Re: [PATCH] Add SELinux context support to AUDIT target

I think this new information should be added at the end of the string.
In other words:

type=NETFILTER_PKT msg=audit(1305852240.082:31012): action=0 hook=3 len=52 inif=? outif=eth0 saddr=10.1.1.7 daddr=10.1.2.1 ipid=16312 proto=6 sport=56150 dport=22 subj=system_u:object_r:sshd_packet_t:s0

As I am currently discussing this very issue (adding SELinux context to AUDIT) on the audit mail list, it was pointed out that "subj" should actually be "obj" as this is an object (i.e. a packet) on which this is applied, so that would ultimately mean:

type=NETFILTER_PKT msg=audit(1305852240.082:31012): action=0 hook=3 len=52 inif=? outif=eth0 saddr=10.1.1.7 daddr=10.1.2.1 ipid=16312 proto=6 sport=56150 dport=22 obj=system_u:object_r:sshd_packet_t:s0

I also need to check as I think the order is also important, otherwise ausearch/aureport may skip this due to "misconfiguration".
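An added example, not part of the original message or of the audit or netfilter code: a small Python parser for the NETFILTER_PKT record quoted above. It reports whether the SELinux label arrives as `obj` or `subj` and whether it is the last field. The function names are hypothetical, and the parser assumes space-separated `key=value` fields with no quoted values, as in the sample.

```python
import re

# Constructed sample: the record proposed in the message above, label last.
SAMPLE = ("type=NETFILTER_PKT msg=audit(1305852240.082:31012): action=0 hook=3 "
          "len=52 inif=? outif=eth0 saddr=10.1.1.7 daddr=10.1.2.1 ipid=16312 "
          "proto=6 sport=56150 dport=22 obj=system_u:object_r:sshd_packet_t:s0")

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$")


def parse_record(line):
    """Split an audit record into type, timestamp, serial and ordered fields."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError("not an audit record")
    rtype, stamp, serial, body = m.groups()
    fields = []
    for tok in body.split():
        key, sep, val = tok.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed field: {tok!r}")
        fields.append((key, val))  # keep order: position matters here
    return {"type": rtype, "time": stamp, "serial": int(serial), "fields": fields}


def split_context(ctx):
    """Split user:role:type[:level]; an MLS/MCS level may contain colons."""
    parts = ctx.split(":", 3)
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError(f"not an SELinux context: {ctx!r}")
    level = parts[3] if len(parts) == 4 else None
    return {"user": parts[0], "role": parts[1], "type": parts[2], "level": level}


def packet_label(line):
    """Return the label's key, whether it is the final field, and its parts."""
    rec = parse_record(line)
    keys = [k for k, _ in rec["fields"]]
    values = dict(rec["fields"])
    key = next((k for k in ("obj", "subj") if k in values), None)
    if key is None:
        return None  # record carries no SELinux label
    return {"key": key, "is_last": keys[-1] == key,
            "context": split_context(values[key])}


if __name__ == "__main__":
    print(packet_label(SAMPLE))
```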