://lsm.immunix.org http://lsm.bkbits.net
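
The create-and-rename pattern the thread describes for /etc/shadow can be reproduced from userspace. The following is an added example, not part of the original message or of the audit patch under discussion: it shows that after the rename the path resolves to a new inode while the original inode is never written again, so a notification that only fires on access to the existing inode sees nothing. The file names, the `swap_result` struct and `replace_by_rename()` are assumptions made for the illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Outcome of one create-and-rename "transaction" on a constructed file. */
struct swap_result {
    int inode_changed;  /* the path now resolves to a different inode */
    int old_nlink;      /* link count of the originally watched inode */
    int old_untouched;  /* old inode kept its size: it was never written */
};

/* Replace <dir>/shadow by writing <dir>/shadow.new and rename()ing it over
 * the existing name. Returns 0 on success, -1 on error. */
int replace_by_rename(const char *dir, struct swap_result *out)
{
    char path[4096], tmp[4096];
    struct stat before, after, old;
    snprintf(path, sizeof path, "%s/shadow", dir);
    snprintf(tmp, sizeof tmp, "%s/shadow.new", dir);

    /* fd stays open: it stands in for a watch pinned to the old inode. */
    int fd = open(path, O_CREAT | O_WRONLY | O_TRUNC, 0600);
    if (fd < 0 || write(fd, "old\n", 4) != 4 || fstat(fd, &before) < 0)
        return -1;

    int nfd = open(tmp, O_CREAT | O_WRONLY | O_TRUNC, 0600);
    if (nfd < 0 || write(nfd, "new entry\n", 10) != 10 || close(nfd) < 0)
        return -1;
    if (rename(tmp, path) < 0 || stat(path, &after) < 0 || fstat(fd, &old) < 0)
        return -1;
    out->inode_changed = before.st_ino != after.st_ino;
    out->old_nlink = (int)old.st_nlink;
    out->old_untouched = old.st_size == 4;
    close(fd);
    unlink(path);
    return 0;
}

int main(void)
{
    char dir[] = "/tmp/renamewatchXXXXXX";
    struct swap_result r;
    if (!mkdtemp(dir) || replace_by_rename(dir, &r) < 0)
        return 1;
    printf("inode changed=%d old nlink=%d old untouched=%d\n", r.inode_changed, r.old_nlink, r.old_untouched);
    return rmdir(dir) < 0;
}
```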