Hello, What I'm thinking about is either to create a new capabilities message or piggyback the info onto the get status message. What we need to know is what configurable subsystem in included in the kernel. For example, CONFIG_AUDITSYSCALL and CONFIG_AUDITFILESYSTEM should enable individual messages. Any new auditing subsystem in the future would add a message so that old tools can warn about a more capable kernel. Also, when we start doing LSPP, we probably need to known whether or not the kernel supports labled subjects & objects. If we ever split netlink into control and data channels, this would be the place to tell user space. The audit daemon could query capabilities, see the kernel supports dual channel and open another netlink socket. Older kernels won't have this so we stay on the same socket. (Not that this will ever happen...but if it did, this would help tools adapt.) -Steve