peculiar disappearance of most audit rules

Peter Grandi pg at aud.list.sabi.co.UK
Sun Apr 27 20:33:34 UTC 2014


[ .... ]

> What's the kernel in question?

Ubuntu 12.04's 3.2 and SteamOS 3.10.

> audit hasn't used "inotify" in a long time.  We now use
> "fsnotify".

Out of laziness I used 'inotify' to mean both; also at one point
I was looking at some 2.6.x sources as there seemed to be
relevant changes in some mailing list.

> but in either case, the inodes aren't supposed to be able to
> be kicked out of core...

But on 3 different systems I have they really seem to be evicted,
and with regularity, and this does not happen if the inodes are
kept open.

From the source I have looked at, the *notify code seems to
attempt to hold on to the inodes that are watched, but perhaps
it has some hidden assumptions that the 'audit' module does not
satisfy.
