Christopher J. PeBenito wrote:
> On Thu, 2007-03-08 at 09:28 -0500, Daniel J Walsh wrote:
>
> This seems to have rules similar to iptables:
>
>> +allow fail2ban_t self : capability { net_admin net_raw };
>> +allow fail2ban_t self : rawip_socket { getopt create setopt };
>>
>
> But also transitions to iptables?
>
Yes, remove these.
>> +optional_policy(`
>> +	iptables_domtrans(fail2ban_t)
>> +')
>>
>
> This also seems out of place:
>
>> +selinux_get_fs_mount(fail2ban_t)
>>
>
Not sure, but retesting now it did not complain, so remove.

Also seems to need kernel_read_system_state(fail2ban_t).
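Review bot: in the `+allow fail2ban_t self : capability { net_admin net_raw };` / `+allow fail2ban_t self : rawip_socket { getopt create setopt };` hunk, net_admin together with a raw IP socket that may setopt lets fail2ban_t manipulate the firewall from its own domain, which duplicates the iptables_domtrans() further down in the same patch and is the broader of the two paths. Keep whichever path fail2ban actually exercises under testing and drop the other; if the in-domain rules stay, confirm that getopt and setopt are really denied without them rather than only create.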
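Review bot: the `+optional_policy(` / `+	iptables_domtrans(fail2ban_t)` / `+')` block is correctly wrapped for a cross-module interface, but that wrapper also means the transition silently vanishes when the iptables module is not loaded, leaving only the net_admin/rawip_socket rules above to do the work. Since those rules are kept, removing this block as agreed leaves a single firewall path instead of two that must both be tested.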
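Review bot: nothing else in the posted rules shows fail2ban_t reading SELinux state, so dropping `+selinux_get_fs_mount(fail2ban_t)` is consistent with the rest of the module. Because "it did not complain" is the only evidence offered, the retest should cover a full start, ban and unban cycle with dontaudit rules disabled (semodule -DB) so a denial that is normally silenced is not mistaken for an unneeded rule.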
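The thread settles each rule by retesting and watching for AVC denials, which is what audit2allow automates. As an added example (not code from the thread or from refpolicy), the script below does the same comparison in miniature: it parses a constructed audit.log excerpt (the sample lines, PIDs and inode numbers are made up), parses the two allow rules quoted from the patch, and reports which granted permissions no denial ever asked for and which denials the posted rules do not cover. The proc_t file denial it surfaces is the kind of access the reply attributes to kernel_read_system_state().

```python
import re
from collections import defaultdict

# Constructed sample audit.log excerpt (not from the thread), shaped like real
# AVC denials: one each for a capability, a raw IP socket and a /proc file.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1173360000.123:45): avc:  denied  { net_admin } for  pid=1234 comm="fail2ban-server" capability=12  scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=capability
type=AVC msg=audit(1173360000.456:46): avc:  denied  { create } for  pid=1234 comm="fail2ban-server" scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=rawip_socket
type=AVC msg=audit(1173360000.789:47): avc:  denied  { read } for  pid=1234 comm="fail2ban-server" name="meminfo" dev=proc ino=4026531839 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=SYSCALL msg=audit(1173360000.789:47): arch=c000003e syscall=2 success=no exit=-13 comm="fail2ban-server"
"""

# The two allow rules quoted from the patch under review.
POSTED_RULES = """\
allow fail2ban_t self : capability { net_admin net_raw };
allow fail2ban_t self : rawip_socket { getopt create setopt };
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)"
)
ALLOW_RE = re.compile(r"allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+\{\s*([^}]*?)\s*\}\s*;")


def _type_of(context):
    """user:role:type:level -> type"""
    return context.split(":")[2]


def parse_avc(text):
    """Collapse AVC denials into {(source, target, class): {perms}}.

    A denial whose target type equals the source type is keyed as 'self',
    matching how the policy rules are written.
    """
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other records carry no permission
        sdom, ttype = _type_of(m.group("s")), _type_of(m.group("t"))
        key = (sdom, "self" if ttype == sdom else ttype, m.group("cls"))
        rules[key].update(m.group("perms").split())
    return rules


def parse_allow(text):
    """Parse 'allow src tgt:class { perms };' lines into the same shape."""
    rules = defaultdict(set)
    for m in ALLOW_RE.finditer(text):
        rules[(m.group(1), m.group(2), m.group(3))].update(m.group(4).split())
    return rules


def to_allow_rules(rules):
    """Render denials as allow rules, as audit2allow would."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(rules.items())
    ]


def unexercised(posted, observed):
    """Permissions the posted policy grants that no denial asked for."""
    out = {}
    for key, perms in posted.items():
        extra = perms - observed.get(key, set())
        if extra:
            out[key] = extra
    return out


def missing(posted, observed):
    """Permissions the denials asked for that the posted policy lacks."""
    out = {}
    for key, perms in observed.items():
        gap = perms - posted.get(key, set())
        if gap:
            out[key] = gap
    return out


if __name__ == "__main__":
    observed = parse_avc(SAMPLE_AUDIT)
    posted = parse_allow(POSTED_RULES)
    print("denials as allow rules:")
    for r in to_allow_rules(observed):
        print("  " + r)
    print("granted but never denied (candidates to drop):", unexercised(posted, observed))
    print("denied but not granted (candidates to add):", missing(posted, observed))
```

Run it against a real /var/log/audit/audit.log only after `semodule -DB`, otherwise dontaudit rules hide exactly the denials this comparison is meant to reveal; the "candidates to drop" list is a hint to re-test without the rule, not proof the permission is unused.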