audit in /selinux directory

Hi All, Some files in /selinux have a weird behavior on audit records... When I try read (or write) some files with no read (or write) permission, I can't get the audit record even when I watch the file. Look at this example: [root@alex tmp]# auditctl -w /selinux/disable [root@alex tmp]# cat /selinux/disable cat: /selinux/disable: Invalid argument [root@alex tmp]# ausearch -i -f /selinux/disable ---- type=PATH msg=audit(03/09/2007 16:23:01.340:29662) : item=0 name=/selinux/disable inode=13 dev=00:0e mode=file,200 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:security_t:s0 type=CWD msg=audit(03/09/2007 16:23:01.340:29662) : cwd=/tmp type=SYSCALL msg=audit(03/09/2007 16:23:01.340:29662) : arch=x86_64 syscall=open success=yes exit=3 a0=7fff74a4a990 a1=0 a2=7fff74a49160 a3=15d93010 items=1 ppid=16073 pid=29020 auid=abat uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 comm=cat exe=/bin/cat subj=abat_u:abat_r:abat_t:s0-s15:c0.c1023 key=(null) The cat command failed and audit is saying "success". A bit strange for me. Could anybody clarify this point for me, please? Best Regards -- Camilo Yamauchi Campo Linux Technology Center Software Engineer camilo(a)br.ibm.com