From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: audit 1.2.2 released
Date: Wed, 17 May 2006 17:23:25 -0400
Message-ID: <200605171723.25311.sgrubb@redhat.com>
References: <200605121726.32952.sgrubb@redhat.com>
	<446B91CF.5010604@us.ibm.com>
Mime-Version: 1.0
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <446B91CF.5010604@us.ibm.com>
Content-Disposition: inline
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Michael C Thompson <thompsmc@us.ibm.com>
Cc: Linux Audit <linux-audit@redhat.com>
List-Id: linux-audit@redhat.com

On Wednesday 17 May 2006 17:12, Michael C Thompson wrote:
> > Please let me know if there are any problems with this release.
>
> auditctl -a entry,always -S chmod -F "watch=/root/file"
>
> This fails... how is one supposed to use the new 'watch' field filter?

This was already reported on SE Linux mail list last week. The short answer is 
that policy needs to be adjusted to make this work. I don't know if the 
changes have been rolled out yet. Just as a test, try "setenforce 0" and then 
load the audit rule.

-Steve