[RFC][PATCH] (#6) filesystem auditing

[Stephen Smalley]

Ok, why doesn't the following trigger any audit messages:

# ./auditctl -w /etc/shadow
AUDIT_WATCH : INSERT : SUCCESS

$ passwd
Changing password for user sds.
Changing password for sds
(current) UNIX password:
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.

/etc/shadow was re-created by this transaction.

I did see debugging messages about pushing and popping data on the cache stack.

-- 
Stephen Smalley <sds at tycho.nsa.gov>
National Security Agency