Auditd port 60 access in RHEL 5.2

Daniel J Walsh dwalsh at redhat.com
Mon Feb 16 22:55:21 UTC 2009 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dan Gruhn wrote:
> Can I just upgrade selinux-policy-targeted to the U3 version on a 5.2
> system? It seems like that might cause some other problems.
> 
> Dan
> Daniel J Walsh wrote:
> Dan Gruhn wrote:
>  
>>>> Greetings,
>>>>
>>>> I am posting here a the suggestion of Steve Grubb from the linux-audit
>>>> list.  My apology for being on a Fedora list with a RHEL question but
>>>> hopefully the reasoning will be apparent.
>>>>
>>>> I have a 64 bit RHEL 5.2 system that I have built and installed all of
>>>> the necessary packages for the latest audit (1.7.11-1), prelude and
>>>> prewikka. (I'd rather use Fedora, but the security people are more
>>>> comfortable with RHEL).  This all seems to be working fine on the
>>>> central cluster server and now I'm trying to set up clients in the
>>>> cluster nodes to report their audit information to the server.  I've
>>>> found the  RHEL 5.3 release notes where it says:
>>>>
>>>>
>>>> ...
>>>>
>>>>    Because the auditd daemon is protected by SELinux, semanage (the
>>>>    SELinux policy management tool) must also have the same port listed
>>>>    in its database. If the server and client machines had all been
>>>>    configured to use port 60 for example, then running this command
>>>>    would accomplish this:
>>>>    semanage port -a -t audit_port_t -p tcp 60
>>>>
>>>> ...
>>>>
>>>>
>>>> I'm trying to run the semanage command to let selinux know that port 60
>>>> is acceptable for audit to use but I get the following error message
>>>> when I run the command:
>>>>
>>>>    # semanage port -a -t audit_port_t -p tcp 60
>>>>    libsepol.context_from_record: type audit_port_t is not defined
>>>>    libsepol.context_from_record: could not create context structure
>>>>    libsepol.port_from_record: could not create port structure for range
>>>>    60:60 (tcp)
>>>>    libsepol.sepol_port_modify: could not load port range 60 - 60 (tcp)
>>>>    libsemanage.dbase_policydb_modify: could not modify record value
>>>>    libsemanage.semanage_base_merge_components: could not merge local
>>>>    modifications into policy
>>>>    /usr/sbin/semanage: Could not add port tcp/60
>>>>
>>>> I'm not much of a wiz at selinux, but I can tell that the audit_port_t
>>>> type doesn't exist.  I'm stuck here because:
>>>>
>>>> 1) I don't know how to create new types in selinux
>>>> 2) Even if I figured that out, I don't know how auditd would know to use
>>>> that.
>>>>
>>>> I've looked at the auditd executable, it has types like this:
>>>> -rwxr-x---  root root system_u:object_r:auditd_exec_t  /sbin/auditd
>>>>
>>>> In talking with Steve I was hoping to somehow get the SELinux policy
>>>> piece for auditd from 5.3 the add into the latest audit that I have
>>>> compiled.  He suggested that:
>>>>
>>>>    You need to be using the SE Linux policy from the 5.3 update. Before
>>>> 5.3, auditd never had a listening port and therefore selinux policy
>>>> prior to it wouldn't have setup that type. I also think SE Linux policy
>>>> may default to port 60 even though that port may not be guaranteed in
>>>> the future.
>>>>
>>>>     I told Steve that the system is a stand-alone in a secure
>>>> environment
>>>> and it is currently locked into 5.2 as we're working to get it approved
>>>> by various powers.  When I asked if there any way to get the SE Linux
>>>> policy from the 5.3 update as a separate piece he replied:
>>>>
>>>>    I was hoping Dan Walsh would answer...its possible, but I don't know
>>>> if the selinux people pull it with a bunch of other changes into the
>>>> reference policy or not. You might be able to just get the 5.3 policy
>>>> and look for the audit files and transplant them into 5.2 policy and
>>>> diff against original 52 policy to make a patch. You might need to ask
>>>> on the Fedora-selinux mail list or the NSA selinux policy mail list if
>>>> no one answers soon.
>>>>
>>>>     Could someone give me some pointers and/or point me to something
>>>> I could
>>>> read to get me going?  I have the 5.3 audit RPMs, but can't seem to find
>>>> the right pieces.
>>>>
>>>> Thanks,
>>>>
>>>> Dan
>>>>
>>>> -- 
>>>> fedora-selinux-list mailing list
>>>> fedora-selinux-list at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>>     
> Please upgrade to the U3 selinux policy.  THat is where this is defined
> I believe.
> 
> yum -y upgrade selinux-policy-targeted
>>
- --
fedora-selinux-list mailing list
fedora-selinux-list at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

It should not cause any problems.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkmZ7tkACgkQrlYvE4MpobNFMgCfWOXmxVyfC0PxkrCPmVLZf0OS
ZFUAmwXtfVgrprSpIbZLJWIs4133niS7
=xU1a
-----END PGP SIGNATURE-----

More information about the fedora-selinux-list mailing list