> -----Original Message-----
> From: grift [mailto:dominick.grift@xxxxxxxxx]
> Sent: 18 December 2012 17:01
>
> On Tue, 2012-12-18 at 17:49 +0100, grift wrote:
> > On Tue, 2012-12-18 at 16:37 +0000, Moray Henderson wrote:
> > > Hi SELinux
> > >
> > mkdir myapcupsd; cd myapcupsd; echo "policy_module(myapcupsd, 1.0.0)
> > gen_require(\` type apcupsd_t; ')
> > corenet_udp_bind_generic_node(apcupsd_t)
> > corenet_udp_bind_snmp_port(apcupsd_t)
> > allow apcupsd_t self:capability net_bind_service;" > myapcupsd.te
> >
> > make -f /usr/share/selinux/devel/Makefile myapcupsd.pp
> > sudo semodule -i myapcupsd.pp;
> >
> > consider filing a bugzilla please
>
> I am adding this upstream (should eventually trickle down):
>
> > From 87e5d6d571cb82c3a96159041962c2a9378bc023 Tue, 18 Dec 2012 > > 17:59:34 +0100 > > From: Dominick Grift <dominick.grift@xxxxxxxxx> > > Date: Tue, 18 Dec 2012 17:59:18 +0100 > > Subject: [PATCH] Changes to the apcupsd policy module > > > > > > Support apcupsd configured for snmp > > > > Signed-off-by: Dominick Grift <dominick.grift@xxxxxxxxx> diff --git > > a/apcupsd.te b/apcupsd.te index ceb368d..9cd93c5 100644 > > --- a/apcupsd.te > > +++ b/apcupsd.te > > @@ -1,4 +1,4 @@ > > -policy_module(apcupsd, 1.8.3) > > +policy_module(apcupsd, 1.8.4) > > > > ######################################## > > #
> > @@ -29,7 +29,7 @@ > > # Local policy > > # > > > > -allow apcupsd_t self:capability { dac_override setgid sys_tty_config > > }; > > +allow apcupsd_t self:capability { dac_override setgid sys_tty_config > > +net_bind_service }; > > allow apcupsd_t self:process signal; > > allow apcupsd_t self:fifo_file rw_file_perms; allow apcupsd_t > > self:unix_stream_socket create_stream_socket_perms; @@ -58,13 +58,20 > > @@ > > corenet_all_recvfrom_netlabel(apcupsd_t) > > corenet_tcp_sendrecv_generic_if(apcupsd_t) > > corenet_tcp_sendrecv_generic_node(apcupsd_t) > > -corenet_tcp_sendrecv_all_ports(apcupsd_t) > > corenet_tcp_bind_generic_node(apcupsd_t) > > +corenet_udp_sendrecv_generic_if(apcupsd_t) > > +corenet_udp_sendrecv_generic_node(apcupsd_t) > > +corenet_udp_bind_generic_node(apcupsd_t) > > > > corenet_tcp_bind_apcupsd_port(apcupsd_t) > > corenet_sendrecv_apcupsd_server_packets(apcupsd_t) > > +corenet_tcp_sendrecv_apcupsd_port(apcupsd_t) > > corenet_tcp_connect_apcupsd_port(apcupsd_t) > > > > +corenet_udp_bind_snmp_port(apcupsd_t) > > +corenet_sendrecv_snmp_server_packets(apcupsd_t) > > +corenet_udp_sendrecv_snmp_port(apcupsd_t) > > + > > dev_rw_generic_usb_dev(apcupsd_t) > > > > files_read_etc_files(apcupsd_t)

Excellent - thanks. It looks as if corenet_udp_bind_snmp_port already allows the capability net_bind_service. Do you still want an RHEL 6 bug logged?

Moray.
“To err is human; to purr, feline.”
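
Review bot: The net_bind_service added to the "allow apcupsd_t self:capability { ... }" rule in the "Local policy" hunk (@@ -29,7 +29,7 @@) looks redundant with the corenet_udp_bind_snmp_port(apcupsd_t) call added in the network hunk, which, as the reply in this thread observes, already appears to allow that capability. Either drop it from the capability set or add a comment in the policy saying why it is stated explicitly, so the self:capability list shows only what the interfaces do not already cover.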
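
Review bot: The commit message does not account for the removal of corenet_tcp_sendrecv_all_ports(apcupsd_t) in the network hunk (@@ -58,13 +58,20 @@); "Support apcupsd configured for snmp" describes only the UDP and SNMP additions. Swapping it for corenet_tcp_sendrecv_apcupsd_port(apcupsd_t) narrows TCP send/receive from all ports to the apcupsd port, which is a least-privilege tightening but can surface new AVC denials on existing setups that relied on the broader rule. Mention the narrowing in the commit message, or split it into its own commit so a regression can be traced to it.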