Bug 166161 - multiple fs_watch, fs_inode records
multiple fs_watch, fs_inode records
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel (Show other bugs)
4.0
All Linux
medium Severity medium
: ---
: ---
Assigned To: David Woodhouse
Brian Brock
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-08-17 13:50 EDT by Linda Knippers
Modified: 2007-11-30 17:07 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-11-21 12:20:44 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Linda Knippers 2005-08-17 13:50:00 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3

Description of problem:
I'm running the sample CAPP rules with the .87 audit kernel and 1.0.1
audit tools.  I'm seeing duplicate watch/inode messages sometimes.

The sample CAPP rules set a watch on all access to /etc/sysconfig
(-w /etc/sysconfig/).  I created a file (ljk) in /etc/sysconfig and
when I update it (echo "1" > /etc/sysconfig/ljk) I get audit
records like below.  Notice that the FS_WATCH and FS_INODE
lines show up twice.  That doesn't seem right.  I have also
found scenarios (create a file in a watched directory) where
I get 3 sets of FS_WATCH and FS_INODE records.

type=SYSCALL msg=audit(1123701552.619:2552): arch=c0000032 syscall=1028 success=yes exit=3 a0=600000000003bdf0 a1=241 a2=1b6 a3=2 items=1 pid=3711 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="bash" exe="/bin/bash"
type=FS_WATCH msg=audit(1123701552.619:2552): watch_inode=554882 watch="sysconfig" filterkey= perm=0 perm_mask=1
type=FS_INODE msg=audit(1123701552.619:2552): inode=554882 inode_uid=0 inode_gid=0 inode_dev=08:13 inode_rdev=00:00
type=FS_WATCH msg=audit(1123701552.619:2552): watch_inode=554882 watch="sysconfig" filterkey= perm=0 perm_mask=1
type=FS_INODE msg=audit(1123701552.619:2552): inode=554882 inode_uid=0 inode_gid=0 inode_dev=08:13 inode_rdev=00:00
type=CWD msg=audit(1123701552.619:2552):  cwd="/home/ljk"
type=PATH msg=audit(1123701552.619:2552): name="/etc/sysconfig/ljk" flags=310  inode=554882 dev=08:13 mode=040755 ouid=0 ogid=0 rdev=00:00


Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1.set a watch on a directory (-w /etc/sysconfig/)
2.create a file in that directory (touch /etc/sysconfig/ljk)
3.update the file (echo "1" > /etc/sysconfig/ljk)

Actual Results:  type=SYSCALL msg=audit(1123701552.619:2552): arch=c0000032 syscall=1028 success=yes exit=3 a0=600000000003bdf0 a1=241 a2=1b6 a3=2 items=1 pid=3711 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="bash" exe="/bin/bash"
type=FS_WATCH msg=audit(1123701552.619:2552): watch_inode=554882 watch="sysconfig" filterkey= perm=0 perm_mask=1
type=FS_INODE msg=audit(1123701552.619:2552): inode=554882 inode_uid=0 inode_gid=0 inode_dev=08:13 inode_rdev=00:00
type=FS_WATCH msg=audit(1123701552.619:2552): watch_inode=554882 watch="sysconfig" filterkey= perm=0 perm_mask=1
type=FS_INODE msg=audit(1123701552.619:2552): inode=554882 inode_uid=0 inode_gid=0 inode_dev=08:13 inode_rdev=00:00
type=CWD msg=audit(1123701552.619:2552):  cwd="/home/ljk"
type=PATH msg=audit(1123701552.619:2552): name="/etc/sysconfig/ljk" flags=310  inode=554882 dev=08:13 mode=040755 ouid=0 ogid=0 rdev=00:00


Expected Results:  Just one set of FS_WATCH/FS_INODE records.

Additional info:
Comment 4 Daniel Riek 2006-11-21 12:12:17 EST
This request is not planned for inclusion in the next update. The decision is
based on weighting the priority and number of requests for a component as well
as the impact on the Red Hat Enterprise Linux user-base: other requests are
considered having higher priority and the number of changes we intend to include
in update cycles is limited.
Comment 5 RHEL Product and Program Management 2006-11-21 12:20:44 EST
Product Management has reviewed and declined this request.  You may appeal this
decision by reopening this request. 

Note You need to log in before you can comment on or make changes to this bug.