add a warning about a large log volume

Arden97 · Arden97 · commit 65b278f162ee · 2026-02-10T18:35:47.000+01:00
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification_var_lib_selinux/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification_var_lib_selinux/rule.yml
@@ -4,6 +4,8 @@ title: 'Record Events that Modify the System''s Mandatory Access Controls in /va
 
 description: |-
     {{{ describe_audit_rules_watch("/var/lib/selinux/", "MAC-policy") }}}
+    Note that monitoring /var/lib/selinux/ will generate a significant burst of audit events
+    during both selinux-policy* package upgrade and policy rebuild.
 
 rationale: |-
     The system's mandatory access policy (SELinux) should not be
