I'm running the sample CAPP rules with the .87 kernel and 1.0.1
audit tools. I'm seeing duplicate watch/inode messages sometimes.
The sample CAPP rules set a watch on all access to /etc/sysconfig
(-w /etc/sysconfig/). I created a file (ljk) in /etc/sysconfig and
when I update it (echo "1" > /etc/sysconfig/ljk) I get audit
records like the ones below. Notice that the FS_WATCH and FS_INODE
lines show up twice. That doesn't seem right. Any ideas?
-- ljk
type=SYSCALL msg=audit(1123701552.619:2552): arch=c0000032 syscall=1028
success=yes exit=3 a0=600000000003bdf0 a1=241 a2=1b6 a3=2 items=1
pid=3711 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 comm="bash" exe="/bin/bash"
type=FS_WATCH msg=audit(1123701552.619:2552): watch_inode=554882
watch="sysconfig" filterkey= perm=0 perm_mask=1
type=FS_INODE msg=audit(1123701552.619:2552): inode=554882 inode_uid=0
inode_gid=0 inode_dev=08:13 inode_rdev=00:00
type=FS_WATCH msg=audit(1123701552.619:2552): watch_inode=554882
watch="sysconfig" filterkey= perm=0 perm_mask=1
type=FS_INODE msg=audit(1123701552.619:2552): inode=554882 inode_uid=0
inode_gid=0 inode_dev=08:13 inode_rdev=00:00
type=CWD msg=audit(1123701552.619:2552): cwd="/home/ljk"
type=PATH msg=audit(1123701552.619:2552): name="/etc/sysconfig/ljk"
flags=310 inode=554882 dev=08:13 mode=040755 ouid=0 ogid=0 rdev=00:00