Hello, The audit_rule_syscallbyname() function in libaudit currently doesn't work for any system calls other than "all". This is because it depends on a previous setting of the audit_elf global variable. This has been unnoticed so far because auditctl defines an audit_elf global and sets it before calling this routine. Arguably, libaudit shouldn't be using a global this way, but this patch fixes the immediate problem. Thanks, Amy diff -Nrup audit-1.0.8/lib/libaudit.c audit-1.0.8-new/lib/libaudit.c --- audit-1.0.8/lib/libaudit.c 2005-10-17 13:40:22.000000000 -0400 +++ audit-1.0.8-new/lib/libaudit.c 2005-11-01 13:43:13.013425856 -0500 @@ -588,7 +588,10 @@ int audit_rule_syscallbyname(struct audi rule->mask[i] = ~0; return 0; } - machine = audit_elf_to_machine(audit_elf); + if (!audit_elf) + machine = audit_detect_machine(); + else + machine = audit_elf_to_machine(audit_elf); if (machine < 0) return -2; nr = audit_name_to_syscall(scall, machine);