On Wednesday 07 May 2008 13:20:42 Stephen Smalley wrote:
> then we'd need to define two new fields, one to correspond
> to the real/raw context string corresponding to the scontext and one to
> correspond to the real/raw context string corresponding to the tcontext.
> And they would only be present
On Wednesday 07 May 2008 12:56:37 LC Bruzenak wrote:
> > I'd say we need to fix the man page.
>
> OK. Should I open a bz?
I put it in the TODO list for 1.7.3. So, it is being tracked. You can open a
bz if you want to.
> I am a little surprised that the "-a always,exit" doesn't cause an
> error.
> I am a little surprised that the "-a always,exit" doesn't cause an
> error. I wonder if it works correctly - maybe auditctl code is smart
> enough to overcome syntactic dyslexia? :)
>
given rules:
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -k time-change
-a exit,always -F arch=b64 -
On Wed, 2008-05-07 at 12:48 -0400, Steve Grubb wrote:
> On Wednesday 07 May 2008 11:29:36 Eric Paris wrote:
> > On Wed, May 7, 2008 at 11:23 AM, Stephen Smalley <[EMAIL PROTECTED]> wrote:
> > > On Wed, 2008-05-07 at 11:17 -0400, Eric Paris wrote:
> > > > > I assume we do NOT want to use this va
On Wed, 2008-05-07 at 12:44 -0400, Steve Grubb wrote:
> On Wednesday 07 May 2008 12:16:01 LC Bruzenak wrote:
> > Am I misunderstanding this option, or is there a manpage or code error?
> > audit-1.7.2-6.fc9.x86_64
>
> I'd say we need to fix the man page.
OK. Should I open a bz?
And also along th
On Wednesday 07 May 2008 11:29:36 Eric Paris wrote:
> On Wed, May 7, 2008 at 11:23 AM, Stephen Smalley <[EMAIL PROTECTED]> wrote:
> > On Wed, 2008-05-07 at 11:17 -0400, Eric Paris wrote:
> > > > I assume we do NOT want to use this variant interface when getting
> > > > contexts to display in a
On Wednesday 07 May 2008 12:16:01 LC Bruzenak wrote:
> Am I misunderstanding this option, or is there a manpage or code error?
> audit-1.7.2-6.fc9.x86_64
I'd say we need to fix the man page.
-Steve
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-a
Q: Manpage says :
"-S [Syscall name or number|all]"
..."You may also specify multiple syscalls in the same rule as a comma
separated list with no spaces in between. Doing so improves performance
since fewer rules need to be evaluated."...
So I'd have thought that this would work:
-a always,exit
On Wed, May 7, 2008 at 11:23 AM, Stephen Smalley <[EMAIL PROTECTED]> wrote:
>
>
> On Wed, 2008-05-07 at 11:17 -0400, Eric Paris wrote:
> > > I assume we do NOT want to use this variant interface when getting
> > > contexts to display in audit messages, as we want the audit messages to
> > >
