On 8/25/2014 10:57 AM, Stepan G. Fedorov wrote:
>
>> ...but the new network permission checks will not be applied
>> until/unless you configure secmark or labeled networking. Or set the
>> always_check_network policy capability to 1 for secmark, if your kernel
>> supports that.
>
> Seems I have no such capability. My /sys/fs/selinux/policy_capabilities/
> contains only two files:
> network_peer_controls
> open_perms

That directory only lists the capabilities that are enabled in the loaded policy. You need at least a 3.13 kernel and the capability declared in the policy (in the base module, base.pp). Distributions will likely never ship with that capability enabled, as it requires packet (SECMARK) and peer rules throughout the policy.

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

_______________________________________________
Selinux mailing list
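The two conditions Chris lists (a new enough kernel, and the capability actually present in the loaded policy) can be checked from a shell. The script below is an added example for this thread, not code from the list or from any SELinux project: the function names `selinux_policycap_enabled`, `kernel_at_least` and `make_sample_capdir` are my own, and the sample directory it builds (containing only `network_peer_controls` and `open_perms`, mirroring what Stepan reported) is constructed so the script runs without a real SELinux filesystem. On a live system it reads `/sys/fs/selinux/policy_capabilities` and `uname -r` when invoked with `--check`.

```shell
#!/bin/sh
# Added example: verify whether a SELinux policy capability is enabled in the
# loaded policy, and whether the running kernel is new enough to support it.

# selinux_policycap_enabled CAP [DIR]
# Returns 0 when DIR/CAP exists and reads "1", 1 otherwise.
# The kernel only creates a file for capabilities the loaded policy declares,
# so a missing file means "not declared in policy", not "unsupported".
selinux_policycap_enabled() {
    cap=$1
    dir=${2:-/sys/fs/selinux/policy_capabilities}
    [ -r "$dir/$cap" ] || return 1
    [ "$(cat "$dir/$cap")" = "1" ]
}

# kernel_at_least VERSION MINIMUM
# Compares major.minor only (e.g. "3.13.0-rc1" against "3.13").
kernel_at_least() {
    ver=$1
    min=$2
    vmaj=${ver%%.*}
    mmaj=${min%%.*}
    case $ver in *.*) rest=${ver#*.}; vmin=${rest%%.*} ;; *) vmin=0 ;; esac
    case $min in *.*) rest=${min#*.}; mmin=${rest%%.*} ;; *) mmin=0 ;; esac
    # Strip any non-numeric suffix (e.g. "13-rc1" -> "13").
    vmin=${vmin%%[!0-9]*}
    mmin=${mmin%%[!0-9]*}
    [ "$vmaj" -gt "$mmaj" ] ||
        { [ "$vmaj" -eq "$mmaj" ] && [ "$vmin" -ge "$mmin" ]; }
}

# make_sample_capdir
# Constructed sample: a policy_capabilities directory with only the two
# capabilities from the thread, so the check can be exercised offline.
make_sample_capdir() {
    d=$(mktemp -d)
    echo 1 > "$d/network_peer_controls"
    echo 1 > "$d/open_perms"
    printf '%s\n' "$d"
}

# report [DIR] [KERNEL_VERSION]
# Human-readable summary for always_check_network; defaults to the live system.
report() {
    dir=${1:-/sys/fs/selinux/policy_capabilities}
    kver=${2:-$(uname -r)}
    if kernel_at_least "$kver" 3.13; then
        echo "kernel $kver: new enough for always_check_network (>= 3.13)"
    else
        echo "kernel $kver: too old for always_check_network (need >= 3.13)"
    fi
    if selinux_policycap_enabled always_check_network "$dir"; then
        echo "always_check_network: enabled in loaded policy"
    elif [ -r "$dir/always_check_network" ]; then
        echo "always_check_network: declared but set to 0"
    else
        echo "always_check_network: not declared in loaded policy (no file in $dir)"
        echo "capabilities present: $(ls "$dir" 2>/dev/null | tr '\n' ' ')"
    fi
}

# Only touch the live system when explicitly asked.
case "${1:-}" in
    --check) report ;;
esac
```

Run it as `sh check-policycap.sh --check` on the host in question; an empty "capabilities present" list usually means SELinux is not mounted rather than a policy without capabilities.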