From mboxrd@z Thu Jan 1 00:00:00 1970 From: Amy Griffis Subject: Re: Logging failed open() calls on /var/log/audit/audit.log Date: Tue, 27 Jun 2006 19:10:32 -0400 Message-ID: <20060627231032.GA12632@zk3.dec.com> References: <20060627211553.GA11601@zk3.dec.com> <200606271721.05626.sgrubb@redhat.com> <1151443966.6863.18.camel@localhost.localdomain> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Return-path: Received: from mx3.redhat.com (mx3.redhat.com [172.16.48.32]) by int-mx1.corp.redhat.com (8.12.11.20060308/8.12.11) with ESMTP id k5RNAhNp027966 for ; Tue, 27 Jun 2006 19:10:43 -0400 Received: from tayrelbas04.tay.hp.com (tayrelbas04.tay.hp.com [161.114.80.247]) by mx3.redhat.com (8.13.1/8.13.1) with ESMTP id k5RNAbJg022841 for ; Tue, 27 Jun 2006 19:10:37 -0400 Content-Disposition: inline In-Reply-To: <1151443966.6863.18.camel@localhost.localdomain> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: "Timothy R. Chavez" Cc: linux-audit@redhat.com List-Id: linux-audit@redhat.com Timothy R. Chavez wrote: [Tue Jun 27 2006, 05:32:46PM EDT] > Maybe because you're executing in the system-call attempting the access > of audit.log and it's in this context the permissions to do so are > checked. Been awhile, but looking at fs/open.c:do_sys_open, should > there be an fsnotify_open() hook in the error path as well? That wouldn't help. If do_filp_open() returns an error, we don't have an inode for the filename the user wanted to open. So we don't have any additional information to give the hook other than what audit has already collected.