On Sunday 21 October 2007, Steve G wrote: [...]
# Feel free to add below this line. See auditctl man page
-a exit,always -S chroot #-a exit,always -S chdir -F obj_type=dhclient_t
I don't know the rule syntax, but just looking at the source, it appears to me that the rule on line 15 is malformed (at least compared to the others).
All of those rules look fine for audit package > 1.3 and kernel probably > 2.6.21. But those rules are not default and would have taken some research to come up with since I know of no public examples of auditing by selinux context.
So what should line 15 look like today?