From mboxrd@z Thu Jan 1 00:00:00 1970 From: Dan Gruhn Subject: Re: Remote audit clients on RHEL 5.2 Date: Tue, 17 Feb 2009 13:43:08 -0500 Message-ID: <499B053C.3050209@groupw.com> References: <499455ED.3060208@groupw.com> <200902121243.03741.sgrubb@redhat.com> <499460FF.3050400@groupw.com> <200902121338.50329.sgrubb@redhat.com> Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit Return-path: Received: from mx1.redhat.com (mx1.redhat.com [172.16.48.31]) by int-mx1.corp.redhat.com (8.13.1/8.13.1) with ESMTP id n1HIhKgT001553 for ; Tue, 17 Feb 2009 13:43:20 -0500 Received: from smtp.group-w-inc.com (group-w-inc.com [70.164.45.3]) by mx1.redhat.com (8.13.8/8.13.8) with ESMTP id n1HIh9gn007529 for ; Tue, 17 Feb 2009 13:43:09 -0500 Received: from smtp.group-w-inc.com (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with ESMTP id C7D3EDA009F for ; Tue, 17 Feb 2009 13:43:08 -0500 (EST) Received: from [10.1.1.218] (dgruhn-f9.group-w-inc.com [10.1.1.218]) by smtp.group-w-inc.com (Postfix) with ESMTP id 9252ADA0094 for ; Tue, 17 Feb 2009 13:43:08 -0500 (EST) In-Reply-To: <200902121338.50329.sgrubb@redhat.com> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: linux-audit@redhat.com List-Id: linux-audit@redhat.com I talked with the folks on the fedora-selinux-list and here is the result of that discussion: The text file (auditd.te) for the proper SELinux policy module is as follows: ----------- module auditd 0.0.3; require { class tcp_socket accept; type auditd_t; attribute reserved_port_type; class tcp_socket { name_bind }; } type audit_port_t; typeattribute audit_port_t reserved_port_type; allow auditd_t audit_port_t:tcp_socket { name_bind }; allow auditd_t self:tcp_socket accept; --------------- Once you have the auditd.te file, you can compile it and check it for any errors: checkmodule -M -m -o auditd.mod auditd.te If you have no errors, you can then package the .mod file: semodule_package -o auditd.pp -m auditd.pp After packaging, insert it into SELinux: semodule -i auditd.pp You should now be able to find the policy module using the system-config-selinux GUI. After all of that, the port can be enable under SELinux as per the RHEL 5.3 release notes: semanage port -a -t audit_port_t -p tcp 60 My systems are now running clean. Thanks for the help. Dan Steve Grubb wrote: > On Thursday 12 February 2009 12:48:47 pm Dan Gruhn wrote: > >> My system is a stand-alone in a secure environment so I can't just run a >> piece of software and get an update, and it is currently locked into 5.2 >> as we're working to get it approved by various powers. Is there any way >> to get the SE Linux policy from the 5.3 update as a separate piece? >> > > I was hoping Dan Walsh would answer...its possible, but I don't know if the > selinux people pull it with a bunch of other changes into the reference > policy or not. You might be able to just get the 5.3 policy and look for the > audit files and transplant them into 5.2 policy and diff against original 52 > policy to make a patch. You might need to ask on the Fedora-selinux mail list > or the NSA selinux policy mail list if no one answers soon. > > -Steve > -- Dan Gruhn Group W Inc. 8315 Lee Hwy, Suite 303 Fairfax, VA, 22031 PH: (703) 752-5831 FX: (703) 752-5851