From Bugzilla Helper: User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3 Description of problem: I'm running the sample CAPP rules with the .87 audit kernel and 1.0.1 audit tools. I'm seeing duplicate watch/inode messages sometimes. The sample CAPP rules set a watch on all access to /etc/sysconfig (-w /etc/sysconfig/). I created a file (ljk) in /etc/sysconfig and when I update it (echo "1" > /etc/sysconfig/ljk) I get audit records like below. Notice that the FS_WATCH and FS_INODE lines show up twice. That doesn't seem right. I have also found scenarios (create a file in a watched directory) where I get 3 sets of FS_WATCH and FS_INODE records. type=SYSCALL msg=audit(1123701552.619:2552): arch=c0000032 syscall=1028 success=yes exit=3 a0=600000000003bdf0 a1=241 a2=1b6 a3=2 items=1 pid=3711 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="bash" exe="/bin/bash" type=FS_WATCH msg=audit(1123701552.619:2552): watch_inode=554882 watch="sysconfig" filterkey= perm=0 perm_mask=1 type=FS_INODE msg=audit(1123701552.619:2552): inode=554882 inode_uid=0 inode_gid=0 inode_dev=08:13 inode_rdev=00:00 type=FS_WATCH msg=audit(1123701552.619:2552): watch_inode=554882 watch="sysconfig" filterkey= perm=0 perm_mask=1 type=FS_INODE msg=audit(1123701552.619:2552): inode=554882 inode_uid=0 inode_gid=0 inode_dev=08:13 inode_rdev=00:00 type=CWD msg=audit(1123701552.619:2552): cwd="/home/ljk" type=PATH msg=audit(1123701552.619:2552): name="/etc/sysconfig/ljk" flags=310 inode=554882 dev=08:13 mode=040755 ouid=0 ogid=0 rdev=00:00 Version-Release number of selected component (if applicable): How reproducible: Always Steps to Reproduce: 1.set a watch on a directory (-w /etc/sysconfig/) 2.create a file in that directory (touch /etc/sysconfig/ljk) 3.update the file (echo "1" > /etc/sysconfig/ljk) Actual Results: type=SYSCALL msg=audit(1123701552.619:2552): arch=c0000032 syscall=1028 success=yes exit=3 a0=600000000003bdf0 a1=241 a2=1b6 a3=2 items=1 pid=3711 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="bash" exe="/bin/bash" type=FS_WATCH msg=audit(1123701552.619:2552): watch_inode=554882 watch="sysconfig" filterkey= perm=0 perm_mask=1 type=FS_INODE msg=audit(1123701552.619:2552): inode=554882 inode_uid=0 inode_gid=0 inode_dev=08:13 inode_rdev=00:00 type=FS_WATCH msg=audit(1123701552.619:2552): watch_inode=554882 watch="sysconfig" filterkey= perm=0 perm_mask=1 type=FS_INODE msg=audit(1123701552.619:2552): inode=554882 inode_uid=0 inode_gid=0 inode_dev=08:13 inode_rdev=00:00 type=CWD msg=audit(1123701552.619:2552): cwd="/home/ljk" type=PATH msg=audit(1123701552.619:2552): name="/etc/sysconfig/ljk" flags=310 inode=554882 dev=08:13 mode=040755 ouid=0 ogid=0 rdev=00:00 Expected Results: Just one set of FS_WATCH/FS_INODE records. Additional info:
This request is not planned for inclusion in the next update. The decision is based on weighting the priority and number of requests for a component as well as the impact on the Red Hat Enterprise Linux user-base: other requests are considered having higher priority and the number of changes we intend to include in update cycles is limited.
Product Management has reviewed and declined this request. You may appeal this decision by reopening this request.