AUDIT_NETFILTER_PKT message format

Paul Moore paul at paul-moore.com
Tue Jan 17 20:17:47 UTC 2017


On Tue, Jan 17, 2017 at 11:12 AM, Richard Guy Briggs <rgb at redhat.com> wrote:
> On 2017-01-17 08:55, Steve Grubb wrote:
>> On Tuesday, January 17, 2017 12:25:51 AM EST Richard Guy Briggs wrote:

...

>> > Ones that are not so straightforward:
>> > - "secmark" depends on a kernel config setting, so should it always be
>> >   present but "(none)" if that kernel feature is compiled out?
>>
>> If this is selinux related, I'd treat it the same way that we do subj
>> everywhere else.
>
> Ok.

To be clear, a packet's secmark should be recorded via a dedicated
field, e.g. "secmark", and not use the "subj" field (it isn't a
subject label in the traditional sense).

-- 
paul moore
www.paul-moore.com

More information about the Linux-audit mailing list