Fwd: Possible regression
---------- Forwarded message ----------
From: 4javier <4javiereg4(a)gmail.com>
Date: 2011/6/2
Subject: Re: Possible regression
To: Steve Grubb <sgrubb(a)redhat.com>
root@Archbox /home/javier $ touch /tmp/test
root@Archbox /home/javier $ cat /tmp/test
root@Archbox /home/javier $ auditctl -w /tmp/test -p wa
root@Archbox /home/javier $ echo ppp >> /tmp/test
root@Archbox /home/javier $ cat /tmp/test
ppp
root@Archbox /home/javier $ ausearch -i -f /tmp/test
<no matches>
root@Archbox /home/javier $ auditctl -l
LIST_RULES: exit,always watch=/tmp/test perm=wa
root@Archbox /home/javier $ echo ppp > /tmp/test
root@Archbox /home/javier $ ausearch -i -f /tmp/test
<no matches>
root@Archbox /home/javier $ ausearch -f /tmp/test
<no matches>
As you can see from auditcrl -l output, rule seems to be correctly set, but
ausearch doesn't show anything.
2011/6/2 Steve Grubb <sgrubb(a)redhat.com>
On Thursday, June 02, 2011 09:45:38 AM you wrote:
> you're right...sorry for my fault...
> I didn't use the -a switch. I read the man, but I cannot understand how
> this settings is able to fix the problem with O_CREAT.
> Could you explain that to me, please?
As far as I know, the problem was fixed in 2006 and there has been no
regression. The -
w command is translated into -a always,exit -F path= under the hood. Its
been this way
since watches were deprecated around 2005/2006.
How were you testing? You might have found a bug and I just don't know how
to
reproduce it.
-Steve
Attachments:
- attachment.html (text/html — 2.1 KB)