From: Steve Grubb
Subject: Re: Remote audit clients on RHEL 5.2
Date: Thu, 12 Feb 2009 12:43:03 -0500
Message-ID: <200902121243.03741.sgrubb@redhat.com>
In-Reply-To: <499455ED.3060208@groupw.com>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Thursday 12 February 2009 12:01:33 pm Dan Gruhn wrote:
> I'm not much of a wiz at selinux, but I can tell that the audit_port_t type
> doesn't exist. I'm stuck here because:
>
> 1) I don't know how to create new types in selinux
> 2) Even if I figured that out, I don't know how auditd would know to use
> that.
>
> I've looked at the auditd executable, it has types like this:
> -rwxr-x--- root root system_u:object_r:auditd_exec_t /sbin/auditd
>
> Could someone give me some pointers and/or point me to something I could
> read to get me going?

You need to be using the SE Linux policy from the 5.3 update. Before 5.3,
auditd never had a listening port and therefore selinux policy prior to it
wouldn't have set up that type. I also think SE Linux policy may default to
port 60 even though that port may not be guaranteed in the future.

Another thing that you should do on this is to set up the client's localport to
bind to a port below 1024 and then set the server's tcp_client_ports to check
that the ports are bound to that range as a security precaution.

-Steve
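The precaution Steve describes (client binds a privileged source port, server restricts accepted source ports) is easy to get half right: the client's local_port can be set below 1024 while the server's tcp_client_ports still accepts anything, or the two ranges can simply not overlap. The script below is an added example, not something from this thread or from the audit project; it embeds constructed auditd.conf and audisp-remote.conf fragments (the file paths in the comments, the server name and the port values are assumptions) and checks that the client's local_port is privileged and falls inside the server's tcp_client_ports range. The key names tcp_listen_port, tcp_client_ports, remote_server, port and local_port are the ones used by auditd.conf and audisp-remote.conf; everything else is illustrative.

```shell
#!/bin/sh
# Added example: sanity-check the remote-audit port pairing Steve recommends.
# The config text below is constructed for this example, not copied from a host.

# Server side, normally /etc/audit/auditd.conf (path assumed). tcp_client_ports
# limits the source ports the server accepts; a privileged range means only a
# root-owned process on the client could have opened the connection.
SERVER_CONF='
log_file = /var/log/audit/audit.log
tcp_listen_port = 60
tcp_listen_queue = 5
tcp_client_ports = 1-1023
'

# Client side, normally /etc/audisp/audisp-remote.conf (path assumed).
# local_port is the source port audisp-remote binds before connecting.
CLIENT_CONF='
remote_server = audit-server.example.com
port = 60
local_port = 600
transport = tcp
'

# A client that leaves local_port unprivileged: the server above would refuse it.
BAD_CLIENT_CONF='
remote_server = audit-server.example.com
port = 60
local_port = 5000
transport = tcp
'

# conf_get CONFIG_TEXT KEY -> prints the value of "KEY = value" (first match).
conf_get() {
  printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# check_client_port SERVER_CONF CLIENT_CONF
# Returns 0 when local_port is set, is below 1024, and lies inside the
# server's tcp_client_ports range (either "min-max" or a single port).
check_client_port() {
  server="$1"
  client="$2"
  lp=$(conf_get "$client" local_port)
  range=$(conf_get "$server" tcp_client_ports)
  [ -n "$lp" ] && [ -n "$range" ] || return 1
  lo=${range%-*}
  hi=${range#*-}
  [ "$lp" -ge 1 ] && [ "$lp" -lt 1024 ] || return 1
  [ "$lp" -ge "$lo" ] && [ "$lp" -le "$hi" ] || return 1
  return 0
}

if check_client_port "$SERVER_CONF" "$CLIENT_CONF"; then
  echo "good client: local_port $(conf_get "$CLIENT_CONF" local_port) accepted"
fi
if check_client_port "$SERVER_CONF" "$BAD_CLIENT_CONF"; then
  echo "bad client unexpectedly accepted"
else
  echo "bad client: local_port $(conf_get "$BAD_CLIENT_CONF" local_port) rejected"
fi
```

The check only reflects what the two config files promise each other; on the 5.3 host you still want to confirm that the policy actually knows the listening port (semanage port -l, filtered for the audit port type, shows nothing on a 5.2 policy and the port 60 mapping on 5.3) and that the client really runs as root so that binding below 1024 succeeds.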