Basic audit test fails

I'm having trouble getting started with audit on FC4. First, it appears I don't have file watch enabled in my kernel. Is file watch enabled in the FC5 kernel, or still only in RHEL? Second, I tried a basic test to audit files opened by a specific user (per the auditctl man page) but it doesn't seem to work: ------------>8------------ [root@localhost ~]# auditctl -a exit,always -S open -F loginuid=600 audit.log: type=CONFIG_CHANGE msg=audit(1142975396.109:6629): auid=4294967295 added an audit rule [develop@localhost ~]$ id uid=600(develop) gid=600(develop) groups=600(develop) context=user_u:system_r:unconfined_t [develop@localhost ~]$ echo foo >> temp audit.log: <NO OUTPUT TO AUDIT LOG> [root@localhost ~]# auditctl -s AUDIT_STATUS: enabled=1 flag=1 pid=26244 rate_limit=0 backlog_limit=256 lost=0 backlog=0 [root@localhost ~]# auditctl -l AUDIT_LIST: exit,always auid=600 (0x258) syscall=open File system watches not supported audit.log: type=SELINUX_ERR msg=audit(1142975791.439:6635): SELinux: unrecognized netlink message type=1009 for sclass=49 type=SYSCALL msg=audit(1142975791.439:6635): arch=40000003 syscall=102 success=no exit=-22 a0=b a1=bfb89970 a2=805a5dc a3=10 items=0 pid=27498 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="auditctl" exe="/sbin/auditctl" type=SOCKADDR msg=audit(1142975791.439:6635): saddr=100000000000000000000000 type=SOCKETCALL msg=audit(1142975791.439:6635): nargs=6 a0=3 a1=bfb8dbec a2=10 a3=0 a4=bfb8fd08 a5=c [root@localhost ~]# uname -a Linux localhost.localdomain 2.6.11-1.1369_FC4 #1 Thu Jun 2 22:55:56 EDT 2005 i686 i686 i386 GNU/Linux [root@localhost ~]# getenforce Enforcing ------------8<------------ Should this experiment have produced any output to audit.log when the user wrote to a file? If not, why not? If so, could the stuff being logged during the rules listing indicate a problem, or are those "unrecognized netlink messages" normal? Thanks for any help, Steve Brueckner, ATC-NY