The audit rule field types AUDIT_SUBJ_* and AUDIT_OBJ_* are defined generically and used by both SELinux and Smack to identify fields that are interesting to them. If SELinux and Smack are running concurrently both modules will identify audit rules as theirs if either has requested the field. Before I go off and create a clever solution I think it wise to ask if anyone has thought about or has strong opinions on how best to address this unfortunate situation.
We know that SELinux and Smack together is not an especially interesting configuration. It is, however, a grand test case for generality of the solution. Any module that wanted to audit fields that are defined generically will have this sort of problem. Thanks -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
