patch update to ~51
Steve Grubb
sgrubb at redhat.com
Thu Jun 2 13:28:54 UTC 2005
On Thursday 02 June 2005 08:43, David Woodhouse wrote:
> This is the case when you have a watch on a file but the _directory_ in
> which that file resides has disappeared -- implying that the file itself
> is actually already gone.
I don't think this matters. If you set a rule, shouldn't it exist until
deleted? Imagine the fun if iptables deleted rules when you take an interface
down and up. Also, how do you apply rules to files before mounting a
partition so there are no races?
I would imagine that the file system auditing would hook mount, mkdir, open, &
rename to see if a watch on the global list can be enabled. umount, rmdir,
unlink, rename would keep the rule on the global list, but possibly disable
it from triggering. This would follow the principle of least surprise.
-Steve