From: Loulwa Salem
Subject: another issue with Audit
Date: Mon, 24 Apr 2006 10:21:55 -0500
Message-ID: <444CED13.1070900@us.ibm.com>
To: linux-audit@redhat.com

This is a really strange problem .. seems like I have a knack for finding those.

I am running lspp.18 kernel (SELinux in permissive mode), audit-1.2.1 on an x86_64 system.

Here is what is happening .. someone else please try this and let me know if you see the same problem...

# auditctl -w /tmp/file1        >> works fine
# auditctl -w /tmp/file6
Error sending add rule request (File exists)
# auditctl -w /tmp/afile
Error sending add rule request (File exists)
# auditctl -w /tmp/newfile      >> works fine
# auditctl -w /tmp/thefile
Error sending add rule request (File exists)

Here is what I noticed from this pattern ... as long as the length of the file name I am adding watch on is the same, it says the watch already exists...

So I tried something else to see if only the file name matters or the whole path length ...

# mkdir /foo
# auditctl -w /foo/file3        >> notice .. same length as /tmp/file1
Error sending add rule request (File exists)
# auditctl -w /foo/foofile      >> notice .. same length as /tmp/newfile
Error sending add rule request (File exists)
# auditctl -w /foo/anotherfile  >> works fine

So you see ... even using a different directory still says the watch exists.

If this is happening with others .. this definitely seems like a bug to me.

Thanks,
-Loulwa