Can I just upgrade selinux-policy-targeted to the U3 version on a 5.2
system? It seems like that might cause some other problems.
Dan
Daniel J Walsh wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Dan Gruhn wrote:
Greetings,
I am posting here a the suggestion of Steve Grubb from the linux-audit
list. My apology for being on a Fedora list with a RHEL question but
hopefully the reasoning will be apparent.
I have a 64 bit RHEL 5.2 system that I have built and installed all of
the necessary packages for the latest audit (1.7.11-1), prelude and
prewikka. (I'd rather use Fedora, but the security people are more
comfortable with RHEL). This all seems to be working fine on the
central cluster server and now I'm trying to set up clients in the
cluster nodes to report their audit information to the server. I've
found the RHEL 5.3 release notes where it says:
...
Because the auditd daemon is protected by SELinux, semanage (the
SELinux policy management tool) must also have the same port listed
in its database. If the server and client machines had all been
configured to use port 60 for example, then running this command
would accomplish this:
semanage port -a -t audit_port_t -p tcp 60
...
I'm trying to run the semanage command to let selinux know that port 60
is acceptable for audit to use but I get the following error message
when I run the command:
# semanage port -a -t audit_port_t -p tcp 60
libsepol.context_from_record: type audit_port_t is not defined
libsepol.context_from_record: could not create context structure
libsepol.port_from_record: could not create port structure for range
60:60 (tcp)
libsepol.sepol_port_modify: could not load port range 60 - 60 (tcp)
libsemanage.dbase_policydb_modify: could not modify record value
libsemanage.semanage_base_merge_components: could not merge local
modifications into policy
/usr/sbin/semanage: Could not add port tcp/60
I'm not much of a wiz at selinux, but I can tell that the audit_port_t
type doesn't exist. I'm stuck here because:
1) I don't know how to create new types in selinux
2) Even if I figured that out, I don't know how auditd would know to use
that.
I've looked at the auditd executable, it has types like this:
-rwxr-x--- root root system_u:object_r:auditd_exec_t /sbin/auditd
In talking with Steve I was hoping to somehow get the SELinux policy
piece for auditd from 5.3 the add into the latest audit that I have
compiled. He suggested that:
You need to be using the SE Linux policy from the 5.3 update. Before
5.3, auditd never had a listening port and therefore selinux policy
prior to it wouldn't have setup that type. I also think SE Linux policy
may default to port 60 even though that port may not be guaranteed in
the future.
I told Steve that the system is a stand-alone in a secure environment
and it is currently locked into 5.2 as we're working to get it approved
by various powers. When I asked if there any way to get the SE Linux
policy from the 5.3 update as a separate piece he replied:
I was hoping Dan Walsh would answer...its possible, but I don't know
if the selinux people pull it with a bunch of other changes into the
reference policy or not. You might be able to just get the 5.3 policy
and look for the audit files and transplant them into 5.2 policy and
diff against original 52 policy to make a patch. You might need to ask
on the Fedora-selinux mail list or the NSA selinux policy mail list if
no one answers soon.
Could someone give me some pointers and/or point me to something I could
read to get me going? I have the 5.3 audit RPMs, but can't seem to find
the right pieces.
Thanks,
Dan
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Please upgrade to the U3 selinux policy. THat is where this is defined
I believe.
yum -y upgrade selinux-policy-targeted
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkmZsiQACgkQrlYvE4MpobPlCQCfce7MlhMVWwl6hdb2CLGoYMhI
Qr4AnjDJ33XSU81FYZyc56oEqacTCW/2
=i41/
-----END PGP SIGNATURE-----
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
--
Dan Gruhn
Group W Inc.
8315 Lee Hwy, Suite 303
Fairfax, VA, 22031
PH: (703) 752-5831
FX: (703) 752-5851
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
