It looks like the way the auditing code is using netlink there can only be
one user space process that recieves auditing messages.
Is this correct?
I was looking into using auditing for monitoring the lifetime of a set of
processes, but I don't want my super-init type of component to rule out using
SELinux (or whatever else was planning on consuming auditing messages.)
Assuming I understood the code correctly, would a patch that enabled multiple
auditing consumers be in-line with the goals of the sycall auditing mechanism?
--rusty