Dalibor Pospíšil

Results: 27 comments by Dalibor Pospíšil

I fully understand. If I have some time and dig into the code, I may come up with a patch.

Actually, I did not realize it is Java, and I do not know Java well. So I probably won't come up with a patch :-(

Actually, I agree with @rmetrich that his use case is more common, so I would not hesitate to even change the default. I think it is a much nicer situation that rsyslog...

It would also be good if the logging could happen to every configured destination at the same time. I.e. `deny_log` would emit an _audit message_, a _syslog message_ and a _debug message_ if...

I'm not sure what you mean by override. There would not be any concurrent settings / rules. The rule would say send an audit message and the configuration would define where...

Let me revise this idea again and explain it a bit better, hopefully. I have basically two reasons for this feature: 1. no need to change the default rules just...

During my testing I was able to trigger the events on rhel-8 via a service restart; however, I also saw other ppids.

```
rule=1 dec=allow perm=execute auid=-1 pid=538593 ppid=2 exe=kworker/u6:3...
```

There are publicly available tests in [1]. It should be quite easy to enable it via packit. I plan to create a PR for that but I did not get...

The scriptlet uses `rpm -V` directly to check for changes of _fapolicyd.rules_. A better way would be to use some internal call, but I do not know if there is any.

There's also an updated test for the updated behavior: https://github.com/RedHat-SP-Security/tests/tree/sopos-rules-d-default-rules-maintained/fapolicyd/Sanity/rules-d