From: Linda Knippers
To: linux-audit@redhat.com
Subject: Re: Watch problems
Date: Mon, 10 Apr 2006 10:56:54 -0400
Message-ID: <443A7236.6090200@hp.com>
In-Reply-To: <200604081232.31138.sgrubb@redhat.com>

This reminds me of the "4500 watches" bug.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=172574

For me, everything worked fine when I had about 40 watches. Then I
loaded about 150 more and I can't list them (I get the same error
you do) but the watches do seem to be working. I can continue to
add them and it doesn't seem to matter where the files are.

-- ljk

Steve Grubb wrote:
> Hi,
>
> I was testing the new watch system and ran across some problems. When I loaded
> 85 watches + 10 syscall rules, I got this when trying to list them back out:
>
> [root@localhost watch-perf]# auditctl -l
> Error receiving audit netlink packet (No buffer space available)
> Error sending rule list request (No buffer space available)
>
> And when I try to add a watch against a file in my home directory, I get this:
>
> [root@localhost watch-perf]# auditctl -w /root/test/watch-perf/error.txt
> Error sending add rule request (Permission denied)
>
> If I move the same file to /etc, it works fine. I ran strace to see where this
> is coming from:
>
> sendto(3, "@\4\0\0\363\3\5\0\1\0\0\0\0\0\0\0\4\0\0\0\2\0\0\0\1\0\0"..., 1088, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 1088
> poll([{fd=3, events=POLLIN, revents=POLLIN}], 1, 100) = 1
> recvfrom(3, "$\0\0\0\2\0\0\0\1\0\0\0\261\10\0\0\363\377\377\377@\4\0"..., 8476, MSG_PEEK|MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000}, [12]) = 36
> recvfrom(3, "$\0\0\0\2\0\0\0\1\0\0\0\261\10\0\0\363\377\377\377@\4\0"..., 8476, MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000}, [12]) = 36
> write(2, "Error sending add rule request ("..., 50Error sending add rule request (Permission denied)) = 50
>
> Looks like the kernel to me. This is using the lspp.16 kernel.
>
> -Steve
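
The two netlink buffers in the strace output quoted above can be decoded by hand; the following is an added example, not part of either post or of the audit tools. It assumes a little-endian host and takes `NLMSG_ERROR` and `AUDIT_ADD_RULE` from linux/netlink.h and linux/audit.h; the function names are hypothetical.

```python
import errno
import struct

NLMSG_ERROR = 2          # linux/netlink.h
AUDIT_ADD_RULE = 1011    # linux/audit.h
# struct nlmsghdr: len, type, flags, seq, pid (assumes a little-endian host)
NLMSGHDR = struct.Struct("<IHHII")

# Buffers copied from the quoted strace output (strace truncated both).
SENT = r'@\4\0\0\363\3\5\0\1\0\0\0\0\0\0\0\4\0\0\0\2\0\0\0\1\0\0'
REPLY = r'$\0\0\0\2\0\0\0\1\0\0\0\261\10\0\0\363\377\377\377@\4\0'

SIMPLE = {"n": 10, "t": 9, "r": 13, "\\": 92, '"': 34}

def unescape(s):
    """Turn strace's C-style string escapes back into raw bytes."""
    out, i = bytearray(), 0
    while i < len(s):
        if s[i] != "\\":
            out.append(ord(s[i]))
            i += 1
        elif s[i + 1] in "01234567":
            j = i + 1                      # octal escape: one to three digits
            while j < len(s) and j - i <= 3 and s[j] in "01234567":
                j += 1
            out.append(int(s[i + 1:j], 8) & 0xFF)
            i = j
        else:
            out.append(SIMPLE[s[i + 1]])
            i += 2
    return bytes(out)

def decode(buf):
    """Decode the nlmsghdr and, for NLMSG_ERROR, the errno that follows it."""
    length, mtype, flags, seq, pid = NLMSGHDR.unpack_from(buf)
    msg = {"len": length, "type": mtype, "flags": flags, "seq": seq, "pid": pid}
    if mtype == NLMSG_ERROR and len(buf) >= NLMSGHDR.size + 4:
        (err,) = struct.unpack_from("<i", buf, NLMSGHDR.size)
        msg["errno"] = errno.errorcode.get(-err, str(err))
        msg["echo"] = buf[NLMSGHDR.size + 4:]  # start of the rejected request
    return msg

def explain():
    """Decode both buffers and check that the reply answers the request."""
    sent = unescape(SENT)
    request, reply = decode(sent), decode(unescape(REPLY))
    reply["answers_request"] = (reply["seq"] == request["seq"]
                                and sent.startswith(reply["echo"]))
    return request, reply

if __name__ == "__main__":
    for message in explain():
        print(message)
```

The request decodes as a 1088-byte `AUDIT_ADD_RULE` message with flags `NLM_F_REQUEST|NLM_F_ACK`, and the 36-byte reply is an `NLMSG_ERROR` carrying -13 (`EACCES`) for the same sequence number, so the "Permission denied" text is auditctl printing the errno the kernel returned.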