In order to meet certain certification requirements, the NetLabel kernel
subsystem needs to write a small number of audit messages. From what I
can tell this is going to require a new message type as well as
agreement on the content and formatting of the messages themselves. Am
I missing anything?
For the new message type, I would like to propose the following:
#define AUDIT_NLBL 1480
For the messages themselves, here is what I was thinking:
"netlabel: <protocol> op=<operation> pid=<pid> tty=<tty> comm=<name>
 exe=<path> uid=<uid> auid=<auid> euid=<euid> suid=<suid>
 fsuid=<fsuid> gid=<gid> egid=<euid> sgid=<suid> fsgid=<fsuid>
 [<cipsov4 extras>|<management extras>]"
<protocol> => cipsov4 | unlabeled | management
<operation> => (for protocol == cipsov4) add | del
               (for protocol == unlabeled) accept | deny
               (for protocol == management) map_add | map_delete
<cipsov4 extras> => doi=<DOI #> type=<DOI type>
<DOI #> => (CIPSO DOI value, i.e. unsigned 32-bit value)
<DOI type> => std | pass
<management extras> => domain=<domain> protocol=<protocol> [doi=<DOI #>]
<domain> => "(domain string, i.e. foo_t)" | default
Comments and suggestions are welcome.
--
paul moore
linux security @ hp
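As an added example (not part of the message above or of the NetLabel code), here is a small Python parser that validates records in the proposed format: it checks that the op= value matches the protocol, that the common fields are present, and that DOI values fit in 32 bits. The sample records and the command name nlctl are constructed, not captured kernel output.

```python
import re
# Grammar from the proposal: "netlabel: <protocol> op=<operation> <common fields> [extras]"
OPERATIONS = {"cipsov4": {"add", "del"}, "unlabeled": {"accept", "deny"},
              "management": {"map_add", "map_delete"}}
COMMON_FIELDS = ("pid", "tty", "comm", "exe", "uid", "auid", "euid", "suid",
                 "fsuid", "gid", "egid", "sgid", "fsgid")
# key=value tokens; a value is either a double-quoted string (domain strings) or a bare word
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def _check_doi(value):
    """A CIPSO DOI is an unsigned 32-bit value; reject anything outside that range."""
    doi = int(value)
    if not 0 <= doi <= 0xFFFFFFFF:
        raise ValueError("doi %d out of 32-bit range" % doi)
    return doi

def parse_netlabel_audit(line):
    """Parse one record in the proposed format into (protocol, fields); ValueError if malformed."""
    if not line.startswith("netlabel: "):
        raise ValueError("not a netlabel audit record")
    protocol, _, rest = line[len("netlabel: "):].partition(" ")
    if protocol not in OPERATIONS:
        raise ValueError("unknown protocol %r" % protocol)
    fields = {}
    for key, value in _KV.findall(rest):
        if key in fields:                      # a duplicate key would hide the real value; refuse it
            raise ValueError("duplicate field %r" % key)
        fields[key] = value.strip('"')
    if fields.get("op") not in OPERATIONS[protocol]:
        raise ValueError("op %r not valid for %s" % (fields.get("op"), protocol))
    missing = [f for f in COMMON_FIELDS if f not in fields]
    if missing:
        raise ValueError("missing common fields: %s" % ", ".join(missing))
    if protocol == "cipsov4":                  # <cipsov4 extras> => doi=<DOI #> type=std|pass
        fields["doi"] = _check_doi(fields["doi"])
        if fields["type"] not in ("std", "pass"):
            raise ValueError("bad DOI type %r" % fields["type"])
    elif protocol == "management":             # <management extras> => domain= protocol= [doi=]
        if "domain" not in fields or fields.get("protocol") not in OPERATIONS:
            raise ValueError("management record needs domain= and a known protocol=")
        if "doi" in fields:
            fields["doi"] = _check_doi(fields["doi"])
    return protocol, fields

# Constructed sample records in the proposed format (not real kernel output); nlctl is a made-up name
SAMPLE_RECORDS = [
    "netlabel: cipsov4 op=add pid=1234 tty=pts0 comm=nlctl exe=/sbin/nlctl uid=0 auid=500 "
    "euid=0 suid=0 fsuid=0 gid=0 egid=0 sgid=0 fsgid=0 doi=3 type=std",
    'netlabel: management op=map_add pid=1235 tty=pts0 comm=nlctl exe=/sbin/nlctl uid=0 auid=500 '
    'euid=0 suid=0 fsuid=0 gid=0 egid=0 sgid=0 fsgid=0 domain="foo_t" protocol=cipsov4 doi=3',
]
```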