Re: excluding auditd events

> I think no, the man page is not so clear IMHO but the error message 
> is, and I also read the code (sure I could be wrong). BTW, you can 
> add on the top of the audit rule that exclude ALL the USER_ACCT

That's overkill and completely unsuitable in what I am trying to do - 
I need a more fine-grained match. I can't just disable *all* auditing on 
USER_ACCT-type messages - this would open the door to possible 
intrusions, which I won't be able to see if I disable all USER_ACCT-type 
messages. Not a chance of that ever happening!

> -A exit,never -F arch=b64 -S open -F exit=-EACCES -F subj_type=initrc_t -k open
>   
I don't yet know what type of syscalls (if any) there could be. Besides, 
there is nowhere I could find a fairly complete list of those. I have 
emailed to see if I could get on the audit list and ask somebody there for 
advice as I am still in denial that I couldn't enable a more fine-grained 
filter on this.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux

