Dan Gruhn wrote:
> Can I just upgrade selinux-policy-targeted to the U3 version on a 5.2
> system? It seems like that might cause some other problems.
>
> Dan
>
> Daniel J Walsh wrote:
> Dan Gruhn wrote:
>>>> Greetings,
>>>>
>>>> I am posting here at the suggestion of Steve Grubb from the linux-audit
>>>> list. My apology for being on a Fedora list with a RHEL question but
>>>> hopefully the reasoning will be apparent.
>>>>
>>>> I have a 64 bit RHEL 5.2 system that I have built and installed all of
>>>> the necessary packages for the latest audit (1.7.11-1), prelude and
>>>> prewikka. (I'd rather use Fedora, but the security people are more
>>>> comfortable with RHEL). This all seems to be working fine on the
>>>> central cluster server and now I'm trying to set up clients in the
>>>> cluster nodes to report their audit information to the server. I've
>>>> found the RHEL 5.3 release notes where it says:
>>>>
>>>> ...
>>>>
>>>> Because the auditd daemon is protected by SELinux, semanage (the
>>>> SELinux policy management tool) must also have the same port listed
>>>> in its database. If the server and client machines had all been
>>>> configured to use port 60 for example, then running this command
>>>> would accomplish this:
>>>> semanage port -a -t audit_port_t -p tcp 60
>>>>
>>>> ...
>>>>
>>>> I'm trying to run the semanage command to let selinux know that port 60
>>>> is acceptable for audit to use but I get the following error message
>>>> when I run the command:
>>>>
>>>> # semanage port -a -t audit_port_t -p tcp 60
>>>> libsepol.context_from_record: type audit_port_t is not defined
>>>> libsepol.context_from_record: could not create context structure
>>>> libsepol.port_from_record: could not create port structure for range
>>>> 60:60 (tcp)
>>>> libsepol.sepol_port_modify: could not load port range 60 - 60 (tcp)
>>>> libsemanage.dbase_policydb_modify: could not modify record value
>>>> libsemanage.semanage_base_merge_components: could not merge local
>>>> modifications into policy
>>>> /usr/sbin/semanage: Could not add port tcp/60
>>>>
>>>> I'm not much of a wiz at selinux, but I can tell that the audit_port_t
>>>> type doesn't exist. I'm stuck here because:
>>>>
>>>> 1) I don't know how to create new types in selinux
>>>> 2) Even if I figured that out, I don't know how auditd would know to use
>>>> that.
>>>>
>>>> I've looked at the auditd executable, it has types like this:
>>>> -rwxr-x--- root root system_u:object_r:auditd_exec_t /sbin/auditd
>>>>
>>>> In talking with Steve I was hoping to somehow get the SELinux policy
>>>> piece for auditd from 5.3, then add it into the latest audit that I have
>>>> compiled. He suggested that:
>>>>
>>>> You need to be using the SE Linux policy from the 5.3 update. Before
>>>> 5.3, auditd never had a listening port and therefore selinux policy
>>>> prior to it wouldn't have set up that type. I also think SE Linux policy
>>>> may default to port 60 even though that port may not be guaranteed in
>>>> the future.
>>>>
>>>> I told Steve that the system is a stand-alone in a secure environment
>>>> and it is currently locked into 5.2 as we're working to get it approved
>>>> by various powers. When I asked if there was any way to get the SE Linux
>>>> policy from the 5.3 update as a separate piece he replied:
>>>>
>>>> I was hoping Dan Walsh would answer... it's possible, but I don't know
>>>> if the selinux people pull it with a bunch of other changes into the
>>>> reference policy or not. You might be able to just get the 5.3 policy
>>>> and look for the audit files and transplant them into 5.2 policy and
>>>> diff against original 5.2 policy to make a patch. You might need to ask
>>>> on the Fedora-selinux mail list or the NSA selinux policy mail list if
>>>> no one answers soon.
>>>>
>>>> Could someone give me some pointers and/or point me to something I could
>>>> read to get me going? I have the 5.3 audit RPMs, but can't seem to find
>>>> the right pieces.
>>>>
>>>> Thanks,
>>>>
>>>> Dan
>>>>
>>>> --
>>>> fedora-selinux-list mailing list
>>>> fedora-selinux-list@xxxxxxxxxx
>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>>
> Please upgrade to the U3 selinux policy. That is where this is defined
> I believe.
>
> yum -y upgrade selinux-policy-targeted

It should not cause any problems.
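As an added example, not code from the thread or from any Red Hat tool: a POSIX shell helper that parses `semanage port -l` style output to confirm the loaded policy actually defines a port type before `semanage port -a` is attempted, so the libsepol "type audit_port_t is not defined" failure quoted above is caught up front with a pointer to upgrade selinux-policy-targeted. The listing is constructed, and the `add_port_label` wrapper is a hypothetical name.

```shell
# Added example, not from the thread. The helpers read `semanage port -l`
# style lines ("type  proto  port[, port | lo-hi ...]") on stdin.
# port_type_defined TYPE: succeed if TYPE has any entry in the listing.
port_type_defined() {
    while read -r t proto ports; do
        [ "$t" = "$1" ] && return 0
    done
    return 1
}
# port_mapped TYPE PROTO PORT: succeed if PORT already falls inside one of
# TYPE's PROTO entries (single ports or lo-hi ranges).
port_mapped() {
    while read -r t proto ports; do
        [ "$t" = "$1" ] && [ "$proto" = "$2" ] || continue
        oldifs=$IFS; IFS=','
        for p in $ports; do
            p=$(printf '%s' "$p" | tr -d ' ')
            case "$p" in
                *-*) lo=${p%-*}; hi=${p#*-} ;;
                *)   lo=$p; hi=$p ;;
            esac
            if [ "$3" -ge "$lo" ] && [ "$3" -le "$hi" ]; then
                IFS=$oldifs; return 0
            fi
        done
        IFS=$oldifs
    done
    return 1
}
# add_port_label TYPE PROTO PORT (hypothetical wrapper): only call
# `semanage port -a` when the policy defines TYPE and PORT is not yet labelled.
add_port_label() {
    list=$(semanage port -l) || return 2
    if ! printf '%s\n' "$list" | port_type_defined "$1"; then
        echo "policy does not define $1: upgrade selinux-policy-targeted first" >&2
        return 1
    fi
    printf '%s\n' "$list" | port_mapped "$1" "$2" "$3" && return 0
    semanage port -a -t "$1" -p "$2" "$3"
}
# Constructed sample listing, shaped like `semanage port -l` on a 5.3 policy.
SAMPLE='SELinux Port Type  Proto  Port Number
audit_port_t  tcp  60
http_port_t  tcp  80, 443, 488, 8008, 8009, 8443
zebra_port_t  tcp  2600-2604'
printf '%s\n' "$SAMPLE" | port_type_defined audit_port_t && echo "audit_port_t is defined"
printf '%s\n' "$SAMPLE" | port_mapped zebra_port_t tcp 2602 && echo "tcp/2602 already labelled"
```

On a 5.2 policy the same check fails for audit_port_t, which is exactly the condition the upgrade in the reply fixes.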