Remote audit clients on RHEL 5.2

Dan Gruhn Dan.Gruhn at groupw.com
Tue Feb 17 18:43:08 UTC 2009 

I talked with the folks on the fedora-selinux-list and here is the 
result of that discussion:

The text file (auditd.te) for the proper SELinux policy module is as 
follows:
-----------
module auditd 0.0.3;
require {
        class tcp_socket accept;
        type auditd_t;
        attribute reserved_port_type;
        class tcp_socket { name_bind };
}
type audit_port_t;
typeattribute audit_port_t reserved_port_type;
allow auditd_t audit_port_t:tcp_socket { name_bind };
allow auditd_t self:tcp_socket accept;
---------------

Once you have the auditd.te file, you can compile it and check it for 
any errors:

checkmodule -M -m -o auditd.mod auditd.te

If you have no errors, you can then package the .mod file:

semodule_package -o auditd.pp -m auditd.pp

After packaging, insert it into SELinux:

semodule -i auditd.pp

You should now be able to find the policy module using the 
system-config-selinux GUI.

After all of that, the port can be enable under SELinux as per the RHEL 
5.3 release notes:

semanage port -a -t audit_port_t -p tcp 60

My systems are now running clean.  Thanks for the help.

Dan

Steve Grubb wrote:
> On Thursday 12 February 2009 12:48:47 pm Dan Gruhn wrote:
>   
>> My system is a stand-alone in a secure environment so I can't just run a
>> piece of software and get an update, and it is currently locked into 5.2
>> as we're working to get it approved by various powers.  Is there any way
>> to get the SE Linux policy from the 5.3 update as a separate piece?
>>     
>
> I was hoping Dan Walsh would answer...its possible, but I don't know if the 
> selinux people pull it with a bunch of other changes into the reference 
> policy or not. You might be able to just get the 5.3 policy and look for the 
> audit files and transplant them into 5.2 policy and diff against original 52 
> policy to make a patch. You might need to ask on the Fedora-selinux mail list 
> or the NSA selinux policy mail list if no one answers soon.
>
> -Steve
>   

-- 
Dan Gruhn
Group W Inc.
8315 Lee Hwy, Suite 303
Fairfax, VA, 22031
PH: (703) 752-5831
FX: (703) 752-5851

More information about the Linux-audit mailing list