From mboxrd@z Thu Jan 1 00:00:00 1970 From: Daniel Neuberger Subject: Error deleting rule during shutdown with -e 2 Date: Wed, 12 Oct 2011 11:12:55 -0400 Message-ID: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; Format="flowed" Content-Transfer-Encoding: 7bit Return-path: Received: from mx1.redhat.com (ext-mx14.extmail.prod.ext.phx2.redhat.com [10.5.110.19]) by int-mx09.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id p9CFF87u007330 for ; Wed, 12 Oct 2011 11:15:08 -0400 Received: from lo.gmane.org (lo.gmane.org [80.91.229.12]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id p9CFF7HZ007402 for ; Wed, 12 Oct 2011 11:15:07 -0400 Received: from list by lo.gmane.org with local (Exim 4.69) (envelope-from ) id 1RE0WP-0007is-M4 for linux-audit@redhat.com; Wed, 12 Oct 2011 17:15:05 +0200 Received: from 65.196.64.170 ([65.196.64.170]) by main.gmane.org with esmtp (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Wed, 12 Oct 2011 17:15:05 +0200 Received: from daniel.neuberger by 65.196.64.170 with local (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Wed, 12 Oct 2011 17:15:05 +0200 List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: linux-audit@redhat.com List-Id: linux-audit@redhat.com All, When stopping auditd during a system shutdown, I see the following error: Error deleting rule (Operation not permitted) My audit.rules file looks like: ------------------------ -D [trimmed] -a always,exit -F arch=b32 -S open -S openat -F exit=-EPERM -k access4 -w /etc/sudoers -p wa -k actions -p wax [trimmed] -e 2 ------------------------ The only ways I've found to fix this is to remove the -e 2 option, but we need our rules to be immutable? Also based on looking at the auditd init script, setting AUDITD_CLEAN_STOP=no during shutdown would work, but I don't want to modify the script. Any other ideas? Thanks. - Daniel