Linux Archive > Redhat > Fedora SELinux Support
Old 02-16-2009, 03:12 PM
Dan Gruhn
 
Auditd port 60 access in RHEL 5.2

Greetings,

I am posting here at the suggestion of Steve Grubb from the linux-audit
list. My apologies for being on a Fedora list with a RHEL question, but
hopefully the reasoning will be apparent.


I have a 64-bit RHEL 5.2 system on which I have built and installed all of
the necessary packages for the latest audit (1.7.11-1), prelude and
prewikka. (I'd rather use Fedora, but the security people are more
comfortable with RHEL.) This all seems to be working fine on the
central cluster server and now I'm trying to set up clients on the
cluster nodes to report their audit information to the server. I've
found the RHEL 5.3 release notes where it says:

...

Because the auditd daemon is protected by SELinux, semanage (the
SELinux policy management tool) must also have the same port listed
in its database. If the server and client machines had all been
configured to use port 60 for example, then running this command
would accomplish this:

semanage port -a -t audit_port_t -p tcp 60

...
I'm trying to run the semanage command to let selinux know that port 60
is acceptable for audit to use but I get the following error message
when I run the command:


# semanage port -a -t audit_port_t -p tcp 60
libsepol.context_from_record: type audit_port_t is not defined
libsepol.context_from_record: could not create context structure
libsepol.port_from_record: could not create port structure for range 60:60 (tcp)
libsepol.sepol_port_modify: could not load port range 60 - 60 (tcp)
libsemanage.dbase_policydb_modify: could not modify record value
libsemanage.semanage_base_merge_components: could not merge local
modifications into policy
/usr/sbin/semanage: Could not add port tcp/60

I'm not much of a wiz at selinux, but I can tell that the audit_port_t
type doesn't exist. I'm stuck here because:


1) I don't know how to create new types in selinux
2) Even if I figured that out, I don't know how auditd would know to use
that.


I've looked at the auditd executable, it has types like this:
-rwxr-x--- root root system_u:object_r:auditd_exec_t /sbin/auditd

In talking with Steve I was hoping to somehow get the SELinux policy
piece for auditd from 5.3 and add it into the latest audit that I have
compiled. He suggested that:


You need to be using the SE Linux policy from the 5.3 update. Before 5.3, auditd never had a listening port and therefore selinux policy prior to it wouldn't have set up that type. I also think SE Linux policy may default to port 60 even though that port may not be guaranteed in the future.

I told Steve that the system is a stand-alone in a secure environment
and it is currently locked into 5.2 as we're working to get it approved
by various powers. When I asked if there was any way to get the SE Linux
policy from the 5.3 update as a separate piece he replied:


I was hoping Dan Walsh would answer... It's possible, but I don't know if the selinux people pull it with a bunch of other changes into the reference policy or not. You might be able to just get the 5.3 policy and look for the audit files and transplant them into 5.2 policy and diff against the original 5.2 policy to make a patch. You might need to ask on the Fedora-selinux mail list or the NSA selinux policy mail list if no one answers soon.

Could someone give me some pointers and/or point me to something I could
read to get me going? I have the 5.3 audit RPMs, but can't seem to find
the right pieces.


Thanks,

Dan

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 02-16-2009, 05:10 PM
Dominick Grift
 
Auditd port 60 access in RHEL 5.2

On Mon, 2009-02-16 at 11:12 -0500, Dan Gruhn wrote:

>
> Could someone give me some pointers and/or point me to something I could
> read to get me going? I have the 5.3 audit RPMs, but can't seem to find
> the right pieces.

The port type is declared in "/policy/modules/kernel/corenetwork.te.in":

network_port(audit, tcp,60,s0)

The policy for how auditd interacts with this port is in
"/policy/modules/system/logging.te":

corenet_tcp_bind_audit_port(auditd_t)
corenet_sendrecv_audit_server_packets(auditd_t)

Both the corenetwork and logging policy are part of the base module.

One could create a custom module to make this work:

mkdir ~/myauditd; cd ~/myauditd;
cat > myauditd.te <<'EOF'
policy_module(myauditd, 0.0.1)

require { type auditd_t; }

# Declare the port type the 5.3 release notes refer to and mark it as a
# reserved (< 1024) port type, the same way corenetwork.te.in does.
type audit_port_t;
corenet_reserved_port(audit_port_t)

# Let auditd bind its listening TCP socket to that port.
allow auditd_t audit_port_t:tcp_socket { name_bind };
EOF
# Empty file-contexts file so the devel Makefile has one to package.
touch myauditd.fc

(sudo yum install selinux-policy-devel)

make -f /usr/share/selinux/devel/Makefile

sudo /usr/sbin/semodule -i myauditd.pp
sudo /usr/sbin/semanage port -a -t audit_port_t -p tcp 60

Disclaimer this example may have errors or may be incomplete. Use it at
your own risk.

auditd_t probably needs more permission to interact with audit_port_t
(connect, send receive packets etc), however one can use audit2allow to
"extend" policy.

hth, Dominick

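The procedure above, as an added example that is not part of Dominick's post or of the RHEL policy: a script that writes the same custom module to disk, builds and loads it, registers tcp/60 only if it is not already labelled, and then checks the `semanage port -l` listing instead of trusting the exit status. It assumes the devel Makefile lives at /usr/share/selinux/devel/Makefile, that the installed base policy provides the corenet_reserved_port interface, and that the `install` step runs as root; the script name build-audit-port.sh and the sample `semanage port -l` lines used to exercise the parser are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: devel Makefile at
# /usr/share/selinux/devel/Makefile, corenet_reserved_port() present in
# the installed base policy, and the install step run as root.
set -u

MODULE=myauditd

# Write the module source into $1 (only touches files, safe to run anywhere).
write_te_module() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/$MODULE.te" <<'EOF'
policy_module(myauditd, 0.0.1)

require {
    type auditd_t;
}

# Port type the RHEL 5.3 release notes expect, marked as a reserved (< 1024) port.
type audit_port_t;
corenet_reserved_port(audit_port_t)

# auditd may bind its listening TCP socket to that port.
allow auditd_t audit_port_t:tcp_socket name_bind;
EOF
    # Empty file-contexts file so the devel Makefile has one to package.
    : > "$dir/$MODULE.fc"
}

# Read `semanage port -l` output on stdin; succeed if <type> covers <port>/<proto>.
# Handles both the "80, 443, 8008" lists and the "32768-61000" ranges semanage prints.
port_registered() {
    awk -v t="$1" -v p="$2" -v proto="${3:-tcp}" '
        $1 == t && $2 == proto {
            for (i = 3; i <= NF; i++) {
                n = split($i, parts, ",")
                for (j = 1; j <= n; j++) {
                    if (parts[j] == "") continue
                    if (split(parts[j], r, "-") == 2) {
                        if (r[1] + 0 <= p + 0 && p + 0 <= r[2] + 0) found = 1
                    } else if (parts[j] + 0 == p + 0) {
                        found = 1
                    }
                }
            }
        }
        END { exit (found ? 0 : 1) }'
}

# Build, load and register the port; needs root and the SELinux userland.
install_module() {
    dir=$1
    make -C "$dir" -f /usr/share/selinux/devel/Makefile "$MODULE.pp" || return 1
    /usr/sbin/semodule -i "$dir/$MODULE.pp" || return 1
    # `semanage port -a` fails if the mapping already exists, so check first.
    /usr/sbin/semanage port -l | port_registered audit_port_t 60 tcp ||
        /usr/sbin/semanage port -a -t audit_port_t -p tcp 60 || return 1
    # Confirm the label SELinux will now apply to tcp/60.
    /usr/sbin/semanage port -l | port_registered audit_port_t 60 tcp
}

# Run as `sh build-audit-port.sh install` to perform the privileged steps.
if [ "${1:-}" = "install" ]; then
    write_te_module "$HOME/$MODULE"
    install_module "$HOME/$MODULE" && echo "tcp/60 is labelled audit_port_t"
fi
```

Without the `install` argument the script only defines the functions, so `write_te_module` and `port_registered` can be exercised on any machine; the name_bind rule is the minimum for auditd to listen, and any further denials (node binding, packet send/receive) still show up in the audit log for audit2allow as Dominick notes.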
 
Old 02-16-2009, 05:36 PM
Daniel J Walsh
 
Auditd port 60 access in RHEL 5.2


Dan Gruhn wrote:
> Could someone give me some pointers and/or point me to something I could
> read to get me going? I have the 5.3 audit RPMs, but can't seem to find
> the right pieces.

Please upgrade to the U3 selinux policy. That is where this is defined,
I believe.

yum -y upgrade selinux-policy-targeted
 
Old 02-16-2009, 06:12 PM
Dan Gruhn
 
Auditd port 60 access in RHEL 5.2

Can I just upgrade selinux-policy-targeted to the U3 version on a 5.2
system? It seems like that might cause some other problems.


Dan
Daniel J Walsh wrote:
> Please upgrade to the U3 selinux policy. That is where this is defined,
> I believe.
>
> yum -y upgrade selinux-policy-targeted



--
Dan Gruhn
Group W Inc.
8315 Lee Hwy, Suite 303
Fairfax, VA, 22031
PH: (703) 752-5831
FX: (703) 752-5851

 
Old 02-16-2009, 09:55 PM
Daniel J Walsh
 
Auditd port 60 access in RHEL 5.2


Dan Gruhn wrote:
> Can I just upgrade selinux-policy-targeted to the U3 version on a 5.2
> system? It seems like that might cause some other problems.

It should not cause any problems.