Timothy R. Chavez wrote: [Tue Jun 27 2006, 05:32:46PM EDT]
> Maybe because you're executing in the system-call attempting the access
> of audit.log and it's in this context the permissions to do so are
> checked. Been awhile, but looking at fs/open.c:do_sys_open, should
> there be an fsnotify_open() hook in the error path as well?

That wouldn't help. If do_filp_open() returns an error, we don't have an inode for the filename the user wanted to open. So we don't have any additional information to give the hook other than what audit has already collected.
