From: Michael C Thompson <thompsmc@us.ibm.com>
To: Linda Knippers <linda.knippers@hp.com>
Cc: Linux Audit <linux-audit@redhat.com>
Subject: Re: What is expected: exclude action on the never list?
Date: Tue, 30 May 2006 17:43:09 -0500	[thread overview]
Message-ID: <447CCA7D.9090505@us.ibm.com> (raw)
In-Reply-To: <447CC9CE.90303@hp.com>

Linda Knippers wrote:
> Michael C Thompson wrote:
>> Linda Knippers wrote:
>>
>>> Steve Grubb wrote:
>>>
>>>> On Tuesday 30 May 2006 16:45, Michael C Thompson wrote:
>>>>
>>>>> I would read the second rule as saying "do not exclude messages of type
>>>>> SYSCALL". Is this a correct interpretation of the rule?
>>>>
>>>> That sounds reasonable, but I don't think that's what the kernel
>>>> does. Maybe it should be corrected. I think it's a 1 or 2 liner.
>>>
>>> According to the manpage, I'd say the kernel is behaving as expected.
>>>
>>> "Never" means never generate an audit record and "exclude" means even if
>>> one was generated, it should be excluded.  The two options together are
>>> somewhat redundant but I don't think "never" was intended to mean "never
>>> do what the previous option just said to do", at least not according to
>>> the manpage.
>>
>> Agreed. The wording is... confusing when compared to the rule. I guess
>> the real question which needs to be answered is "Do we need to be able
>> to force the capture of a rule?"... since audit by default does not
>> audit anything, and you have to explicitly add filters, I would say "no"
>> to this question.
>>
>> That said, I think we should leave "exclude,always" as is, and either
>> change the man page to say something about "exclude,never" being the
>> same as "exclude,always", _or_ change the userspace to indicate that
>> "exclude,never" doesn't make sense.
> 
> I'm not sure "always" makes sense either, at least not as described in
> the manpage since it says to always write out record at syscall exit
> time.

So it sounds like the man page needs to be reworded... if I think of 
anything clear and enlightening, I will pass it on.

I think that the "exclude,always" construct (outside of what the man 
page says) has inherent meaning, so I would leave it as is. Would you 
agree that changing the "exclude,never" to be invalidated in userspace 
makes sense?

Mike
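The userspace change Mike proposes above, rejecting "exclude,never" while leaving "exclude,always" untouched, can be sketched as a small rule validator. The code below is an added example written for this page; it is not auditctl's own code and not anything posted in the thread. It assumes the auditctl rule syntax `-a list,action [-F field=value ...]` (either `list,action` or `action,list` order) with the lists task, exit, user and exclude and the actions always and never; the function names `parse_rule` and `validate_rule` and the sample rule lines are constructed for illustration.

```python
"""Constructed validator for auditctl-style rule lines.

Hypothetical example: it is NOT auditctl's code. It shows the userspace
check proposed in the thread, flagging "exclude,never" as meaningless
while accepting "exclude,always".
"""
import shlex

# auditctl lists and actions (assumed from the auditctl syntax, not from the page)
LISTS = {"task", "exit", "user", "exclude"}
ACTIONS = {"always", "never"}


def parse_rule(line):
    """Parse '-a list,action [-F field=value ...]' into a dict.

    Raises ValueError on syntax that this small parser does not accept.
    """
    tokens = shlex.split(line)
    rule = {"list": None, "action": None, "fields": []}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-a", "-A"):
            if i + 1 >= len(tokens):
                raise ValueError(f"{tok} requires a list,action argument")
            parts = tokens[i + 1].split(",")
            if len(parts) != 2:
                raise ValueError(f"bad list,action pair: {tokens[i + 1]!r}")
            first, second = parts
            # auditctl accepts either order: "exit,always" or "always,exit"
            if first in LISTS and second in ACTIONS:
                rule["list"], rule["action"] = first, second
            elif first in ACTIONS and second in LISTS:
                rule["list"], rule["action"] = second, first
            else:
                raise ValueError(f"unknown list or action in {tokens[i + 1]!r}")
            i += 2
        elif tok == "-F":
            if i + 1 >= len(tokens):
                raise ValueError("-F requires a field=value argument")
            name, sep, value = tokens[i + 1].partition("=")
            if not sep or not name or not value:
                raise ValueError(f"bad field expression: {tokens[i + 1]!r}")
            rule["fields"].append((name, value))
            i += 2
        else:
            raise ValueError(f"unsupported token {tok!r}")
    if rule["list"] is None:
        raise ValueError("rule has no -a list,action")
    return rule


def validate_rule(line):
    """Return a list of problems with the rule; an empty list means accepted.

    Implements the thread's proposal: "exclude,never" is rejected as
    meaningless, "exclude,always" is left as is.
    """
    try:
        rule = parse_rule(line)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if rule["list"] == "exclude" and rule["action"] == "never":
        problems.append(
            '"exclude,never" does not make sense: the exclude list only ever '
            'drops records, so use "exclude,always" instead'
        )
    return problems


if __name__ == "__main__":
    # Constructed sample rules, based on the msgtype=SYSCALL rule discussed in the thread
    for sample in (
        "-a exclude,always -F msgtype=SYSCALL",
        "-a exclude,never -F msgtype=SYSCALL",
        "-a always,exit -F arch=b64",
    ):
        print(sample, "->", validate_rule(sample) or "ok")
```

Running the block prints "ok" for the first and third sample and the rejection message for the "exclude,never" rule, which is exactly the userspace behaviour the message above asks about.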
