On Thu, Jun 4, 2020 at 4:30 PM Stephen Smalley <stephen.smalley.work@xxxxxxxxx> wrote: > On Tue, Jun 2, 2020 at 10:21 AM Topi Miettinen <toiwoton@xxxxxxxxx> wrote: > > > > At least on Debian, /etc/protocols, which is used by > > socket.getprotobyname() to resolve protocols to names, does not > > contain an entry for "ipv4", so let's avoid using > > socket.getprotobyname() since the protocol names are not used in > > socket context anyway. > > > > Signed-off-by: Topi Miettinen <toiwoton@xxxxxxxxx> > > Only concern I have here is that it could change the resulting audit > record content. Not sure how the audit people feel about that. > Maybe ask on linux-audit mailing list? If/when you do, it would be good to show before/after audit records. However, record formatting is a very tricky issue and it's best to not change them unless absolutely necessary. -- paul moore www.paul-moore.com
