Bug 828495 - RFE: semanage port generates an audit message when modifying the policy configuration
Summary: RFE: semanage port generates an audit message when modifying the policy confi...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: audit
Version: 7.0
Hardware: All
OS: Linux
high
medium
Target Milestone: rc
Assignee: Steve Grubb
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 829175
Reported: 2012-06-04 19:35 UTC by Milos Malik
Modified: 2014-06-18 04:13 UTC (History)

Fixed In Version: audit-2.3.2-3.el7
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-13 11:02:45 UTC
Target Upstream Version:
Embargoed:



Description Milos Malik 2012-06-04 19:35:58 UTC
Description of problem:


Version-Release number of selected component (if applicable):
policycoreutils-2.1.11-18.el7.x86_64
policycoreutils-newrole-2.1.11-18.el7.x86_64
policycoreutils-python-2.1.11-18.el7.x86_64

How reproducible:
always

Steps to Reproduce:
# semanage port -l | grep zope_port_t
zope_port_t                    tcp      8021
# semanage port -a -t zope_port_t -p tcp 8877
# semanage port -l | grep zope_port_t
zope_port_t                    tcp      8877, 8021
# ausearch -x semanage
<no matches>
#
  
Actual results:
* no audit messages are generated

Expected results:
* proper audit messages are generated

Comment 1 Daniel Walsh 2012-06-04 20:03:40 UTC
Not sure if this is an auditable event.

Comment 2 Steve Grubb 2012-06-05 11:54:56 UTC
Any change to the MAC policy such as changing boolean values, changing labels on ports or files, or enforcement of policy should be audited. Basically, if it affects enforcement, we need it. If there is a value to the setting, we need the previous and the new value. I think we are currently using AUDIT_MAC_CONFIG_CHANGE for the event type, which is a kernel event.

Comment 3 Milos Malik 2012-06-06 07:16:01 UTC
semanage fcontext should also generate some kind of audit message.
semanage module generates an audit message of MAC_POLICY_LOAD type, but it's not clear which module was enabled or disabled.

Comment 4 Daniel Walsh 2012-06-07 18:34:13 UTC
The semanage now has AUDIT_ROLE_ASSIGN and AUDIT_ROLE_REMOVE; these definitions have nothing to do with these changes.

If we want to audit other definitions within semanage it would seem that we need new AUDIT records. Not really sure if we can catch all the data here, since loading a kernel module can make similar changes. Running something that changes the label on an object would be audited if someone was watching.

Comment 5 Daniel Walsh 2012-09-17 18:18:28 UTC
The problem with this is that we also do not audit chcon commands, which can be used to modify the label on a file.

I still have no information on what AUDIT Message should be sent on these changes.

Comment 6 Daniel Walsh 2012-10-16 17:27:26 UTC
If you want audit messages particular to ports or other stuff within semanage, we need either new audit message types or someone to define which type I should use.

Comment 7 Steve Grubb 2013-10-02 16:10:55 UTC
AUDIT_USER_MAC_CONFIG_CHANGE event identifier added upstream. It can be added to packages like this:

#ifndef AUDIT_USER_MAC_CONFIG_CHANGE
#define AUDIT_USER_MAC_CONFIG_CHANGE 2312
#endif

But I will be updating the audit package with this change.

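As an added example (not code from this bug, nor from the audit or policycoreutils projects): a small Python parser that picks semanage port label changes out of an audit log once they are recorded under the new USER_MAC_CONFIG_CHANGE type, which is the record an analyst would hunt for after this fix. The sample records are constructed, and the key names inside msg='...' (resrc, op, lport, proto, tcontext) are an assumption about the layout semanage emits, not something the bug states.

```python
import re

# Constructed sample audit records (assumed layout; real lines carry more fields).
# A MAC_POLICY_LOAD line is included to show that unrelated records are skipped.
SAMPLE_LOG = """\
type=USER_MAC_CONFIG_CHANGE msg=audit(1380720000.123:401): pid=2412 uid=0 auid=1000 ses=3 msg='resrc=port op=add lport=8877 proto=6 tcontext=system_u:object_r:zope_port_t:s0 comm="semanage" exe="/usr/bin/python" hostname=? addr=? terminal=pts/0 res=success'
type=USER_MAC_CONFIG_CHANGE msg=audit(1380720100.456:402): pid=2430 uid=0 auid=1000 ses=3 msg='resrc=port op=delete lport=8877 proto=6 comm="semanage" exe="/usr/bin/python" hostname=? addr=? terminal=pts/0 res=success'
type=MAC_POLICY_LOAD msg=audit(1380720200.789:403): policy loaded auid=1000 ses=3
"""

# key=value tokens; a value may be single- or double-quoted (quotes may nest msg='... comm="x" ...')
_KV = re.compile(r"""(\S+?)=('[^']*'|"[^"]*"|\S+)""")
_HDR = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")

def parse_kv(text):
    """Split 'k=v k2="v 2"' into a dict, dropping the surrounding quotes."""
    out = {}
    for key, val in _KV.findall(text):
        if val[:1] in "'\"" and val[-1:] == val[:1]:
            val = val[1:-1]
        out[key] = val
    return out

def parse_record(line):
    """Return {'type', 'time', 'serial', <outer fields>, 'msg': {<inner fields>}} or None."""
    m = _HDR.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group(1), "time": float(m.group(2)), "serial": int(m.group(3))}
    body = parse_kv(m.group(4))
    inner = body.pop("msg", None)      # the quoted user-space payload, parsed separately
    rec.update(body)
    rec["msg"] = parse_kv(inner) if inner is not None else {}
    return rec

def semanage_port_changes(log_text):
    """Collect port label changes (add/modify/delete) reported by semanage."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if not rec or rec["type"] != "USER_MAC_CONFIG_CHANGE":
            continue
        inner = rec["msg"]
        if inner.get("resrc") != "port":
            continue
        hits.append({"serial": rec["serial"], "auid": rec.get("auid"), "op": inner.get("op"),
                     "lport": int(inner["lport"]), "proto": int(inner["proto"]),
                     "tcontext": inner.get("tcontext"), "res": inner.get("res")})
    return hits

if __name__ == "__main__":
    for change in semanage_port_changes(SAMPLE_LOG):
        print(change)
```
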
Comment 9 Steve Grubb 2013-10-03 13:26:03 UTC
audit-2.3.2-3.el7 added the new identifier.

Comment 14 Ludek Smid 2014-06-13 11:02:45 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

