On Wednesday 06 August 2008 04:15:09 Zhang Xiliang wrote:
> AUDIT_PERM field should be used after a watch is given.
>
> For example,
> auditctl -a exit,always -F perm=r
>
> No error message is output.
> I think we should add checking for it.

This is a legal rule. The kernel will pick the syscalls that satisfy the read 
permission. Typically, you would have other fields in addition. So...I'm not 
applying this patch.

Thanks,
-Steve

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
