The existing check would never trigger since add and del are defaulted to AUDIT_FILTER_UNSET which is not zero. Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com&gt; --- src/auditctl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/auditctl.c b/src/auditctl.c index ca6905b2884e..06bb747c5fd2 100644 --- a/src/auditctl.c +++ b/src/auditctl.c @@ -1020,7 +1020,7 @@ process_keys: } break; case 'p': - if (!add && !del) { + if (add == AUDIT_FILTER_UNSET && del == AUDIT_FILTER_UNSET) { audit_msg(LOG_ERR, "permission option needs a watch given prior to it"); retval = -1; -- 2.27.0