On Wednesday 07 November 2007 09:29, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
> Russell Coker wrote:
> > http://etbe.coker.com.au/2007/11/06/squid-and-se-linux/
> >
> > As described in the above URL I believe that port 11371 (for GPG key
> > transfer) needs to be labelled as http_port_t to permit GPG to use Squid.
>
> Why not just create a new type for this port
>
> network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
>
> Then give connect access to apache and squid.

A quick probe of some servers revealed that three of them didn't completely implement the HTTP protocol (IE they weren't proper web servers) and a fourth was running pks_www (which apparently is a stand-alone daemon not typically run from a web server).

So it seems that it's not web servers used for this and therefore a new port type is justified.

Policy for a key server daemon would be good too, I'll write it if I get some spare time.

--
russell@xxxxxxxxxxxx
http://etbe.coker.com.au/ My Blog
http://www.coker.com.au/sponsorship.html Sponsoring Free Software development