Bug 166161 - multiple fs_watch, fs_inode records
Summary: multiple fs_watch, fs_inode records
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
Version: 4.0
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
: ---
Assignee: David Woodhouse
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2005-08-17 17:50 UTC by Linda Knippers
Modified: 2007-11-30 22:07 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-11-21 17:20:44 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)

Description Linda Knippers 2005-08-17 17:50:00 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3

Description of problem:
I'm running the sample CAPP rules with the .87 audit kernel and 1.0.1
audit tools.  I'm seeing duplicate watch/inode messages sometimes.

The sample CAPP rules set a watch on all access to /etc/sysconfig
(-w /etc/sysconfig/).  I created a file (ljk) in /etc/sysconfig and
when I update it (echo "1" > /etc/sysconfig/ljk) I get audit
records like below.  Notice that the FS_WATCH and FS_INODE
lines show up twice.  That doesn't seem right.  I have also
found scenarios (create a file in a watched directory) where
I get 3 sets of FS_WATCH and FS_INODE records.

type=SYSCALL msg=audit(1123701552.619:2552): arch=c0000032 syscall=1028 success=yes exit=3 a0=600000000003bdf0 a1=241 a2=1b6 a3=2 items=1 pid=3711 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="bash" exe="/bin/bash"
type=FS_WATCH msg=audit(1123701552.619:2552): watch_inode=554882 watch="sysconfig" filterkey= perm=0 perm_mask=1
type=FS_INODE msg=audit(1123701552.619:2552): inode=554882 inode_uid=0 inode_gid=0 inode_dev=08:13 inode_rdev=00:00
type=FS_WATCH msg=audit(1123701552.619:2552): watch_inode=554882 watch="sysconfig" filterkey= perm=0 perm_mask=1
type=FS_INODE msg=audit(1123701552.619:2552): inode=554882 inode_uid=0 inode_gid=0 inode_dev=08:13 inode_rdev=00:00
type=CWD msg=audit(1123701552.619:2552):  cwd="/home/ljk"
type=PATH msg=audit(1123701552.619:2552): name="/etc/sysconfig/ljk" flags=310  inode=554882 dev=08:13 mode=040755 ouid=0 ogid=0 rdev=00:00


Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1.set a watch on a directory (-w /etc/sysconfig/)
2.create a file in that directory (touch /etc/sysconfig/ljk)
3.update the file (echo "1" > /etc/sysconfig/ljk)

Actual Results:  type=SYSCALL msg=audit(1123701552.619:2552): arch=c0000032 syscall=1028 success=yes exit=3 a0=600000000003bdf0 a1=241 a2=1b6 a3=2 items=1 pid=3711 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="bash" exe="/bin/bash"
type=FS_WATCH msg=audit(1123701552.619:2552): watch_inode=554882 watch="sysconfig" filterkey= perm=0 perm_mask=1
type=FS_INODE msg=audit(1123701552.619:2552): inode=554882 inode_uid=0 inode_gid=0 inode_dev=08:13 inode_rdev=00:00
type=FS_WATCH msg=audit(1123701552.619:2552): watch_inode=554882 watch="sysconfig" filterkey= perm=0 perm_mask=1
type=FS_INODE msg=audit(1123701552.619:2552): inode=554882 inode_uid=0 inode_gid=0 inode_dev=08:13 inode_rdev=00:00
type=CWD msg=audit(1123701552.619:2552):  cwd="/home/ljk"
type=PATH msg=audit(1123701552.619:2552): name="/etc/sysconfig/ljk" flags=310  inode=554882 dev=08:13 mode=040755 ouid=0 ogid=0 rdev=00:00


Expected Results:  Just one set of FS_WATCH/FS_INODE records.

Additional info:

Comment 4 Daniel Riek 2006-11-21 17:12:17 UTC
This request is not planned for inclusion in the next update. The decision is
based on weighting the priority and number of requests for a component as well
as the impact on the Red Hat Enterprise Linux user-base: other requests are
considered having higher priority and the number of changes we intend to include
in update cycles is limited.

Comment 5 RHEL Program Management 2006-11-21 17:20:44 UTC
Product Management has reviewed and declined this request.  You may appeal this
decision by reopening this request. 


Note You need to log in before you can comment on or make changes to this bug.