What is expected: exclude action on the never list?

Hey Steve, I'm doing some testing (a rare occurrence I know), and I've noticed that when the active rules are: auditctl -a entry,always -S chmod auditctl -a exclude,always -F msgtype=SYSCALL The chmod actions are not logged. Now this is what I would expect to happen when just reading those lines, not knowing about the internal workings of audit. However, if the rules are auditctl -a entry,always -S chmod auditctl -a exclude,never -F msgtype=SYSCALL the chmod actions are not logged either. I would read the second rule as saying "do not exclude messages of type SYSCALL". Is this a correct interpretation of the rule? Thanks, Mike