On Monday, August 04, 2014 08:58:30 PM Tetsuo Handa wrote:
> Hello.
> I tried to audit the write syscall on /dev/watchdog in order to check
> https://access.redhat.com/site/solutions/707563 .
> I expected that I could do it using
> # auditctl -a exit,always -F filetype=character -F devmajor=10 -F devminor=130 -F arch=b64 -S write -k watchdog
> but it did not work (even
> # auditctl -a exit,always -F filetype=character -F arch=b64 -S write -k watchdog
> did not work).
The rule matcher only uses the information readily at hand during a syscall.
The write syscall is
ssize_t write(int fd, const void *buf, size_t count);
You can match on anything being passed, like a0=4 or any property of the
caller. But it will not know that in this case a0 is an FD and it was opened
in another syscall and it goes to /dev/watchdog. What is more likely to work
is simply:
-a exit,always -w /dev/watchdog -p wa -k watchdog
It will detect the opening with write permissions, but not the individual
writes.
> Is this functionality not implemented?
It's too much indirection for the current system. I also don't expect that to
change.
> Should I do
> # stap -d hpwdt -e 'probe module("hpwdt").function("hpwdt_ping") { printf("%u\n", gettimeofday_ns()); }'
> instead (if I can't use this functionality)?
If you have to watch writes and you know with some certainty which descriptor
the program always uses and which selinux type it uses (assuming hpwdt_t
below), you might be able to do something like:
-a exit,always -F arch=b64 -S write -F a0=4 -F subj_type=hpwdt_t
If you know the buffer size used in the program, you might add -F a2=X where X
is the buffer size to help identify writes to the correct descriptor if the
descriptor gets reused.
-Steve
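Steve's point is that the kernel rule matcher sees a0 only as a number and cannot tie it back to /dev/watchdog; that indirection can be resolved after the fact in userspace. If the -w watch logs the open (with its PATH record) and a syscall rule also logs the process's write and close calls, a post-processor can replay open/close per pid and attribute each write to the path its descriptor was opened on, including the fd-reuse case Steve mentions. The script below is an added example, not from the thread or the audit project; the log records, the comm name and the field values are constructed, and it assumes x86_64 syscall numbers.

```python
import re
from collections import defaultdict

# Constructed sample records (invented for this example, not from the thread):
# pid 1234 opens /dev/watchdog as fd 4, writes, closes it, then reuses fd 4 for a log file.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1407170310.100:101): arch=c000003e syscall=2 success=yes exit=4 a0=7fff1 a1=1 a2=0 a3=0 pid=1234 comm="wdkeeper" key="watchdog"
type=PATH msg=audit(1407170310.100:101): item=0 name="/dev/watchdog" inode=1035 dev=00:05 mode=020600
type=SYSCALL msg=audit(1407170311.100:102): arch=c000003e syscall=1 success=yes exit=1 a0=4 a1=7fff2 a2=1 a3=0 pid=1234 comm="wdkeeper"
type=SYSCALL msg=audit(1407170312.100:103): arch=c000003e syscall=3 success=yes exit=0 a0=4 a1=0 a2=0 a3=0 pid=1234 comm="wdkeeper"
type=SYSCALL msg=audit(1407170313.100:104): arch=c000003e syscall=2 success=yes exit=4 a0=7fff3 a1=1 a2=0 a3=0 pid=1234 comm="wdkeeper"
type=PATH msg=audit(1407170313.100:104): item=0 name="/var/log/wd.log" inode=2048 dev=fd:01 mode=0100644
type=SYSCALL msg=audit(1407170314.100:105): arch=c000003e syscall=1 success=yes exit=1 a0=4 a1=7fff4 a2=1 a3=0 pid=1234 comm="wdkeeper"
"""
SYS_WRITE, SYS_OPEN, SYS_CLOSE, SYS_OPENAT = 1, 2, 3, 257  # x86_64 (arch=c000003e)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(log_text):
    """Group records by audit serial: serial -> {"SYSCALL": fields, "PATH": [names]}."""
    events = defaultdict(lambda: {"SYSCALL": None, "PATH": []})
    for line in log_text.splitlines():
        f = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        serial = int(f["msg"].split(":")[1].rstrip(")"))  # msg=audit(TIME:SERIAL):
        if f["type"] == "SYSCALL":
            events[serial]["SYSCALL"] = f
        elif f["type"] == "PATH":
            events[serial]["PATH"].append(f["name"])
    return events

def attribute_writes(log_text, target="/dev/watchdog"):
    """Return [(serial, pid, byte count)] for write() records whose descriptor was
    opened on `target`. The kernel matcher only sees a0 as a number; here the
    fd -> path step is replayed per pid from the open/close records, so a reused
    fd number is not misattributed once the watchdog has been closed."""
    fd_table = defaultdict(dict)  # pid -> {fd: path}
    hits = []
    events = parse_events(log_text)
    for serial in sorted(events):
        sc, paths = events[serial]["SYSCALL"], events[serial]["PATH"]
        if sc is None or sc.get("success") != "yes":
            continue
        pid, nr = int(sc["pid"]), int(sc["syscall"])
        if nr in (SYS_OPEN, SYS_OPENAT) and paths:
            # Last PATH item of an open() is the file itself; exit is the new fd.
            fd_table[pid][int(sc["exit"])] = paths[-1]
        elif nr == SYS_CLOSE:
            fd_table[pid].pop(int(sc["a0"], 16), None)
        elif nr == SYS_WRITE and fd_table[pid].get(int(sc["a0"], 16)) == target:
            hits.append((serial, pid, int(sc["a2"], 16)))
    return hits
```

On the sample, only event 102 is attributed to /dev/watchdog; event 105 reuses fd 4 after the close and is correctly left out.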