You are not an idiot at all. I would like to see the policy posted here
and others can work to refine it. You might get a more relaxed policy using
audit2allow than you would like, but it's certainly a good start. I would
suggest using SLIDE from Tresys and developing a policy from scratch to
better learn policy development.

...just my 2 cents

Mark

On Mon, May 25, 2009 at 9:01 AM, Nigel Rumens <wooky@xxxxxxxxxxxxx> wrote:
> Thanks. I will do just that.
>
> In the meantime though would it be possible to create a local policy module
> to allow this access? (with audit2allow?) Maybe even limiting it to just a
> particular set of processes by creating a new label and labeling the
> relevant executables?
>
> Feel free to call me an idiot if you think I am being one. I am pretty new
> to selinux.
>
> On 05/25/2009 12:16 PM, Daniel J Walsh wrote:
>>
>> On 05/24/2009 06:00 AM, Nigel Rumens wrote:
>>>
>>> Hi,
>>>
>>> Does selinux understand sctp?
>>>
>>> When I run (for example)
>>>
>>> sctp_darn -H 0 -P 9876 -l
>>>
>>> It results in an avc denial message which tells me the target object is
>>> of type None[rawip_socket]
>>>
>>> Also semanage port -l shows only udp and tcp
>>>
>>> Machine tested on was F11 (fully updated) - I also tried it on F10 with
>>> the same results
>>>
>>> Thanks
>>> wooky
>>>
>>> --
>>> fedora-selinux-list mailing list
>>> fedora-selinux-list@xxxxxxxxxx
>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>
>> Well it treats it as a rawip, I am not that familiar with the sctp
>> protocol, if you believe we should do more to handle it you probably need to
>> discuss with the SELinux developers on the SELinux developers mail list
>>
>> selinux@xxxxxxxxxxxxx
>>
>> http://www.nsa.gov/research/selinux/subscribe.shtml
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx
> with the words "unsubscribe selinux" without quotes as the message.