From: Michael C Thompson
Subject: Re: auditctl filter keyword: "path"
Date: Thu, 25 May 2006 10:56:03 -0500
Message-ID: <4475D393.6060305@us.ibm.com>
References: <4475CD7B.1090602@us.ibm.com>
In-Reply-To: <4475CD7B.1090602@us.ibm.com>
To: Michael C Thompson
Cc: Linux Audit
List-Id: linux-audit@redhat.com

Michael C Thompson wrote:
> Hey Steve,
>
> audit-1.2.2-2 seems to be having problems with the path filter word.
>
> # auditctl -a exit,always -S open -F path=bfile
> Error sending add rule request (Invalid argument)
> # auditctl -a entry,always -S open -F path=bfile
> Error sending add rule request (Invalid argument)

Apparently path will not take relative path names...

Would it be desirable to augment the logic of auditctl to resolve the relative path and convert it to an absolute path for rule inclusion? This is a nice-to-have that admins will expect.

Thanks,
Mike
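
An added example, not part of the original message and not auditctl's own code: one way the relative-to-absolute conversion proposed above could be done before a `path=` value goes into a rule. The helper name `abs_rule_path` and the buffer sizes are assumptions; normalization is purely lexical so the file does not have to exist yet.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper (not auditctl code): write a normalized absolute form of
 * `in` to `out`, using `cwd` as the base for relative names. Lexical only:
 * "." and empty components are dropped, ".." pops one component, and symlinks
 * are NOT resolved, so a result that passes through a symlinked directory
 * names the link, not its target. Returns 0 on success, -1 on error. */
int abs_rule_path(const char *cwd, const char *in, char *out, size_t outlen)
{
    char buf[8192];
    size_t len = 0;
    int n;

    if (!cwd || !in || !out || outlen < 2 || *in == '\0' || cwd[0] != '/')
        return -1;                       /* empty name or unusable base */
    n = (in[0] == '/') ? snprintf(buf, sizeof(buf), "%s", in)
                       : snprintf(buf, sizeof(buf), "%s/%s", cwd, in);
    if (n < 0 || (size_t)n >= sizeof(buf))
        return -1;                       /* truncated: refuse, do not guess */
    out[0] = '\0';
    for (char *tok = strtok(buf, "/"); tok; tok = strtok(NULL, "/")) {
        if (strcmp(tok, ".") == 0)
            continue;
        if (strcmp(tok, "..") == 0) {    /* pop last component, stop at root */
            while (len > 0 && out[--len] != '/')
                ;
            out[len] = '\0';
            continue;
        }
        size_t tl = strlen(tok);
        if (len + 1 + tl >= outlen)
            return -1;                   /* result would not fit in out */
        out[len++] = '/';
        memcpy(out + len, tok, tl + 1);
        len += tl;
    }
    if (len == 0)
        strcpy(out, "/");                /* every component cancelled out */
    return 0;
}

int main(int argc, char **argv)
{
    char cwd[4096], full[4096];
    if (argc != 2 || !getcwd(cwd, sizeof(cwd)) ||
        abs_rule_path(cwd, argv[1], full, sizeof(full)) != 0)
        return 1;
    printf("-F path=%s\n", full);        /* value to hand to the rule */
    return 0;
}
```

Run from `/home/mike` with the argument `bfile`, this prints `-F path=/home/mike/bfile`. A rule built this way is fixed to the directory the command was run from, which is worth showing to the admin before the rule is loaded.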