From: Steve Grubb
Subject: Re: NetLabel audit messages
Date: Fri, 22 Sep 2006 14:06:04 -0400
Message-ID: <200609221406.04068.sgrubb@redhat.com>
In-Reply-To: <45141FA4.5070901@hp.com>
To: linux-audit@redhat.com

On Friday 22 September 2006 13:38, Paul Moore wrote:
> In order to meet certain certification requirements, the NetLabel kernel
> subsystem needs to write a small number of audit messages.

What are the requirements you are addressing? (I have a feeling that it's
similar to what we have to do to file systems.)

> For the messages themselves, here is what I was thinking:
>
>  "netlabel: op= pid= tty= comm=
>             exe= uid= auid= euid=<euid> suid=
>             fsuid= gid= egid= sgid=
>             fsgid= [|]"

This looks very much like a syscall record...would it make sense to do this as
an aux record?

-Steve