peculiar disappearance of most audit rules
Richard Guy Briggs
rgb at redhat.com
Wed Nov 5 16:55:48 UTC 2014
On 14/04/27, Peter Grandi wrote:
> > but in either case, the inodes aren't supposed to be able to
> > be kicked out of core...
>
> But on 3 different systems I have they really seem to be evicted,
> and with regularity, and this does not happen if the inodes are
> kept open.
>
> From the source I have looked at, the *notify code seems to
> attempt to hold on to the inodes that are watched, but perhaps
> it has some hidden assumptions that the 'audit' module does not
> satisfy.

Do you have a reproducer to detect this quickly?

Miklos Szeredi appears to have found the likely cause:
https://lkml.org/lkml/2014/11/4/246

- RGB
--
Richard Guy Briggs <rbriggs at redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545