Version-Release number of selected component (if applicable): audit-1.7.3-1.fc9 Steps to Reproduce: 1. auditctl -a exit,always -F path=/etc/anacrontab -F arch=i386 -S afs_syscall -k mydir 2. auditctl -w /etc/anacrontab -F arch=i386 -S afs_syscall -k mydir Actual results: 1. succeeds 2. fails with "-F arch must be before -S" Expected results: 2. succeeds - 1. and 2. are really the same rule.
The second form is expected to fail. The -w rule construct is for backwards compatibility with RHEL4. Its limited to just -k and -p options. Any other option should fail. To use the advanced features of the new rule/watch system, you should express the rules in the form of syscall auditing with a path or dir field option.
Thanks, I have modified system-config-audit to respect these rules. Other users might find them useful, please document them in auditctl(8). The existing error message should be more general, currently the error message reports something that obviously isn't true.
I agree that this could be better explained. I'll see if we can update the man pages as well as auditctl.
A better explanation was added in svn commit 193. Closing this out. Thanks for pointing out the documentation problem.