Auditd port 60 access in RHEL 5.2
Daniel J Walsh
dwalsh at redhat.com
Mon Feb 16 18:36:20 UTC 2009
Dan Gruhn wrote:
> Greetings,
>
> I am posting here at the suggestion of Steve Grubb from the linux-audit
> list. My apology for being on a Fedora list with a RHEL question, but
> hopefully the reasoning will be apparent.
>
> I have a 64 bit RHEL 5.2 system that I have built and installed all of
> the necessary packages for the latest audit (1.7.11-1), prelude and
> prewikka. (I'd rather use Fedora, but the security people are more
> comfortable with RHEL). This all seems to be working fine on the
> central cluster server and now I'm trying to set up clients in the
> cluster nodes to report their audit information to the server. I've
> found the RHEL 5.3 release notes where it says:
>
>
> ...
>
> Because the auditd daemon is protected by SELinux, semanage (the
> SELinux policy management tool) must also have the same port listed
> in its database. If the server and client machines had all been
> configured to use port 60 for example, then running this command
> would accomplish this:
> semanage port -a -t audit_port_t -p tcp 60
>
> ...
>
>
> I'm trying to run the semanage command to let selinux know that port 60
> is acceptable for audit to use but I get the following error message
> when I run the command:
>
> # semanage port -a -t audit_port_t -p tcp 60
> libsepol.context_from_record: type audit_port_t is not defined
> libsepol.context_from_record: could not create context structure
> libsepol.port_from_record: could not create port structure for range
> 60:60 (tcp)
> libsepol.sepol_port_modify: could not load port range 60 - 60 (tcp)
> libsemanage.dbase_policydb_modify: could not modify record value
> libsemanage.semanage_base_merge_components: could not merge local
> modifications into policy
> /usr/sbin/semanage: Could not add port tcp/60
>
> I'm not much of a wiz at selinux, but I can tell that the audit_port_t
> type doesn't exist. I'm stuck here because:
>
> 1) I don't know how to create new types in selinux
> 2) Even if I figured that out, I don't know how auditd would know to use
> that.
>
> I've looked at the auditd executable, it has types like this:
> -rwxr-x--- root root system_u:object_r:auditd_exec_t /sbin/auditd
>
> In talking with Steve I was hoping to somehow get the SELinux policy
> piece for auditd from 5.3 the add into the latest audit that I have
> compiled. He suggested that:
>
> You need to be using the SE Linux policy from the 5.3 update. Before
> 5.3, auditd never had a listening port and therefore selinux policy
> prior to it wouldn't have setup that type. I also think SE Linux policy
> may default to port 60 even though that port may not be guaranteed in
> the future.
>
>
> I told Steve that the system is a stand-alone in a secure environment
> and it is currently locked into 5.2 as we're working to get it approved
> by various powers. When I asked if there any way to get the SE Linux
> policy from the 5.3 update as a separate piece he replied:
>
> I was hoping Dan Walsh would answer...its possible, but I don't know
> if the selinux people pull it with a bunch of other changes into the
> reference policy or not. You might be able to just get the 5.3 policy
> and look for the audit files and transplant them into 5.2 policy and
> diff against original 52 policy to make a patch. You might need to ask
> on the Fedora-selinux mail list or the NSA selinux policy mail list if
> no one answers soon.
>
>
> Could someone give me some pointers and/or point me to something I could
> read to get me going? I have the 5.3 audit RPMs, but can't seem to find
> the right pieces.
>
> Thanks,
>
> Dan
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Please upgrade to the U3 selinux policy. That is where this is defined,
I believe.
yum -y upgrade selinux-policy-targeted
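The failure in the thread is the type `audit_port_t` simply not existing in the loaded policy, which `semanage` only reports after it has already tried to merge the change. A pre-flight check that inspects the policy first, decides between `semanage port -a` and `semanage port -m`, and refuses to proceed on a policy that lacks the type is what an administrator would want before touching port labels. The script below is an added example, not code from the thread or from the audit or SELinux projects. Its functions take the text of `semanage port -l` as an argument, so they can be exercised on the constructed sample listings embedded here (the port assignments in those samples are made up for illustration and are not taken from any RHEL policy).

```shell
#!/bin/sh
# Added example, not from the original thread: pre-flight check before
# labeling auditd's remote-logging listener port for SELinux.
#
# All functions operate on the text of `semanage port -l`, passed in as an
# argument, so the logic can be exercised offline on the constructed samples
# below. On a real host use: LISTING=$(semanage port -l)

# Constructed sample in the layout `semanage port -l` prints. The port
# assignments are illustrative, not copied from any shipped policy.
SAMPLE_PORT_LIST='SELinux Port Type              Proto    Port Number
audit_port_t                   tcp      60
ssh_port_t                     tcp      22
syslogd_port_t                 udp      514
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
unreserved_port_t              tcp      1024-65535'

# Constructed sample reproducing the pre-5.3 situation from the thread:
# the policy has no audit_port_t at all.
SAMPLE_PORT_LIST_OLD='SELinux Port Type              Proto    Port Number
ssh_port_t                     tcp      22
syslogd_port_t                 udp      514'

# port_type_defined TYPE LISTING: succeeds if TYPE appears in the listing.
# Caveat: a port type with no port assigned does not show up in
# `semanage port -l`; where setools is installed, `seinfo -t TYPE` is the
# definitive check for whether the type exists in the loaded policy.
port_type_defined() {
    printf '%s\n' "$2" |
        awk -v t="$1" 'NR > 1 && $1 == t { found = 1 } END { exit !found }'
}

# port_owner PROTO PORT LISTING: prints the type that has PROTO/PORT as an
# exact single-port entry, or nothing. Range entries such as 1024-65535 are
# deliberately ignored: `semanage port -a` only refuses ("already defined")
# when an entry with exactly that port exists, not when the port merely
# falls inside a policy range.
port_owner() {
    printf '%s\n' "$3" | awk -v proto="$1" -v port="$2" '
        NR > 1 && $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i
                sub(/,$/, "", p)            # strip the list separator
                if (p ~ /-/) continue       # skip lo-hi ranges
                if (p + 0 == port + 0) { print $1; exit }
            }
        }'
}

# plan_port_label TYPE PROTO PORT LISTING: prints the semanage command that
# is appropriate for the current policy state, or a status line. Returns 1
# when the policy does not define TYPE (the thread's failure mode), so a
# caller can stop before semanage produces the libsepol error cascade.
plan_port_label() {
    type=$1; proto=$2; port=$3; listing=$4
    if ! port_type_defined "$type" "$listing"; then
        echo "policy-too-old: $type is not defined; upgrade selinux-policy-targeted first"
        return 1
    fi
    owner=$(port_owner "$proto" "$port" "$listing")
    case $owner in
        "$type") echo "already-labeled: $proto/$port is $type" ;;
        "")      echo "semanage port -a -t $type -p $proto $port" ;;
        *)       echo "note: $proto/$port is currently $owner, modifying" >&2
                 echo "semanage port -m -t $type -p $proto $port" ;;
    esac
}

# Demonstration on the constructed samples; the second run shows the
# refusal on a policy without audit_port_t.
for listing in "$SAMPLE_PORT_LIST" "$SAMPLE_PORT_LIST_OLD"; do
    plan_port_label audit_port_t tcp 60 "$listing" || true
done
```

The printed command is meant to be reviewed and then run by the administrator rather than executed blindly, and the non-zero return on a missing type is the point: it turns the opaque `libsepol.context_from_record: type audit_port_t is not defined` cascade into a single actionable message that says which package to upgrade.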