From: Richard Guy Briggs
Subject: Re: peculiar disappearance of most audit rules
Date: Wed, 5 Nov 2014 11:55:48 -0500
Message-ID: <20141105165548.GQ26201@madcap2.tricolour.ca>
To: Peter Grandi
Cc: Linux audit

On 14/04/27, Peter Grandi wrote:
> > but in either case, the inodes aren't supposed to be able to
> > be kicked out of core...
>
> But on 3 different systems I have they really seem to be evicted,
> and with regularity, and this does not happen if the inodes are
> kept open.
>
> From the source I have looked at, the *notify code seems to
> attempt to hold on to the inodes that are watched, but perhaps
> it has some hidden assumptions that the 'audit' module does not
> satisfy.

Do you have a reproducer to detect this quickly?

Miklos Szeredi appears to have found the likely cause:
https://lkml.org/lkml/2014/11/4/246

- RGB

--
Richard Guy Briggs
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545