When analyzing the syslog entries, adjusting the time filter to a value less than the latest entry does not remove that entry from displaying.
Replicate:
cp /usr/bin/ls /usr/bin/my-ls
Add deny_syslog perm=open all : trust=1 to the rules file
Start fapolicyd
su to a non-root user
Run my-ls
Let a few minutes pass
Launch fapolicy-analyzer and Analyze -> Syslog
See that there is a syslog entry for my-ls
Adjust the time filter to 1 minute
View that the same syslog entry that is older than 1 minute is still present
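The filtering behaviour this report expects, as an added example (not fapolicy-analyzer's own code): entries older than the selected window are dropped. The sample log lines are constructed, and the traditional year-less syslog timestamp prefix and the names `parse_timestamp` and `filter_recent` are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample lines. The "Mon DD HH:MM:SS" prefix (no year) and the
# message layout are assumptions, not output captured from a real host.
SAMPLE_LOG = """\
Mar  4 10:00:05 host fapolicyd[812]: rule=1 dec=deny_syslog perm=open uid=1000 exe=/usr/bin/my-ls
Mar  4 10:04:40 host fapolicyd[812]: rule=1 dec=deny_syslog perm=open uid=1000 exe=/usr/bin/my-ls
Mar  4 10:04:50 host sshd[900]: unrelated message
"""


def parse_timestamp(line, now):
    """Date a year-less syslog line, choosing the latest year not in the future."""
    stamp = " ".join(line.split()[:3])
    for year in (now.year, now.year - 1):
        try:
            ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        except ValueError:
            continue  # e.g. Feb 29 combined with a non-leap year
        if ts <= now + timedelta(minutes=5):  # tolerate small clock skew
            return ts
    raise ValueError(f"cannot date syslog line: {line!r}")


def filter_recent(log_text, minutes, now):
    """Return fapolicyd lines logged within the last `minutes` before `now`."""
    cutoff = now - timedelta(minutes=minutes)
    kept = []
    for line in log_text.splitlines():
        if "fapolicyd[" not in line:
            continue  # only fapolicyd entries belong in this view
        if parse_timestamp(line, now) >= cutoff:
            kept.append(line)
    return kept


if __name__ == "__main__":
    now = datetime(2024, 3, 4, 10, 5, 0)
    for entry in filter_recent(SAMPLE_LOG, 1, now):
        print(entry)
```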