Remote audit clients on RHEL 5.2
Dan Gruhn
Dan.Gruhn at groupw.com
Tue Feb 17 18:43:08 UTC 2009
I talked with the folks on the fedora-selinux-list and here is the
result of that discussion:
The text file (auditd.te) for the proper SELinux policy module is as
follows:
-----------
module auditd 0.0.3;
require {
class tcp_socket accept;
type auditd_t;
attribute reserved_port_type;
class tcp_socket { name_bind };
}
type audit_port_t;
typeattribute audit_port_t reserved_port_type;
allow auditd_t audit_port_t:tcp_socket { name_bind };
allow auditd_t self:tcp_socket accept;
---------------
Once you have the auditd.te file, you can compile it and check it for
any errors:
checkmodule -M -m -o auditd.mod auditd.te
If you have no errors, you can then package the .mod file:
semodule_package -o auditd.pp -m auditd.pp
After packaging, insert it into SELinux:
semodule -i auditd.pp
You should now be able to find the policy module using the
system-config-selinux GUI.
After all of that, the port can be enable under SELinux as per the RHEL
5.3 release notes:
semanage port -a -t audit_port_t -p tcp 60
My systems are now running clean. Thanks for the help.
Dan
Steve Grubb wrote:
> On Thursday 12 February 2009 12:48:47 pm Dan Gruhn wrote:
>
>> My system is a stand-alone in a secure environment so I can't just run a
>> piece of software and get an update, and it is currently locked into 5.2
>> as we're working to get it approved by various powers. Is there any way
>> to get the SE Linux policy from the 5.3 update as a separate piece?
>>
>
> I was hoping Dan Walsh would answer...its possible, but I don't know if the
> selinux people pull it with a bunch of other changes into the reference
> policy or not. You might be able to just get the 5.3 policy and look for the
> audit files and transplant them into 5.2 policy and diff against original 52
> policy to make a patch. You might need to ask on the Fedora-selinux mail list
> or the NSA selinux policy mail list if no one answers soon.
>
> -Steve
>
--
Dan Gruhn
Group W Inc.
8315 Lee Hwy, Suite 303
Fairfax, VA, 22031
PH: (703) 752-5831
FX: (703) 752-5851
More information about the Linux-audit
mailing list