From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: Question about setting watches in auto-mounted directories in RHEL 5.2
Date: Sun, 30 Nov 2008 10:47:07 -0500
Message-ID: <200811301047.07796.sgrubb@redhat.com>
References: <200811300915.52390.sgrubb@redhat.com> <20081130151040.GC14693@file.rdu.redhat.com>
In-Reply-To: <20081130151040.GC14693@file.rdu.redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Alexander Viro
Cc: Taylor_Tad@emc.com, linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Sunday 30 November 2008 10:11:10 Alexander Viro wrote:
> > > Unfortunately, auto-mounts are, well, automatic, so there's no one to
> > > issue that command.
>
> You do realize that they are, in the end, done from userland? Which is
> the natural place to do that...

The problem is that's a little racy. But more importantly, it would be nice
to load rules once since there is a chance that high security installations
will have the audit system in immutable mode.

For rules that do not resolve all the way to an inode, they could be put on
a wait list that gets checked for resolution anytime mount is called.

-Steve
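
A toy userspace model of the wait-list idea in the message above, added here as an example (not code from the thread, the kernel or the audit package): rules are loaded once, the table is locked as in immutable mode, and unresolved paths are retried on each mount. `WatchTable`, `on_mount` and the paths are hypothetical names, and creating a file in a temporary directory stands in for the automount.

```python
import os
import tempfile


class WatchTable:
    """Toy model of deferred watch resolution; not kernel or auditd code."""

    def __init__(self):
        self.active = {}       # path -> (st_dev, st_ino) the watch is attached to
        self.pending = []      # rules whose path did not resolve to an inode yet
        self.immutable = False

    def add_rule(self, path):
        # Once the rule set is locked, no new rule is accepted.
        if self.immutable:
            raise PermissionError("rule set is locked")
        if not self._attach(path):
            self.pending.append(path)   # park it instead of rejecting it

    def lock(self):
        self.immutable = True

    def on_mount(self):
        # Run after every mount: retry only the parked rules. Attaching an
        # already-loaded rule is not a rule change, so the lock permits it.
        self.pending = [p for p in self.pending if not self._attach(p)]

    def _attach(self, path):
        try:
            st = os.stat(path)
        except (FileNotFoundError, NotADirectoryError):
            return False
        self.active[path] = (st.st_dev, st.st_ino)
        return True


def demo():
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "home", "user", "secret")  # constructed path
        table = WatchTable()
        table.add_rule(target)   # loaded once at boot, nothing mounted yet
        table.lock()             # immutable from here on
        before = (list(table.pending), dict(table.active))
        # Stand-in for the automounter making the filesystem appear.
        os.makedirs(os.path.dirname(target))
        open(target, "w").close()
        table.on_mount()
        try:
            table.add_rule(os.path.join(root, "late"))
            late_rejected = False
        except PermissionError:
            late_rejected = True
        return before, table.pending, target in table.active, late_rejected
```

The rule loaded before the lock attaches when the path appears, while a rule issued from userland after the mount is refused, which is the case the immutable-mode concern describes.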