The kernel audit code only creates a socket in the initial network namespace. It should listen and accept data from any network namespace.
Started on it 2013-07-05. eparis suggested starting with register_pernet_subsys(). a test case of: - run clone() or unshare() with CLONE_NEWNET flag - run: ip netns add TESTNET; ip netns exec TESTNET bash; auditctl -s
Posted patch upstream to linux-audit, lkml: https://www.redhat.com/archives/linux-audit/2013-July/msg00027.html https://lkml.org/lkml/2013/7/16/526
This bug appears to have been reported against 'rawhide' during the Fedora 20 development cycle. Changing version to '20'. More information and reason for this action is here: https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora20