[ .... ]

> What's the kernel in question?

Ubuntu 12.04's 3.2 and SteamOS 3.10.

> audit hasn't used "inotify" in a long time. We now use
> "fsnotify".

Out of laziness I used 'inotify' to mean both; also at one point I was looking at some 2.6.x sources as there seemed to be relevant changes in some mailing list.

> but in either case, the inodes aren't supposed to be able to
> be kicked out of core...

But on 3 different systems I have they really seem to be evicted, and with regularity, and this does not happen if the inodes are kept open.

From the source I have looked at, the *notify code seems to attempt to hold on to the inodes that are watched, but perhaps it has some hidden assumptions that the 'audit' module does not satisfy.

--
Linux-audit mailing list
https://www.redhat.com/mailman/listinfo/linux-audit
