We need to review the audit labels and permissions given to all applications. The following explains the audit system privileges:

1) CAP_AUDIT_CONTROL - set loginuid, write/delete audit rules
2) CAP_AUDIT_WRITE - write event to netlink socket
3) NETLINK_AUDIT_SOCKET__NLMSG_WRITE - set an audit configuration parameter
4) NETLINK_AUDIT_SOCKET__NLMSG_READ - read an audit configuration parameter
5) NETLINK_AUDIT_SOCKET__NLMSG_RELAY - send an audit event through the kernel to audit daemon
6) NETLINK_AUDIT_SOCKET__NLMSG_READPRIV - list audit rules

A program that simply logs audit events (nscd, passwd) should have 2 & 5
An entry point daemon (login, cron) should have 1, 2, & 5
Auditctl should have 1, 2, 3, 4, 5, & 6
Auditd should have 1, 2, 3, & 4

Version-Release number of selected component (if applicable): selinux-policy-2.4.6-67.el5
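The review the report asks for can be scripted: dump the `self:capability` and `self:netlink_audit_socket` allow rules for the domains in question (for example with `sesearch -A`) and compare each domain's grants against the privilege tier it should be in. The checker below is an added example, not something from the bug report or from the selinux-policy package; the sample rule lines are constructed to resemble setools `sesearch` output, the domain names (nscd_t, passwd_t, login_t, crond_t, auditctl_t, auditd_t) are assumed to be the domains behind the programs named in the report, and the role assignment is taken from the report's four tiers.

```python
import re

# Audit-related privileges, numbered exactly as in the bug report.
# Each entry maps the report's number to (SELinux object class, permission).
PRIV = {
    1: ("capability", "audit_control"),
    2: ("capability", "audit_write"),
    3: ("netlink_audit_socket", "nlmsg_write"),
    4: ("netlink_audit_socket", "nlmsg_read"),
    5: ("netlink_audit_socket", "nlmsg_relay"),
    6: ("netlink_audit_socket", "nlmsg_readpriv"),
}

# Expected privilege sets per role, as stated in the report.
EXPECTED = {
    "logger": {2, 5},              # programs that only emit audit events
    "entry_point": {1, 2, 5},      # login-type daemons that also set loginuid
    "auditctl": {1, 2, 3, 4, 5, 6},
    "auditd": {1, 2, 3, 4},
}

# Assumption: which policy domain plays which role.
ROLE_OF = {
    "nscd_t": "logger",
    "passwd_t": "logger",
    "login_t": "entry_point",
    "crond_t": "entry_point",
    "auditctl_t": "auditctl",
    "auditd_t": "auditd",
}

# Matches both "allow dom self : class { a b } ;" (setools 3 style)
# and "allow dom self:class perm;" (setools 4 style).
RULE_RE = re.compile(
    r"^allow\s+(\S+)\s+self\s*:\s*(capability|netlink_audit_socket)"
    r"\s+(\{[^}]*\}|\S+?)\s*;"
)

# Constructed sample of sesearch-like output (not real policy output).
SAMPLE_RULES = """\
allow nscd_t self : capability { audit_write setuid } ;
allow nscd_t self : netlink_audit_socket { create bind nlmsg_relay } ;
allow passwd_t self : capability { audit_write audit_control } ;
allow passwd_t self : netlink_audit_socket { create nlmsg_relay nlmsg_read } ;
allow login_t self : capability { audit_control audit_write } ;
allow login_t self : netlink_audit_socket { create nlmsg_relay } ;
allow crond_t self : capability { audit_write } ;
allow crond_t self : netlink_audit_socket { nlmsg_relay } ;
allow auditctl_t self : capability { audit_control audit_write } ;
allow auditctl_t self : netlink_audit_socket { nlmsg_write nlmsg_read nlmsg_relay nlmsg_readpriv } ;
allow auditd_t self:capability { audit_control audit_write };
allow auditd_t self:netlink_audit_socket { nlmsg_write nlmsg_read nlmsg_relay };
"""


def parse_rules(text):
    """Return {domain: set of report privilege numbers granted to self}."""
    granted = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        domain, cls, perms = m.groups()
        for perm in perms.strip("{} ").split():
            for num, (pcls, pname) in PRIV.items():
                if pcls == cls and pname == perm:
                    granted.setdefault(domain, set()).add(num)
    return granted


def review(text):
    """Compare granted privileges with the expected tier for each known domain.

    Returns {domain: {"extra": [...], "missing": [...]}} using the report's
    privilege numbers; "extra" is the over-privilege a reviewer would cut.
    """
    granted = parse_rules(text)
    findings = {}
    for domain, role in ROLE_OF.items():
        have = granted.get(domain, set())
        want = EXPECTED[role]
        findings[domain] = {
            "extra": sorted(have - want),
            "missing": sorted(want - have),
        }
    return findings


if __name__ == "__main__":
    for domain, f in review(SAMPLE_RULES).items():
        print(f"{domain:12} extra={f['extra']} missing={f['missing']}")
```

On the constructed sample this flags passwd_t for carrying audit_control and nlmsg_read it does not need, auditd_t for nlmsg_relay, and crond_t for lacking audit_control; the real review would feed it the output of `sesearch` against the installed policy instead of the inline sample.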
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
Fixed in selinux-policy-2.4.6-69
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2007-0544.html