From: Dan Gruhn <Dan.Gruhn@groupw.com>
To: linux-audit@redhat.com
Subject: Re: Remote audit clients on RHEL 5.2
Date: Tue, 17 Feb 2009 13:43:08 -0500 [thread overview]
Message-ID: <499B053C.3050209@groupw.com> (raw)
In-Reply-To: <200902121338.50329.sgrubb@redhat.com>
I talked with the folks on the fedora-selinux-list and here is the
result of that discussion:
The text file (auditd.te) for the proper SELinux policy module is as
follows:
-----------
module auditd 0.0.3;
require {
class tcp_socket accept;
type auditd_t;
attribute reserved_port_type;
class tcp_socket { name_bind };
}
type audit_port_t;
typeattribute audit_port_t reserved_port_type;
allow auditd_t audit_port_t:tcp_socket { name_bind };
allow auditd_t self:tcp_socket accept;
---------------
Once you have the auditd.te file, you can compile it and check it for
any errors:
checkmodule -M -m -o auditd.mod auditd.te
If you have no errors, you can then package the .mod file:
semodule_package -o auditd.pp -m auditd.pp
After packaging, insert it into SELinux:
semodule -i auditd.pp
You should now be able to find the policy module using the
system-config-selinux GUI.
After all of that, the port can be enable under SELinux as per the RHEL
5.3 release notes:
semanage port -a -t audit_port_t -p tcp 60
My systems are now running clean. Thanks for the help.
Dan
Steve Grubb wrote:
> On Thursday 12 February 2009 12:48:47 pm Dan Gruhn wrote:
>
>> My system is a stand-alone in a secure environment so I can't just run a
>> piece of software and get an update, and it is currently locked into 5.2
>> as we're working to get it approved by various powers. Is there any way
>> to get the SE Linux policy from the 5.3 update as a separate piece?
>>
>
> I was hoping Dan Walsh would answer...its possible, but I don't know if the
> selinux people pull it with a bunch of other changes into the reference
> policy or not. You might be able to just get the 5.3 policy and look for the
> audit files and transplant them into 5.2 policy and diff against original 52
> policy to make a patch. You might need to ask on the Fedora-selinux mail list
> or the NSA selinux policy mail list if no one answers soon.
>
> -Steve
>
--
Dan Gruhn
Group W Inc.
8315 Lee Hwy, Suite 303
Fairfax, VA, 22031
PH: (703) 752-5831
FX: (703) 752-5851
prev parent reply other threads:[~2009-02-17 18:43 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-02-12 17:01 Remote audit clients on RHEL 5.2 Dan Gruhn
2009-02-12 17:43 ` Steve Grubb
2009-02-12 17:48 ` Dan Gruhn
2009-02-13 20:11 ` Central Audit Server with Prelude and Prewikka - RHEL5 Dan Gruhn
2009-02-13 20:27 ` Steve Grubb
2009-02-13 21:45 ` Dan Gruhn
[not found] ` <200902121338.50329.sgrubb@redhat.com>
2009-02-17 18:43 ` Dan Gruhn [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=499B053C.3050209@groupw.com \
--to=dan.gruhn@groupw.com \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.