On 05/25/2009 09:01 AM, Nigel Rumens wrote:
Thanks. I will do just that.
In the meantime though would it be possible to create a local policy
module to allow this access? (with audit2allow?) Maybe even limiting it
to just a particular set of processes by creating a new label and
labeling the relevant executables?
Feel free to call me an idiot if you think I am being one. I am pretty
new to selinux.
On 05/25/2009 12:16 PM, Daniel J Walsh wrote:
On 05/24/2009 06:00 AM, Nigel Rumens wrote:
Hi,
Does selinux understand sctp?
When I run (for example)
sctp_darn -H 0 -P 9876 -l
It results in an avc denial message which tells me the target object is
of type None[rawip_socket]
Also semanage port -l shows only udp and tcp
Machine tested on was F11 (fully updated) - I also tried it F10 with the
same results
Thanks
wooky
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Well it treats it as a rawip, I am not that familiar with the sctp
protocol, if you believe we should do more to handle it you probably
need to discuss with the SELinux developers on the SELinux developers
mail list
selinux@xxxxxxxxxxxxx
http://www.nsa.gov/research/selinux/subscribe.shtml
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx
with
the words "unsubscribe selinux" without quotes as the message.
Yes you can develop a policy for this tool using rawip sockets. You use
either slide or system-config-selinux/polgengui to build a policy for
it. With SELinux you can write policy for just about any process on the
system. The real problem is whether or not you can define your security
goals, and whether or not the security goals make your system more
secure. Writing policy for emacs and saying it has to be able to
read/write every file on the system, does not make sense to me. Since
the security goal is too broad.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
