Hey Steve,
In the DAEMON_END message, it seems like the subj context is cut short:
type=DAEMON_END msg=audit(1153997923.281:9429) auditd normal halt,
sending auid=0 pid=3218 subj=root:staff_r:staff, auditd pid=3209
vs
type=CONFIG_CHANGE msg=audit(1153997824.379:314): audit_enabled=1 old=1
by auid=0 subj=root:staff_r:staff_t:s0-s15:c0.c255
CONFIG_CHANGE and others include the MLS label, but DAEMON_END does
not... is this by design or an oversight?
Thanks,
Mike
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
