Linda Knippers wrote:
> Thanks for sending the audit records.
>
>> # netlabelctl unlbl accept on
>>
>>type=UNKNOWN[1406] msg=audit(1159362394.806:420): netlabel: module=unlbl
>>action=accept auid=0 uid=0 euid=0 tty=pts0 pid=6711 comm="netlabelctl"
>>exe="/usr/local/sbin/netlabelctl"
>>
>> (there is also an audit message for "unlbl accept off" which changes
>> "action=accept" to "action=deny")
>
> One nit-picky comment is that once the user-space tools know about the
> message type and insert "MAC_UNLBL_ACCEPT" as the type, the module=
> and action= fields will be somewhat redundant. I think the same is
> true for the other types of audit records. You could omit the switch
> statement in netlbl_audit_start_common() and shorten the audit records
> if we rely on the audit record type to provide that module/action information.

I've received similar comments from others as well; I plan on dropping
those two fields in the next release of the patch. Speaking of which, I
should have the next release out later today; I'm just waiting on some
feedback to see if it meets all of the LSPP certification requirements.

--
paul moore
linux security @ hp

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit