On 26/05/11 19:03, Mr Dash Four wrote:
>> I think this new information should be added at the end of the string.
>>
> In other words:
>
> type=NETFILTER_PKT msg=audit(1305852240.082:31012): action=0 hook=3
> len=52 inif=? outif=eth0 saddr=10.1.1.7 daddr=10.1.2.1 ipid=16312
> proto=6 sport=56150 dport=22 subj=system_u:object_r:sshd_packet_t:s0
>
> As I am currently discussing this very issue (adding SELinux context to
> AUDIT) on the audit mail list, it was pointed out that "subj" should
> actually be "obj" as this is an object (i.e. a packet) on which this is
> applied, so that would ultimately mean:
>
> type=NETFILTER_PKT msg=audit(1305852240.082:31012): action=0 hook=3
> len=52 inif=? outif=eth0 saddr=10.1.1.7 daddr=10.1.2.1 ipid=16312
> proto=6 sport=56150 dport=22 obj=system_u:object_r:sshd_packet_t:s0

OK, that's fine.

> I also need to check as I think the order is also important, otherwise
> ausearch/aureport may skip this due to "misconfiguration".

I was spotting this because we don't want to break any existing FOSS
application that parses the output. Adding things at the end seems to me
like the better way to avoid this?

So, please, make sure that we don't break anything.
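
Added example, not part of the original message and not code from the kernel or the audit tools: a Python sketch of why appending `obj=` is the compatible choice. `parse_positional` is a hypothetical strict consumer that expects the pre-existing fields in order (it does not model how ausearch/aureport actually parse), and the `INSERTED` record is constructed for contrast.

```python
import re

# Field order of the record quoted in the thread, before the new field.
BASE_FIELDS = ["action", "hook", "len", "inif", "outif", "saddr", "daddr",
               "ipid", "proto", "sport", "dport"]
HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")

PREFIX = "type=NETFILTER_PKT msg=audit(1305852240.082:31012): action=0 hook=3 "
REST = ("len=52 inif=? outif=eth0 saddr=10.1.1.7 daddr=10.1.2.1 ipid=16312 "
        "proto=6 sport=56150 dport=22")
OBJ = "obj=system_u:object_r:sshd_packet_t:s0"
APPENDED = PREFIX + REST + " " + OBJ   # record as proposed in the thread
INSERTED = PREFIX + OBJ + " " + REST   # constructed: same field placed mid-record

def fields(line):
    """Split the body of one audit line into ordered (key, value) pairs."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError("not an audit record")
    return [tuple(t.split("=", 1)) for t in m.group(4).split() if "=" in t]

def parse_by_key(line):
    """Order-independent consumer: unknown keys are carried along, not fatal."""
    return dict(fields(line))

def parse_positional(line):
    """Hypothetical strict consumer: BASE_FIELDS must come first, in order.
    Anything after them is ignored, so an appended field is harmless."""
    pairs = fields(line)
    if len(pairs) < len(BASE_FIELDS):
        raise ValueError("record too short")
    out = {}
    for expected, (key, value) in zip(BASE_FIELDS, pairs):
        if key != expected:
            raise ValueError(f"expected {expected!r}, got {key!r}")
        out[key] = value
    return out

def positional_ok(line):
    """True if the strict consumer accepts the record."""
    try:
        parse_positional(line)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    for name, rec in (("appended", APPENDED), ("inserted", INSERTED)):
        print(name, "dport:", parse_by_key(rec)["dport"],
              "positional ok:", positional_ok(rec))
```

The key-based parser reads both layouts; the order-dependent one only survives the appended layout, which is the regression the reply asks to rule out before changing the record.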