Or if selinux is in force, create policy for the events you definitely want, then look for those types (either subject or object) in your rule. This is something I've seen before, where renames that are desired to be audited use the provided system tools, but for locally developed application code, they are made to run inside a certain type of a custom executable and then that type is excluded from the rename syscall rule. Ideally, the code which is written would self-audit a 1-liner like "I am going to rename every file under dir /opt/special/stuff/" using audit_log_user_message so you still have some idea what is happening (if you care).

Then your "my-rename" program subject type of my_rename_t can be used as an exclude on the rule. Of course, the caller must then know to use this rather than the standard utilities.


This sounds useful and might solve our problem, will it be possible to share some examples on how this can be achieved?  

--
Anurag Aggarwal