On Friday, June 07, 2013 07:29:56 PM Matthew Garrett wrote: > On Fri, Jun 07, 2013 at 02:02:14PM -0400, Simo Sorce wrote: > > The point is that we are simply throwing ideas off the wall as an aid in > > finding a way to solve the issue for all. > > So why not add a mechanism to permit applications to indicate that > certain accesses they make should be ignored by audit? We've never needed an exception in the past. What I'm reporting is there is now a trend on the rise where apps are trying to open files that do not belong to them or open them not wanting the access time updated which attempts to bypass forensic time stamps. So far, the discussion has focused on pulseaudio. But what about the O_NOATIME issue? I wrote an article [1] for the hack in the box magazine a while back about using the audit system to look for application problems across the whole distribution at once. Its good at doing that. And like SE Linux, sometimes the fix is not to avoid auditing bad behaving apps, but to fix them. As for the O_NOATIME...cinnamon is the prime offender and neither it nor muffin have O_NOATIME anywhere in the code. So, its coming from a library. Anyone have any ideas? If we can fix that one at least we can make some progress. Thanks, -Steve [1] - http://magazine.hitb.org/issues/HITB-Ezine-Issue-005.pdf; -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
