From mboxrd@z Thu Jan 1 00:00:00 1970
From: Linda Knippers
Subject: Re: [PATCH] Disable from user-space the addition of an exclude, never rule
Date: Fri, 02 Jun 2006 11:37:35 -0400
Message-ID: <44805B3F.2000201@hp.com>
References: <44805735.8090608@us.ibm.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
In-Reply-To: <44805735.8090608@us.ibm.com>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Michael C Thompson
Cc: Linux Audit
List-Id: linux-audit@redhat.com

Michael C Thompson wrote:
> Below is a patch which will cause auditctl to report that exclude,never
> is a meaningless rule construct. This patch was written as it was deemed
> that exclude,never does not make sense based on the man-pages, and that
> exclude,always and exclude,never are functionally equivalent.

While the word "always" makes more sense than the word "never",
the description of "always" in the manpage is confusing when applied
to the "exclude" list, since "always" means to always generate an
audit record.

Maybe "exclude" doesn't need an action as sort of an action itself.
Or maybe the text for "always" should be updated to describe
what it means for different lists.

-- ljk