From mboxrd@z Thu Jan 1 00:00:00 1970
From: Paul Moore
Subject: Re: [RFC PATCH] audit: correctly record file names with different path name types
Date: Wed, 03 Dec 2014 16:27:34 -0500
Message-ID: <3214700.P9gl05RaQR@sifl>
References: <20141201212747.19982.27425.stgit@localhost> <7974163.PYVG5D7BPp@sifl> <547E6D42.1000503@huawei.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
In-Reply-To: <547E6D42.1000503@huawei.com>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com, hujianyang
Cc: rgb@redhat.com, jlayton@redhat.com
List-Id: linux-audit@redhat.com

On Wednesday, December 03, 2014 09:54:10 AM hujianyang wrote:
> On 2014/12/3 0:02, Paul Moore wrote:
> > First, could you provide the /etc/audit/auditd.conf and
> > /etc/audit/audit.rules files you used for your testing? I don't
> > understand configuration script/language you used above.
>
> /etc/audit/audit.conf
>
> #
> # This file controls the configuration of the audit daemon
> #

... {snip} ...

> /etc/audit/audit.rules:
>
> # This file contains the auditctl rules that are loaded
> # whenever the audit daemon is started via the initscripts.
> # The rules are simply the parameters that would be passed
> # to auditctl.

... {snip} ...

I set up my system using your configuration and the system booted and ran the
regression test described in the patch description without problem. I know of
at least one other person that has tested this patch without problem as well.

> > Second, I tested the patch against the audit tree's stable-3.18 branch,
> > could you (re)test against 3.18-rcX instead of 3.10.X? There have been a
> > number of changes to the audit subsystem since 3.10 was released and it
> > would surprise me if the patch I posted has problems on 3.10.X.
> >
> > * git://git.infradead.org/users/pcmoore/audit stable-3.18
>
> Sorry, my testing environment is built on an embedded arm device. Changing
> kernel version need lots of changes for device driver which is beyond my
> ability.

I know that many embedded systems include several kernel patches that deviate
from the upstream sources (device drivers, etc.), is that the case with your
system?

> I wish you could implement my configuration on your environment and test
> if it's OK. After that, we can list the changes from 3.10 stable to 3.18
> stable.

I did test your configuration, without problem. I suspect there is some sort
of conflict between the patch and one of the kernel patches in your system.
Is there any chance you can debug the problem you saw?

I'm going to remove the CC:stable from the patch description to be safe, but
as of right now I think it is reasonable to include the patch in the audit
next branch.

-- 
paul moore
security and virtualization @ redhat