From mboxrd@z Thu Jan  1 00:00:00 1970
From: Linda Knippers <linda.knippers@hp.com>
Subject: Re: another issue with Audit
Date: Mon, 24 Apr 2006 11:51:45 -0400
Message-ID: <444CF411.6060703@hp.com>
References: <444CED13.1070900@us.ibm.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx3.redhat.com (mx3.redhat.com [172.16.48.32])
	by int-mx1.corp.redhat.com (8.12.11.20060308/8.11.6) with ESMTP id
	k3OFraJ0031530
	for <linux-audit@redhat.com>; Mon, 24 Apr 2006 11:53:36 -0400
Received: from atlrel9.hp.com (atlrel9.hp.com [156.153.255.214])
	by mx3.redhat.com (8.13.1/8.13.1) with ESMTP id k3OFrTUd017855
	for <linux-audit@redhat.com>; Mon, 24 Apr 2006 11:53:30 -0400
In-Reply-To: <444CED13.1070900@us.ibm.com>
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Loulwa Salem <loulwas@us.ibm.com>
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

That's really strange.  I'm running the .16 kernel and the audit-1.2
audit tools on an x86 and I'm not seeing the problem.  I'll upgrade and
see what happens.

-- ljk

Loulwa Salem wrote:
> This is a really strange problem .. seems like I have a knack to finding 
> those.
> 
> I am running lspp.18 kernel (SELinux in permissive mode), audit-1.2.1 on 
> an x86_64 system.
> 
> Here is what is happening .. someone else please try this and let me 
> know if you see the same problem...
> 
> # auditctl -w /tmp/file1    >> works fine
> # auditctl -w /tmp/file6
> Error sending add rule request (File exists)
> # auditctl -w /tmp/afile
> Error sending add rule request (File exists)
> # auditctl -w /tmp/newfile    >> works fine
> # auditctl -w /tmp/thefile
> Error sending add rule request (File exists)
> 
> Here is what I noticed from this pattern ... as long as the length of 
> the file name I am adding watch on is the same, it says the watch 
> already exists... So I tried something else to see if only the file name 
> matters or the whole path length ...
> 
> # mkdir /foo
> # auditctl -w /foo/file3    >> notice .. same length as /tmp/file1
> Error sending add rule request (File exists)
> # auditctl -w /foo/foofile >> notice .. same length as /tmp/newfile
> Error sending add rule request (File exists)
> # auditctl -w /foo/anotherfile    >> works fine
> 
> So you see ... even using a different directory still says the watch 
> exists.
> 
> If this is happening with others .. this definitely seems like a bug to me.
> 
> Thanks,
> -Loulwa
> 
> -- 
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit