From mboxrd@z Thu Jan 1 00:00:00 1970 From: Steve Grubb Subject: Re: [PATCH] filterexcl: allow filterkey Date: Tue, 13 Jun 2017 15:39:59 -0400 Message-ID: <2910781.g0dc8Opiyj@x2> References: <1491302362-1302-1-git-send-email-rgb@redhat.com> <20170613024758.GG6203@madcap2.tricolour.ca> <20170613184619.GH6203@madcap2.tricolour.ca> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <20170613184619.GH6203@madcap2.tricolour.ca> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Richard Guy Briggs Cc: linux-audit@redhat.com List-Id: linux-audit@redhat.com On Tuesday, June 13, 2017 2:46:19 PM EDT Richard Guy Briggs wrote: > > On 2017-06-12 20:05, Steve Grubb wrote: > > > On Tuesday, April 4, 2017 6:39:22 AM EDT Richard Guy Briggs wrote: > > > > The exclude rules did not permit a filterkey to be added. This isn't > > > > as > > > > important for the exclude filter compared to the others since no > > > > records are generated with that key, but still helps identify rules > > > > in the rules list configuration. > > > > > > How long ago did thkernel start allowing this? I'm trying to decide if > > > this is generally applicable or needs some kind of versioning. > > > > I wasn't aware it was disallowed previously. I'll try to dig out if > > that was previously refused. > > I see nothing obvious going back to its introduction: > 5adc8a6adc91 2006-06-14 ("add rule filterkey") I think I remember that it was never supported because it didn't make sense to have a key that would never be used for anything. Exclude supresses records just like a 'never' action. The key is rejected to catch someone's attention that they might have made a copy and paste to the wrong filter. -Steve