From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: [PATCH 4/5] Fix the bug of AUDIT_PERM field added without a
	watch
Date: Wed, 6 Aug 2008 15:13:18 -0400
Message-ID: <200808061513.18567.sgrubb@redhat.com>
References: <48995D8D.5030202@cn.fujitsu.com>
Mime-Version: 1.0
Content-Type: text/plain;
  charset="utf-8"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <48995D8D.5030202@cn.fujitsu.com>
Content-Disposition: inline
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Zhang Xiliang <zhangxiliang@cn.fujitsu.com>
Cc: Linux Audit <linux-audit@redhat.com>
List-Id: linux-audit@redhat.com

On Wednesday 06 August 2008 04:15:09 Zhang Xiliang wrote:
> AUDIT_PERM field should used after a watch given.
>
> For example,
> auditctl -a exit,always -F perm=r
>
> No error message is outputed.
> I think we should add checking for it.

This is a legal rule. The kernel will pick the syscalls that satisfy the read 
permission. Typically, you would have other fields in addition. So...I'm not 
applying this patch.

Thanks,
-Steve