System:
Linux audit 2.6.32-696.3.2.el6.x86_64 #1 SMP Wed Jun 7 11:51:39 EDT 2017 x86_64 x86_64 x86_64 GNU/Linux
userspace audit-2.4.5-3
Red Hat Enterprise Linux Client release 6.9 (Santiago)
I changed this line in /etc/audit/audit.rules from:
-a exit,always -F arch=b64 -S mount -S umount2 -k mount
to this:
-a exit,always -F arch=b64 -S mount -S umount2 -F subj_type!=nothing_t -k mount
Reloaded my rules, and now doing (as root):
# umount /boot; mount /boot
no longer produces audit events. I did this because on another system
(mls policy, with lots of custom types) I lost the events once I
included some custom types installed and operational on the system, so I
was just trying to reduce this to a reproducible case. I can almost see
that a non-existent type might fail, but it maybe should fail to load?
However, the bigger problem is that trying to add my other valid custom
types into the exclusion on the mls policy machine is causing me to lose
events. Any ideas?
Thx,
LCB
--
LC (Lenny) Bruzenak
lenny(a)magitekltd.com
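
A way to check rule files for the situation the post describes, a `subj_type` filter naming a type the policy does not define, as an added example that is not part of the original post. The function names, the sample rules and the sample type set are constructed for illustration; on a real system the type set would come from the loaded policy, for example the output of `seinfo -t`.

```python
import shlex

# SELinux type fields that can appear in an audit rule's -F filters.
SELINUX_TYPE_FIELDS = ("subj_type", "obj_type")
OPERATORS = ("!=", "=")  # try "!=" first so it is not split at the bare "="

def type_filters(rule_line):
    """Yield (field, op, value) for each SELinux type filter in one rule line."""
    tokens = shlex.split(rule_line, comments=True)  # drops '#' comments
    for flag, arg in zip(tokens, tokens[1:]):
        if flag != "-F":
            continue
        for op in OPERATORS:
            field, sep, value = arg.partition(op)
            if sep and field in SELINUX_TYPE_FIELDS:
                yield field, op, value
                break

def unknown_types(rules_text, policy_types):
    """Return (line number, field, op, value) for types absent from the policy."""
    findings = []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        for field, op, value in type_filters(line):
            if value not in policy_types:
                findings.append((lineno, field, op, value))
    return findings

# Constructed sample: the two rule forms from the post plus a comment line.
SAMPLE_RULES = """\
# mount auditing
-a exit,always -F arch=b64 -S mount -S umount2 -k mount
-a exit,always -F arch=b64 -S mount -S umount2 -F subj_type!=nothing_t -k mount
"""

# Constructed stand-in for the policy's type list (assumption, not real output).
SAMPLE_POLICY_TYPES = {"mount_t", "unconfined_t", "initrc_t"}

if __name__ == "__main__":
    for lineno, field, op, value in unknown_types(SAMPLE_RULES, SAMPLE_POLICY_TYPES):
        print(f"line {lineno}: {field}{op}{value} is not a type in the policy")
```

This only reports filters whose type is missing from the supplied list; it does not explain why events stop when valid custom types are excluded, which is the second problem raised in the post.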