Auditd port 60 access in RHEL 5.2

Dan Gruhn Dan.Gruhn at groupw.com
Mon Feb 16 19:12:08 UTC 2009


Can I just upgrade selinux-policy-targeted to the U3 version on a 5.2 
system? It seems like that might cause some other problems.

Dan
Daniel J Walsh wrote:
> Dan Gruhn wrote:
>   
>> Greetings,
>>
>> I am posting here at the suggestion of Steve Grubb from the linux-audit
>> list.  My apologies for being on a Fedora list with a RHEL question, but
>> hopefully the reasoning will be apparent.
>>
>> I have a 64 bit RHEL 5.2 system that I have built and installed all of
>> the necessary packages for the latest audit (1.7.11-1), prelude and
>> prewikka. (I'd rather use Fedora, but the security people are more
>> comfortable with RHEL).  This all seems to be working fine on the
>> central cluster server and now I'm trying to set up clients in the
>> cluster nodes to report their audit information to the server.  I've
>> found the RHEL 5.3 release notes where it says:
>>
>>
>> ...
>>
>>    Because the auditd daemon is protected by SELinux, semanage (the
>>    SELinux policy management tool) must also have the same port listed
>>    in its database. If the server and client machines had all been
>>    configured to use port 60 for example, then running this command
>>    would accomplish this:
>>    semanage port -a -t audit_port_t -p tcp 60
>>
>> ...
>>
>>
>> I'm trying to run the semanage command to let selinux know that port 60
>> is acceptable for audit to use but I get the following error message
>> when I run the command:
>>
>>    # semanage port -a -t audit_port_t -p tcp 60
>>    libsepol.context_from_record: type audit_port_t is not defined
>>    libsepol.context_from_record: could not create context structure
>>    libsepol.port_from_record: could not create port structure for range
>>    60:60 (tcp)
>>    libsepol.sepol_port_modify: could not load port range 60 - 60 (tcp)
>>    libsemanage.dbase_policydb_modify: could not modify record value
>>    libsemanage.semanage_base_merge_components: could not merge local
>>    modifications into policy
>>    /usr/sbin/semanage: Could not add port tcp/60
>>
>> I'm not much of a wiz at selinux, but I can tell that the audit_port_t
>> type doesn't exist.  I'm stuck here because:
>>
>> 1) I don't know how to create new types in selinux
>> 2) Even if I figured that out, I don't know how auditd would know to use
>> that.
>>
>> I've looked at the auditd executable, it has types like this:
>> -rwxr-x---  root root system_u:object_r:auditd_exec_t  /sbin/auditd
>>
>> In talking with Steve I was hoping to somehow get the SELinux policy
>> piece for auditd from 5.3 and add it into the latest audit that I have
>> compiled.  He suggested that:
>>
>>    You need to be using the SE Linux policy from the 5.3 update. Before
>> 5.3, auditd never had a listening port and therefore selinux policy
>> prior to it wouldn't have setup that type. I also think SE Linux policy
>> may default to port 60 even though that port may not be guaranteed in
>> the future.
>>
>>     
>> I told Steve that the system is a stand-alone in a secure environment
>> and it is currently locked into 5.2 as we're working to get it approved
>> by various powers.  When I asked if there was any way to get the SE Linux
>> policy from the 5.3 update as a separate piece he replied:
>>
>>    I was hoping Dan Walsh would answer...its possible, but I don't know
>> if the selinux people pull it with a bunch of other changes into the
>> reference policy or not. You might be able to just get the 5.3 policy
>> and look for the audit files and transplant them into 5.2 policy and
>> diff against original 5.2 policy to make a patch. You might need to ask
>> on the Fedora-selinux mail list or the NSA selinux policy mail list if
>> no one answers soon.
>>
>>     
>> Could someone give me some pointers and/or point me to something I could
>> read to get me going?  I have the 5.3 audit RPMs, but can't seem to find
>> the right pieces.
>>
>> Thanks,
>>
>> Dan
>>
>> -- 
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>     
> Please upgrade to the U3 selinux policy.  That is where this is defined
> I believe.
>
> yum -y upgrade selinux-policy-targeted
>

-- 
Dan Gruhn
Group W Inc.
8315 Lee Hwy, Suite 303
Fairfax, VA, 22031
PH: (703) 752-5831
FX: (703) 752-5851