Hello Steve, I found some code is invalid in auditctl. So I suggested to delete it. Signed-off-by: Zhang Xiliang <zhangxiliang(a)cn.fujitsu.com&gt; --- src/auditctl.c | 10 ++-------- 1 files changed, 2 insertions(+), 8 deletions(-) diff --git a/src/auditctl.c b/src/auditctl.c index b356faa..93e84a0 100644 --- a/src/auditctl.c +++ b/src/auditctl.c @@ -737,12 +737,7 @@ static int setopt(int count, char *vars[]) switch (rc) { case 0: - if (which == OLD && - rule.fields[rule.field_count-1] == - AUDIT_PERM) - audit_permadded = 1; - else if (which == NEW && - rule_new->fields[rule_new->field_count-1] == + if (rule_new->fields[rule_new->field_count-1] == AUDIT_PERM) audit_permadded = 1; break; @@ -1385,8 +1380,7 @@ int key_match(struct audit_reply *rep) } if (((field >= AUDIT_SUBJ_USER && field <= AUDIT_OBJ_LEV_HIGH) && field != AUDIT_PPID) || field == AUDIT_WATCH || - field == AUDIT_WATCH || field == AUDIT_DIR || - field == AUDIT_FILTERKEY) { + field == AUDIT_DIR || field == AUDIT_FILTERKEY) { boffset += rep->ruledata->values[i]; } }