From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: exclude filter action ignored?
Date: Mon, 16 May 2016 12:01:42 -0400
Message-ID: <2594649.21IR1e7Q9z@x2>
References: <20160515203827.GB21780@madcap2.tricolour.ca> <11175563.uHevLF1eMJ@x2> <20160516154426.GD21780@madcap2.tricolour.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
In-Reply-To: <20160516154426.GD21780@madcap2.tricolour.ca>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Richard Guy Briggs
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Monday, May 16, 2016 11:44:26 AM Richard Guy Briggs wrote:
> On 16/05/16, Steve Grubb wrote:
> > On Sunday, May 15, 2016 04:38:27 PM Richard Guy Briggs wrote:
> > > Hi Steve,
> > >
> > > Can you confirm that the exclude filter action parameter is ignored?
> >
> > The exclude filter was supposed to do only 1 thing, delete events. It was
> > needed to create a pure CAPP system back in the lspp days. There are things
> > like selinux which sends events whether you wanted them or not. For a pure
> > CAPP system you just tell it the msgtype of selinux events and then they
> > are gone. People found other uses later like getting rid of cron job pam
> > messages. But it's always been used to remove events rather than trigger
> > them.
>
> Fine. Can we put something in the manpage to clarify that
> "exclude,never" won't do what people might think, which might be to
> override some other rule on a different list?

Typically where we use never rules is in blocking events on a certain
directory or application. This would be the entry and user filters. AFAIK, no
one has reported a problem where exclude,never wasn't working. :-)

> Something like "The exclude list ignores the action, and is treated as
> "always", or block the never option entirely either in userspace or in the
> kernel. I realize this latter option could be contentious since some might
> interpret that as "breaking userspace".

No one could possibly be counting on that to work (because it doesn't work).
But we can adjust the man page.

-Steve
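
Added example, not part of the original thread or of the audit project's code: a small Python check that scans audit rules text for `-a`/`-A` rules pairing the `exclude` list with `never`, the combination the thread says does not act as an override. The function names and the sample rules are constructed for illustration.

```python
import shlex

# Filter lists and actions accepted by auditctl's -a/-A option.
LISTS = {"task", "entry", "exit", "user", "exclude"}
ACTIONS = {"always", "never"}


def parse_list_action(arg):
    """Return (list, action) from an '-a' argument; either order is accepted."""
    parts = [p.strip() for p in arg.split(",")]
    if len(parts) != 2:
        return None
    first, second = parts
    if first in LISTS and second in ACTIONS:
        return first, second
    if second in LISTS and first in ACTIONS:
        return second, first
    return None


def find_exclude_never(rules_text):
    """Return (line_number, rule) for every rule written as exclude + never."""
    findings = []
    for lineno, raw in enumerate(rules_text.splitlines(), 1):
        try:
            tokens = shlex.split(raw, comments=True)  # drops '#' comments
        except ValueError:
            continue  # unbalanced quotes: not a rule this check can judge
        for flag, arg in zip(tokens, tokens[1:]):
            if flag in ("-a", "-A") and parse_list_action(arg) == ("exclude", "never"):
                findings.append((lineno, raw.strip()))
    return findings


# Constructed sample rules (not taken from any real system).
SAMPLE_RULES = """\
# constructed sample rules
-a exclude,always -F msgtype=AVC
-a never,exclude -F msgtype=USER_ACCT
-a exit,never -F dir=/var/tmp
-A exclude,never -F msgtype=CRED_ACQ  # intended as an override
"""

if __name__ == "__main__":
    for lineno, rule in find_exclude_never(SAMPLE_RULES):
        print(f"line {lineno}: exclude list ignores 'never'; "
              f"matching events are still dropped: {rule}")
```
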