> ipset isn't part of Fedora, right?

Wrong! It is distributed as rpm in the Fedora Fusion (Free) repo (3 rpms in fact: kmod-xtables-addons, xtables-addons and one additional package - optional - xtables addons with metadata for kernel).

> You just built and installed it from source?

Please read my initial post - installing the above packages (i.e. the 'standard' distribution) makes NO difference whatsoever - I was getting the same alerts regardless of whether I compile and install from source or use the 'standard' distribution packages.

> I think it might be easiest to just label it the same as iptables and
> then shorewall will transition to iptables_t which already has raw IP
> socket access as well as other related permissions. That will be better
> too in that you don't need to directly allow shorewall or anything else
> it runs in-domain to have those permissions.
>
> semanage fcontext -a -t iptables_exec_t /path/to/ipset
> restorecon -v /path/to/ipset

An elegant solution ... but unfortunately it does NOT work - I am getting the same alerts again. The problem (as evident from my initial post on this thread) is that the shorewall init file (normally based in /etc/shorewall/init) executes ipset, which in turn, as you pointed out above, tries to open a raw socket. I am in no way an SELinux expert, but I would assume that the security context in which this executes is shorewall and not the one set in ipset. Anyway, the solution presented by Dominic above works very well, so I may stick with it.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
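The relabelling suggested in the quoted reply only helps if the label really lands on the binary that shorewall's init script execs, and if the policy contains an automatic domain transition from the caller's domain to iptables_t on that file type. The script below is an added example, not code from the thread or from Fedora's policy: it wraps the two commands from the reply in a function, then verifies the resulting file context and queries the loaded policy for the transition rule. The standard policycoreutils and setools commands (semanage, restorecon, ls -Z, sesearch, ps -Z) are assumed to be installed; the ipset path, the source domain name shorewall_t and the sample context strings are assumptions for illustration.

```bash
#!/bin/sh
# Added example (not from the original mailing-list thread).
# Relabel ipset as iptables_exec_t, then check (a) the label actually
# applied and (b) the policy has a type_transition from the calling
# domain into iptables_t, before concluding that the approach failed.

# Assumed locations / names; adjust for the real system.
IPSET_BIN="${IPSET_BIN:-/usr/sbin/ipset}"
CALLER_DOMAIN="${CALLER_DOMAIN:-shorewall_t}"

# Extract the SELinux type from a context string such as
# "system_u:object_r:iptables_exec_t:s0". Pure string handling, so it
# can be exercised without an SELinux-enabled host.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Return 0 when the context string carries the expected type.
has_type() {
    [ "$(context_type "$1")" = "$2" ]
}

# Extract the domain (type field) of a running process from a
# "ps -eZ" line, e.g. "system_u:system_r:shorewall_t:s0  1234 ? 00:00:00 ipset".
process_domain() {
    context_type "$(printf '%s\n' "$1" | awk '{print $1}')"
}

# Apply the labelling from the thread and verify it took effect.
relabel_and_check() {
    bin="$1"
    semanage fcontext -a -t iptables_exec_t "$bin" || return 1
    restorecon -v "$bin" || return 1
    # Modern coreutils prints the context as the first field of "ls -Z file".
    ctx=$(ls -Z "$bin" | awk '{print $1}')
    has_type "$ctx" iptables_exec_t
}

# Does the loaded policy transition CALLER_DOMAIN -> iptables_t when it
# execs an iptables_exec_t file? If this prints nothing, the exec stays
# in the caller's domain and the raw-socket AVC denials will persist.
check_transition() {
    sesearch -T -s "$1" -t iptables_exec_t -c process 2>/dev/null \
        | grep -q 'iptables_t'
}

# Only run the privileged steps when explicitly asked, so the file can
# also be sourced for the helper functions alone.
if [ "${1:-}" = "run" ]; then
    relabel_and_check "$IPSET_BIN" \
        && echo "label ok: $(ls -Z "$IPSET_BIN")" \
        || echo "label NOT applied to $IPSET_BIN"
    check_transition "$CALLER_DOMAIN" \
        && echo "policy transitions $CALLER_DOMAIN -> iptables_t" \
        || echo "no type_transition from $CALLER_DOMAIN via iptables_exec_t"
    # While shorewall is starting, confirm the domain ipset actually runs in:
    ps -eZ | grep '[i]pset' | while read -r line; do
        echo "ipset running as: $(process_domain "$line")"
    done
fi
```

Run it as root with `sh check_ipset_label.sh run` on the shorewall host. If the label check passes but the transition query prints nothing, the relabelling alone cannot work, whatever domain the init script runs in; if both pass and the AVC denials continue, compare the domain reported by `ps -eZ` against the one you queried, since the init script may be started from a different domain than expected.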