OSSEC is my favourite linux HIDS however now that I'm running a SELINUX secured web server I noticed that my active responses were not working after a reboot.
After enabling SELINUX, I started getting alerts about the following problem in my messages file....
Nov 11 12:16:22 amy kernel: type=1400 audit(1289477782.569:8): avc: denied { read write } for pid=2551 comm="iptables" path="socket:[5261]" dev=sockfs ino=5261 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_dgram_socket
This appears to be ossec trying to update iptables, but failing as they're in different contexts... now I'm no selinx expert but this CentOS Wiki Page helped... run the following command which will create osseciptables.pp in the current directtory...
root@amy# grep iptable /var/log/messages | audit2allow -M osseciptables
This creates a new binary module that can be installed with....
/usr/sbin/semodule -i osseciptables.pp
You can view current selinux modules with ...
/usr/sbin/semodule -l
If you want to see what is being created by audit to allow, try the following...
root@amy# grep iptable /var/log/messages | audit2allow -m osseciptables
module osseciptables 1.0;
require {
type iptables_t;
type initrc_t;
class unix_dgram_socket { read write };
}
#============= iptables_t ==============
allow iptables_t initrc_t:unix_dgram_socket { read write };
root@amy#
I hope this helps some future googler!