Re: AUDIT_NETFILTER_PKT message format

On 2017-01-17 15:17, Paul Moore wrote: > On Tue, Jan 17, 2017 at 11:12 AM, Richard Guy Briggs <rgb(a)redhat.com&gt; wrote: > > On 2017-01-17 08:55, Steve Grubb wrote: > >> On Tuesday, January 17, 2017 12:25:51 AM EST Richard Guy Briggs wrote: > > ... > > >> > Ones that are not so straightforward: > >> > - "secmark" depends on a kernel config setting, so should it always be > >> > present but "(none)" if that kernel feature is compiled out? > >> > >> If this is selinux related, I'd treat it the same way that we do subj > >> everywhere else. > > > > Ok. > > To be clear, a packet's secmark should be recorded via a dedicated > field, e.g. "secmark", and not use the "subj" field (it isn't a > subject label in the traditional sense). I think Steve was talking about if, when or where to include that field, not what its label is.

> paul moore - RGB