Auditd port 60 access in RHEL 5.2

Greetings,

I am posting here at the suggestion of Steve Grubb from the linux-audit list. My apology for being on a Fedora list with a RHEL question, but hopefully the reasoning will be apparent.

I have a 64 bit RHEL 5.2 system that I have built and installed all of the necessary packages for the latest audit (1.7.11-1), prelude and prewikka. (I'd rather use Fedora, but the security people are more comfortable with RHEL). This all seems to be working fine on the central cluster server and now I'm trying to set up clients in the cluster nodes to report their audit information to the server. I've found the RHEL 5.3 release notes where it says:


...

   Because the auditd daemon is protected by SELinux, semanage (the
   SELinux policy management tool) must also have the same port listed
   in its database. If the server and client machines had all been
   configured to use port 60 for example, then running this command
   would accomplish this:
   semanage port -a -t audit_port_t -p tcp 60

...


I'm trying to run the semanage command to let selinux know that port 60 is acceptable for audit to use but I get the following error message when I run the command:

   # semanage port -a -t audit_port_t -p tcp 60
   libsepol.context_from_record: type audit_port_t is not defined
   libsepol.context_from_record: could not create context structure
   libsepol.port_from_record: could not create port structure for range 60:60 (tcp)
   libsepol.sepol_port_modify: could not load port range 60 - 60 (tcp)
   libsemanage.dbase_policydb_modify: could not modify record value
   libsemanage.semanage_base_merge_components: could not merge local modifications into policy
   /usr/sbin/semanage: Could not add port tcp/60

I'm not much of a whiz at SELinux, but I can tell that the audit_port_t type doesn't exist. I'm stuck here because:

1) I don't know how to create new types in selinux
2) Even if I figured that out, I don't know how auditd would know to use that.

I've looked at the auditd executable; it has types like this:
-rwxr-x---  root root system_u:object_r:auditd_exec_t  /sbin/auditd

In talking with Steve I was hoping to somehow get the SELinux policy piece for auditd from 5.3 and then add it into the latest audit that I have compiled. He suggested that:

   You need to be using the SE Linux policy from the 5.3 update. Before 5.3, auditd never had a listening port and therefore selinux policy prior to it wouldn't have setup that type. I also think SE Linux policy may default to port 60 even though that port may not be guaranteed in the future.

I told Steve that the system is a stand-alone in a secure environment and it is currently locked into 5.2 as we're working to get it approved by various powers. When I asked if there was any way to get the SE Linux policy from the 5.3 update as a separate piece he replied:

   I was hoping Dan Walsh would answer... it's possible, but I don't know if the selinux people pull it with a bunch of other changes into the reference policy or not. You might be able to just get the 5.3 policy and look for the audit files and transplant them into 5.2 policy and diff against original 5.2 policy to make a patch. You might need to ask on the Fedora-selinux mail list or the NSA selinux policy mail list if no one answers soon.

Could someone give me some pointers and/or point me to something I could read to get me going? I have the 5.3 audit RPMs, but can't seem to find the right pieces.

Thanks,

Dan

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
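An added example, not part of the post or of the audit package: a small shell script that first checks a "semanage port -l" style listing for the port type before calling semanage, and otherwise emits a minimal local policy module that declares the type and lets auditd_t bind to it. The module name local_audit_port, the sample listing and the use of the port_type attribute are assumptions of this example; the real 5.3 policy may grant auditd_t further socket permissions that audit2allow would reveal.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes a RHEL 5 style
# targeted policy in which the auditd_t domain and the port_type
# attribute already exist; only the audit_port_t type is missing.

# Return 0 if TYPE appears in a "semanage port -l" listing read from stdin.
port_type_listed() {
    grep -q "^$1[[:space:]]"
}

# Emit raw policy-module source declaring PORT_TYPE as a port type and
# allowing auditd_t to bind a TCP socket to it (the "how would auditd
# know" half of the question).
audit_port_module_te() {
    cat <<EOF
module local_audit_port 1.0;
require {
    type auditd_t;
    attribute port_type;
    class tcp_socket name_bind;
}
type $1, port_type;
allow auditd_t $1:tcp_socket name_bind;
EOF
}

# Build and install the module, then label the port. Needs root and the
# checkmodule/semodule tools; not run by the test below.
install_audit_port() {
    audit_port_module_te "$1" > /tmp/local_audit_port.te
    checkmodule -M -m -o /tmp/local_audit_port.mod /tmp/local_audit_port.te
    semodule_package -o /tmp/local_audit_port.pp -m /tmp/local_audit_port.mod
    semodule -i /tmp/local_audit_port.pp
    semanage port -a -t "$1" -p tcp "$2"
}

# Constructed sample listing in the format "semanage port -l" prints,
# with audit_port_t absent, as on the poster's 5.2 system.
SAMPLE_LISTING='SELinux Port Type              Proto    Port Number
afs_bos_port_t                 udp      7007
amanda_port_t                  tcp      10080-10083'

main() {
    if printf '%s\n' "$SAMPLE_LISTING" | port_type_listed audit_port_t; then
        echo "audit_port_t present; semanage port -a should succeed"
    else
        echo "audit_port_t missing; policy defining it is needed first:"
        audit_port_module_te audit_port_t
    fi
}
```

On a real host replace SAMPLE_LISTING with `semanage port -l` output, and run `install_audit_port audit_port_t 60` only after reviewing the generated module.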
