From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Watch problems
Date: Sat, 8 Apr 2006 12:32:31 -0400
Message-ID: <200604081232.31138.sgrubb@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain;
  charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
Received: from vpn83-150.boston.redhat.com (vpn83-150.boston.redhat.com
	[172.16.83.150])
	by mail.boston.redhat.com (8.12.8/8.12.8) with ESMTP id k38GWCT1010368
	for <linux-audit@redhat.com>; Sat, 8 Apr 2006 12:32:12 -0400
Content-Disposition: inline
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Hi,

I was testing the new watch system and ran across some problems. When I loaded 
85 watches + 10 syscall rules, I got this when trying to list them back out:

[root@localhost watch-perf]# auditctl -l
Error receiving audit netlink packet (No buffer space available)
Error sending rule list request (No buffer space available)

And when I try to add a watch against a file in my home directory, I get this:

[root@localhost watch-perf]# auditctl -w /root/test/watch-perf/error.txt
Error sending add rule request (Permission denied)

If I move the same file to /etc, it works fine. I ran strace to see where this 
is coming from:

sendto(3, "@\4\0\0\363\3\5\0\1\0\0\0\0\0\0\0\4\0\0\0\2\0\0\0\1\0\0"..., 1088,
0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 1088
poll([{fd=3, events=POLLIN, revents=POLLIN}], 1, 100) = 1
recvfrom(3, "$\0\0\0\2\0\0\0\1\0\0\0\261\10\0\0\363\377\377\377@\4\0"...,
8476,
MSG_PEEK|MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000}, [12]) =
36
recvfrom(3, "$\0\0\0\2\0\0\0\1\0\0\0\261\10\0\0\363\377\377\377@\4\0"...,
8476,
MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000}, [12]) = 36
write(2, "Error sending add rule request ("..., 50Error sending add rule
request (Permission denied)) = 50

Looks like the kernel to me. This is using the lspp.16 kernel.

-Steve