another issue with Audit

Loulwa Salem loulwas at us.ibm.com
Mon Apr 24 15:21:55 UTC 2006


This is a really strange problem .. seems like I have a knack for finding those.

I am running lspp.18 kernel (SELinux in permissive mode), audit-1.2.1 on an 
x86_64 system.

Here is what is happening .. someone else please try this and let me know if you 
see the same problem...

# auditctl -w /tmp/file1	>> works fine
# auditctl -w /tmp/file6
Error sending add rule request (File exists)
# auditctl -w /tmp/afile
Error sending add rule request (File exists)
# auditctl -w /tmp/newfile	>> works fine
# auditctl -w /tmp/thefile
Error sending add rule request (File exists)

Here is what I noticed from this pattern ... as long as the length of the file 
name I am adding a watch on is the same, it says the watch already exists... So I 
tried something else to see if only the file name matters or the whole path 
length ...

# mkdir /foo
# auditctl -w /foo/file3	>> notice .. same length as /tmp/file1
Error sending add rule request (File exists)
# auditctl -w /foo/foofile >> notice .. same length as /tmp/newfile
Error sending add rule request (File exists)
# auditctl -w /foo/anotherfile	>> works fine

So you see ... even using a different directory still says the watch exists.

If this is happening with others .. this definitely seems like a bug to me.

Thanks,
-Loulwa
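
To check another system for the pattern reported in the message above, the script below is an added example, not part of the original post and not code from the audit project. The AUDITCTL variable, the probe_watches function and its verdict labels are hypothetical names; only `auditctl -w` and `auditctl -W` are real options.

```shell
#!/bin/sh
# Added example, not from the original post. AUDITCTL, probe_watches and the
# OK/DUP/LEN-COLLISION/FAIL labels are names made up for this sketch.
AUDITCTL=${AUDITCTL:-auditctl}   # override to point at another binary

# Try to add a watch on every path given, in order, and print one verdict each:
#   OK <path>                       watch was added
#   DUP <path>                      add failed, same path was added earlier in this run
#   LEN-COLLISION <path> <earlier>  add failed, and only a *different* path of
#                                   the same length was added earlier
#   FAIL <path>                     add failed for some other reason
# Watches added by this run are removed again before returning.
probe_watches() {
    added=""                                 # newline-separated, in order added
    for p in "$@"; do
        if $AUDITCTL -w "$p" >/dev/null 2>&1; then
            echo "OK $p"
            added="$added$p
"
            continue
        fi
        verdict="FAIL $p"
        while IFS= read -r q; do
            [ -n "$q" ] || continue
            if [ "$q" = "$p" ]; then
                verdict="DUP $p"             # a genuine duplicate wins
                break
            elif [ "${#q}" -eq "${#p}" ] && [ "$verdict" = "FAIL $p" ]; then
                verdict="LEN-COLLISION $p $q"
            fi
        done <<EOF
$added
EOF
        echo "$verdict"
    done
    # Clean up: -W removes a watch that -w added.
    while IFS= read -r q; do
        [ -n "$q" ] || continue
        $AUDITCTL -W "$q" >/dev/null 2>&1 || true
    done <<EOF
$added
EOF
}

# Run as root, e.g.: sh probe.sh /tmp/file1 /tmp/file6 /foo/file3
if [ "$#" -gt 0 ]; then
    probe_watches "$@"
fi
```

Any LEN-COLLISION line means a watch was refused although no identical path had been added in that run, which is the behaviour described in the message.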



