From mboxrd@z Thu Jan  1 00:00:00 1970
From: Paul Moore <pmoore@redhat.com>
Subject: Re: [RFC PATCH] audit: correctly record file names with different
	path name types
Date: Tue, 02 Dec 2014 11:02:10 -0500
Message-ID: <7974163.PYVG5D7BPp@sifl>
References: <20141201212747.19982.27425.stgit@localhost>
	<547D6659.6090603@huawei.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <547D6659.6090603@huawei.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: hujianyang <hujianyang@huawei.com>
Cc: rgb@redhat.com, linux-audit@redhat.com, jlayton@redhat.com
List-Id: linux-audit@redhat.com

On Tuesday, December 02, 2014 03:12:25 PM hujianyang wrote:
> Hi Paul,
> 
> Thanks for your work~! But I'm sorry to say I've tested this patch with
> a kernel 3.10.53 and met a panic while booting. I think it's caused by
> this patch.
> 
> Could you please take some time to look at this? Did I do something
> wrong?

...

On Tuesday, December 02, 2014 03:31:17 PM hujianyang wrote:
> This is configure options in my environment. I hope it would
> help you~!
> 
> 
> # 5.2 audit configuration
> # 5.2.1
> 
> # 5.2.2 Stop system when log is full
> configuration modify "/etc/audit/auditd.conf@space_left_action =
> SYSLOG@space_left_action = SYSLOG" #configuration modify
> "/etc/audit/auditd.conf@admin_space_left_action =
> SUSPEND@admin_space_left_action = HALT" configuration modify
> "/etc/audit/auditd.conf@space_left = 75@space_left = 2" configuration
> modify "/etc/audit/auditd.conf@admin_space_left = 50@admin_space_left = 1"

Thanks for taking the time to test, however, a few things ...

First, could you provide the /etc/audit/auditd.conf and /etc/audit/audit.rules 
files you used for your testing?  I don't understand configuration 
script/language you used above.

Second, I tested the patch against the audit tree's stable-3.18 branch, could 
you (re)test against 3.18-rcX instead of 3.10.X?  There have been a number of 
changes to the audit subsystem since 3.10 was released and it would surprise 
me if the patch I posted has problems on 3.10.X.

 * git://git.infradead.org/users/pcmoore/audit stable-3.18

Thanks,
-Paul

-- 
paul moore
security and virtualization @ redhat