excluding auditd events

I am having difficulty in trying to exclude a certain type of messages 
for certain SELinux types being reported to the auditd daemon.

In particular, I would like to exclude the following from being reported 
(and thus filling up my audit logs unnecessarily):

msgtype={USER_ACCT|CRED_ACQ|USER_START|CRED_DISP|USER_END}
obj_type=crond_t
success=0

When I try to add this as a rule with "auditctl -A exclude,never -F 
msgtype=USER_ACCT -F obj_type=crond_t -F success=0" I get "Only msgtype 
field can be used with exclude filter" which is a bit daft as I wish to 
exclude USER_ACCT message type from being reported *only* for the 
"crond_t" SELinux type. Is there any way I can do this?
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux

