Thanks for sending the audit records.

> # netlabelctl unlbl accept on
>
> type=UNKNOWN[1406] msg=audit(1159362394.806:420): netlabel: module=unlbl
> action=accept auid=0 uid=0 euid=0 tty=pts0 pid=6711 comm="netlabelctl"
> exe="/usr/local/sbin/netlabelctl"
>
> (there is also an audit message for "unlbl accept off" which changes
> "action=accept" to "action=deny")

One nit-picky comment is that once the user-space tools know about the message type and insert "MAC_UNLBL_ACCEPT" as the type, the module= and action= fields will be somewhat redundant. I think the same is true for the other types of audit records. You could omit the switch statement in netlbl_audit_start_common() and shorten the audit records if we rely on the audit record type to provide that module/action information.

-- ljk
