> dontauditx rules don't seem to work, they require an dontaudit rule but then every ioctl will be audited. > auditallowx rules might have the same problem. After a bit more digging, dontauditx and auditallowx rules only take effect if at least 1 allowx rule is defined. And auditallowx rules appear to require an additional auditallow rule. It is more useful if dontauditx and auditallowx follow the behavior of neverallowx, i.e. take effect by themself without requiring any additional rules. A side effect of this is possibly that dontauditx or auditallowx rules will enable extended permission checks even if no allowx rule is present. For example I want to dontaudit the very common TCGETS ioctl when giving a domain read access to a file. At the same time I want to know about every other ioctl issued against the file, they could be very important. Currently I would actually have to add an allowx rule to do that. I might be able to provide kernel patches. -- bauen1 https://dn42.bauen1.xyz/