Fix issue #2020

[ddpbsd]

trafficstars

/bin/diff returns /dev/full on fedora, so remove the /dev check

[sempervictus]

I've been using

  <rule id="730004" level="4">
    <if_sid>510</if_sid>
    <field name="file">bin/mail$|bin/diff$</field>
    <description>False-positive match for rootcheck regex</description>
  </rule>

for this lately - spams on Arch like you wouldn't believe :)