"skip"/"ignore" option for logprof and genprof

Bug #881006 reported by Christian Boltz
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
AppArmor | Fix Released | Wishlist | Unassigned |

Bug Description

logprof and genprof should have an option to ignore/skip an entry in the audit.log _without_ adding an allow or deny rule to the profile. The intention is: it should be possible to postpone the decision about some permissions.

[19:41] <cboltz> I got a feature request to add a "skip" option to logprof/genprof
[19:41] <cboltz> in case someone wants to ignore a log entry without adding an allow or deny rule
[19:41] <cboltz> what do you think about this?
[19:45] <jjohansen> cboltz: I am not opposed, though that was the primary purpose of deny
[19:45] <cboltz> I could argue that logprof had this feature before deny rules were introduced ;-)
[19:45] <jjohansen> basically it was a way of recording that logprof has seen the event and told to skip it.
[19:46] <cboltz> I know
[19:46] <jjohansen> the problem with skip from a logprof pov is you run it through a log and then it exits, and then you run it again it has forgotten what to skip
[19:47] <cboltz> I know, this is exactly what this user requested ;-)
[19:47] <jjohansen> of course from a genprof pov, skip without adding deny rules makes perfect sense
[19:47] <jjohansen> as you never process the same logs twice
[19:47] <jjohansen> cboltz: so sure we can add it, but it's pretty low priority

Christian Boltz (cboltz)
Changed in apparmor:
importance: Undecided → Wishlist
Christian Boltz (cboltz) wrote :

The python utils in bzr trunk have this feature :-)

Changed in apparmor:
status: New → Fix Committed
Steve Beattie (sbeattie)
Changed in apparmor:
milestone: none → 2.9.0
Steve Beattie (sbeattie) wrote :

Apparmor 2.9.0 has been released; closing.

Changed in apparmor:
status: Fix Committed → Fix Released