Bug 166161

Summary: multiple fs_watch, fs_inode records
Product: Red Hat Enterprise Linux 4 Reporter: Linda Knippers <linda.knippers>
Component: kernelAssignee: David Woodhouse <dwmw2>
Status: CLOSED WONTFIX QA Contact: Brian Brock <bbrock>
Severity: medium Docs Contact:
Priority: medium    
Version: 4.0CC: jbaron
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2006-11-21 17:20:44 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Linda Knippers 2005-08-17 17:50:00 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3

Description of problem:
I'm running the sample CAPP rules with the .87 audit kernel and 1.0.1
audit tools.  I'm seeing duplicate watch/inode messages sometimes.

The sample CAPP rules set a watch on all access to /etc/sysconfig
(-w /etc/sysconfig/).  I created a file (ljk) in /etc/sysconfig and
when I update it (echo "1" > /etc/sysconfig/ljk) I get audit
records like below.  Notice that the FS_WATCH and FS_INODE
lines show up twice.  That doesn't seem right.  I have also
found scenarios (create a file in a watched directory) where
I get 3 sets of FS_WATCH and FS_INODE records.

type=SYSCALL msg=audit(1123701552.619:2552): arch=c0000032 syscall=1028 success=yes exit=3 a0=600000000003bdf0 a1=241 a2=1b6 a3=2 items=1 pid=3711 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="bash" exe="/bin/bash"
type=FS_WATCH msg=audit(1123701552.619:2552): watch_inode=554882 watch="sysconfig" filterkey= perm=0 perm_mask=1
type=FS_INODE msg=audit(1123701552.619:2552): inode=554882 inode_uid=0 inode_gid=0 inode_dev=08:13 inode_rdev=00:00
type=FS_WATCH msg=audit(1123701552.619:2552): watch_inode=554882 watch="sysconfig" filterkey= perm=0 perm_mask=1
type=FS_INODE msg=audit(1123701552.619:2552): inode=554882 inode_uid=0 inode_gid=0 inode_dev=08:13 inode_rdev=00:00
type=CWD msg=audit(1123701552.619:2552):  cwd="/home/ljk"
type=PATH msg=audit(1123701552.619:2552): name="/etc/sysconfig/ljk" flags=310  inode=554882 dev=08:13 mode=040755 ouid=0 ogid=0 rdev=00:00


Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1.set a watch on a directory (-w /etc/sysconfig/)
2.create a file in that directory (touch /etc/sysconfig/ljk)
3.update the file (echo "1" > /etc/sysconfig/ljk)

Actual Results:  type=SYSCALL msg=audit(1123701552.619:2552): arch=c0000032 syscall=1028 success=yes exit=3 a0=600000000003bdf0 a1=241 a2=1b6 a3=2 items=1 pid=3711 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="bash" exe="/bin/bash"
type=FS_WATCH msg=audit(1123701552.619:2552): watch_inode=554882 watch="sysconfig" filterkey= perm=0 perm_mask=1
type=FS_INODE msg=audit(1123701552.619:2552): inode=554882 inode_uid=0 inode_gid=0 inode_dev=08:13 inode_rdev=00:00
type=FS_WATCH msg=audit(1123701552.619:2552): watch_inode=554882 watch="sysconfig" filterkey= perm=0 perm_mask=1
type=FS_INODE msg=audit(1123701552.619:2552): inode=554882 inode_uid=0 inode_gid=0 inode_dev=08:13 inode_rdev=00:00
type=CWD msg=audit(1123701552.619:2552):  cwd="/home/ljk"
type=PATH msg=audit(1123701552.619:2552): name="/etc/sysconfig/ljk" flags=310  inode=554882 dev=08:13 mode=040755 ouid=0 ogid=0 rdev=00:00


Expected Results:  Just one set of FS_WATCH/FS_INODE records.

Additional info:
Comment 4 Daniel Riek 2006-11-21 17:12:17 UTC 
This request is not planned for inclusion in the next update. The decision is
based on weighting the priority and number of requests for a component as well
as the impact on the Red Hat Enterprise Linux user-base: other requests are
considered having higher priority and the number of changes we intend to include
in update cycles is limited.
Comment 5 RHEL Program Management 2006-11-21 17:20:44 UTC 
Product Management has reviewed and declined this request.  You may appeal this
decision by reopening this request.