From: Steve Grubb
Subject: Re: Do we need entry,always rules?
Date: Tue, 8 Nov 2011 17:18:59 -0500
Message-ID: <201111081718.59465.sgrubb@redhat.com>
References: <1320788300.10093.42.camel@localhost>
In-Reply-To: <1320788300.10093.42.camel@localhost>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Tuesday, November 08, 2011 04:38:20 PM Eric Paris wrote:
> The kernel will take them, but I believe we decided to deprecate them.
> I can remove some 'dead' code from the kernel and just return -EINVAL if
> someone tries to set one. Anyone see a problem with that?

That was the plan. User space migrated to exit filter rules with the audit 2.0
release. That release was over 2 years ago. I also think the example rules in the
1.7 series were changed to the exit filter so that people don't start off with
entry filter rules.

So, you can start the process of deprecating it. I don't know if you want to just
pull the filter out or warn for a while before pulling it out.

-Steve
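As an added example (not part of the original message and not code from the audit project), this shell function scans rules files for rules still attached to the entry filter, the ones that would get -EINVAL after the removal discussed above, and prints each with the same rule moved to the exit filter as a suggestion to review. The function name and the sample rules are constructed, and it assumes one rule per line in auditctl syntax.

```shell
#!/bin/sh
# Added example: report audit rules that still use the deprecated entry filter.
# list_entry_rules and the sample rules below are constructed for illustration.

# list_entry_rules FILE...
# Prints "FILE:LINE: rule" plus a suggested exit-filter form for each hit.
# Returns 1 when at least one entry-filter rule is found, 0 otherwise.
list_entry_rules() {
    awk '
    /^[[:space:]]*#/ { next }                  # ignore comment lines
    {
        for (i = 1; i < NF; i++) {
            if ($i != "-a" && $i != "-A") continue
            # auditctl accepts both "list,action" and "action,list"
            n = split($(i + 1), part, ",")
            if (n != 2) continue
            if (part[1] != "entry" && part[2] != "entry") continue
            orig = $0
            $(i + 1) = (part[1] == "entry") ? ("exit," part[2]) : (part[1] ",exit")
            printf "%s:%d: %s\n", FILENAME, FNR, orig
            printf "  suggested: %s\n", $0
            found = 1
            next
        }
    }
    END { exit (found ? 1 : 0) }
    ' "$@"
}

# Constructed sample rules file, so the example runs offline.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample rules
-a entry,always -S chmod -F auid>=500
-a always,entry -S unlink
-a exit,always -F arch=b64 -S open -F success=0
-w /etc/passwd -p wa -k identity
EOF
list_entry_rules "$sample" || echo "entry filter rules found; review before upgrading the kernel"
rm -f "$sample"
```

The non-zero return makes the function usable as a pre-upgrade check over a rules file; the suggested lines are for review and are not applied automatically.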