Auditd port 60 access in RHEL 5.2

Dan Gruhn Dan.Gruhn at groupw.com
Mon Feb 16 16:12:11 UTC 2009


Greetings,

I am posting here at the suggestion of Steve Grubb from the linux-audit 
list.  My apologies for being on a Fedora list with a RHEL question, but 
hopefully the reasoning will be apparent.

I have a 64 bit RHEL 5.2 system that I have built and installed all of 
the necessary packages for the latest audit (1.7.11-1), prelude and 
prewikka. (I'd rather use Fedora, but the security people are more 
comfortable with RHEL).  This all seems to be working fine on the 
central cluster server and now I'm trying to set up clients in the 
cluster nodes to report their audit information to the server.  I've 
found the RHEL 5.3 release notes where it says:


...

    Because the auditd daemon is protected by SELinux, semanage (the
    SELinux policy management tool) must also have the same port listed
    in its database. If the server and client machines had all been
    configured to use port 60 for example, then running this command
    would accomplish this: 

    semanage port -a -t audit_port_t -p tcp 60

...


I'm trying to run the semanage command to let selinux know that port 60 
is acceptable for audit to use but I get the following error message 
when I run the command:

    # semanage port -a -t audit_port_t -p tcp 60
    libsepol.context_from_record: type audit_port_t is not defined
    libsepol.context_from_record: could not create context structure
    libsepol.port_from_record: could not create port structure for range 60:60 (tcp)
    libsepol.sepol_port_modify: could not load port range 60 - 60 (tcp)
    libsemanage.dbase_policydb_modify: could not modify record value
    libsemanage.semanage_base_merge_components: could not merge local modifications into policy
    /usr/sbin/semanage: Could not add port tcp/60

I'm not much of a wiz at selinux, but I can tell that the audit_port_t 
type doesn't exist.  I'm stuck here because:

1) I don't know how to create new types in selinux
2) Even if I figured that out, I don't know how auditd would know to use 
that.

I've looked at the auditd executable; it has types like this:

    -rwxr-x---  root root system_u:object_r:auditd_exec_t  /sbin/auditd

In talking with Steve I was hoping to somehow get the SELinux policy 
piece for auditd from 5.3 and add it into the latest audit that I have 
compiled.  He suggested that:

    You need to be using the SE Linux policy from the 5.3 update. Before 5.3, auditd never had a listening port and therefore selinux policy prior to it wouldn't have set up that type. I also think SE Linux policy may default to port 60 even though that port may not be guaranteed in the future.


I told Steve that the system is a stand-alone in a secure environment 
and it is currently locked into 5.2 as we're working to get it approved 
by various powers.  When I asked if there was any way to get the SE Linux 
policy from the 5.3 update as a separate piece he replied:

    I was hoping Dan Walsh would answer... it's possible, but I don't know if the selinux people pull it with a bunch of other changes into the reference policy or not. You might be able to just get the 5.3 policy and look for the audit files and transplant them into 5.2 policy and diff against original 5.2 policy to make a patch. You might need to ask on the Fedora-selinux mail list or the NSA selinux policy mail list if no one answers soon.


Could someone give me some pointers and/or point me to something I could 
read to get me going?  I have the 5.3 audit RPMs, but can't seem to find 
the right pieces.

Thanks,

Dan
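The failure above is `semanage` refusing to add a port mapping for a type the loaded policy does not define. The following is an added example, not code from the post or from the audit or semanage projects, showing a pre-flight check a sysadmin could run before `semanage port -a`: it parses the output format of `semanage port -l` (type, protocol, comma-separated ports or ranges, as on RHEL 5), reports what currently owns the port, and flags a type name that no port uses so the error above is caught before touching the policy store. The port listing embedded here is constructed sample data, and the `semanage port -l` format plus the optional `seinfo -t` fallback are assumptions.

```python
"""Pre-flight checks before `semanage port -a -t TYPE -p PROTO PORT`.

Added example (not from the mailing-list post). Assumes the RHEL 5 era
`semanage port -l` output format; the port listing below is constructed.
"""
import re
import shutil
import subprocess
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample of `semanage port -l` output; not captured from a real host.
SAMPLE_PORT_LIST = """\
SELinux Port Type              Proto    Port Number

afs_bos_port_t                 udp      7007
amanda_port_t                  tcp      10080-10083
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
ssh_port_t                     tcp      22
"""

PortMap = Dict[Tuple[str, int], str]  # (proto, port) -> SELinux port type

# One data line: type name, protocol, then ports / ranges separated by commas.
_LINE = re.compile(r"^(\S+)\s+(tcp|udp)\s+([\d ,-]+)$")


def parse_port_list(text: str) -> PortMap:
    """Expand every `semanage port -l` line into (proto, port) -> type."""
    mapping: PortMap = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # header, blank line, or a line we do not understand
        setype, proto, ports = m.groups()
        for item in ports.split(","):
            item = item.strip()
            if "-" in item:  # a range such as 10080-10083
                lo, hi = (int(x) for x in item.split("-", 1))
            else:
                lo = hi = int(item)
            for port in range(lo, hi + 1):
                mapping[(proto, port)] = setype
    return mapping


def known_types(mapping: PortMap) -> Set[str]:
    """Port types that own at least one port in the listing."""
    return set(mapping.values())


def label_for(mapping: PortMap, proto: str, port: int) -> Optional[str]:
    """Type currently assigned to proto/port, or None if unlabeled (unreserved_port_t by default)."""
    return mapping.get((proto, port))


def type_defined_on_host(setype: str) -> Optional[bool]:
    """Ask the loaded policy via `seinfo -t TYPE` (setools); None when seinfo is not installed.

    This is the authoritative check: `semanage port -l` only shows types that
    already own a port, so a defined-but-unused type would not appear there.
    """
    if shutil.which("seinfo") is None:
        return None
    out = subprocess.run(["seinfo", "-t", setype], capture_output=True, text=True)
    return out.returncode == 0 and setype in out.stdout


def preflight(mapping: PortMap, setype: str, proto: str, port: int) -> List[str]:
    """Problems that would make `semanage port -a -t setype -p proto port` fail or do the wrong thing."""
    problems: List[str] = []
    if setype not in known_types(mapping):
        problems.append(
            f"{setype} owns no port in the listing; verify it is defined "
            f"(e.g. `seinfo -t {setype}`) before adding, or semanage will fail "
            f"with 'type {setype} is not defined'"
        )
    current = label_for(mapping, proto, port)
    if current == setype:
        problems.append(f"{proto}/{port} is already labeled {setype}; nothing to add")
    elif current is not None:
        problems.append(f"{proto}/{port} is already labeled {current}; use `semanage port -m`, not -a")
    return problems


if __name__ == "__main__":
    ports = parse_port_list(SAMPLE_PORT_LIST)
    for issue in preflight(ports, "audit_port_t", "tcp", 60) or ["ok to add"]:
        print(issue)
```

On a live host, feed `subprocess.check_output(["semanage", "port", "-l"], text=True)` to `parse_port_list` instead of the sample; the absence of `audit_port_t` from the listing is exactly the situation in the post, and only a policy that defines the type (here, the 5.3 policy) makes the `-a` succeed.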

More information about the fedora-selinux-list mailing list