From: Daniel J Walsh <dwalsh@redhat.com>
To: Nigel Rumens <wooky@btconnect.com>
Cc: SE Linux <selinux@tycho.nsa.gov>
Subject: Re: selinux and sctp
Date: Tue, 26 May 2009 07:38:17 -0400 [thread overview]
Message-ID: <4A1BD4A9.9010608@redhat.com> (raw)
In-Reply-To: <4A1A96BD.5050500@btconnect.com>
On 05/25/2009 09:01 AM, Nigel Rumens wrote:
> Thanks. I will do just that.
>
> In the meantime though would it be possible to create a local policy
> module to allow this access? (with audit2allow?) Maybe even limiting it
> to just a particular set of processes by creating a new label and
> labeling the relevant executables?
>
> Feel free to call me an idiot if you think I am being one. I am pretty
> new to selinux.
>
> On 05/25/2009 12:16 PM, Daniel J Walsh wrote:
>> On 05/24/2009 06:00 AM, Nigel Rumens wrote:
>>> Hi,
>>>
>>> Does selinux understand sctp?
>>>
>>> When I run (for example)
>>>
>>> sctp_darn -H 0 -P 9876 -l
>>>
>>> It results in an avc denial message which tells me the target object is
>>> of type None[rawip_socket]
>>>
>>> Also semanage port -l shows only udp and tcp
>>>
>>> Machine tested on was F11 (fully updated) - I also tried it F10 with the
>>> same results
>>>
>>> Thanks
>>> wooky
>>>
>>> --
>>> fedora-selinux-list mailing list
>>> fedora-selinux-list@redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>> Well it treats it as a rawip, I am not that familiar with the sctp
>> protocol, if you believe we should do more to handle it you probably
>> need to discuss with the SELinux developers on the SELinux developers
>> mail list
>>
>> selinux@tycho.nsa.gov
>>
>> http://www.nsa.gov/research/selinux/subscribe.shtml
>
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
> with
> the words "unsubscribe selinux" without quotes as the message.
Yes you can develop a policy for this tool using rawip sockets. You use
either slide or system-config-selinux/polgengui to build a policy for
it. With SELinux you can write policy for just about any process on the
system. The real problem is whether or not you can define your security
goals, and whether or not the security goals make your system more
secure. Writing policy for emacs and saying it has to be able to
read/write every file on the system, does not make sense to me. Since
the security goal is too broad.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2009-05-26 11:39 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <4A191AAC.4000500@btconnect.com>
2009-05-25 11:16 ` selinux and sctp Daniel J Walsh
2009-05-25 13:01 ` Nigel Rumens
2009-05-26 0:18 ` Mark Webb
2009-05-27 16:25 ` Nigel Rumens
2009-05-26 11:38 ` Daniel J Walsh [this message]
2009-05-26 14:40 ` Stephen Smalley
2009-05-26 22:32 ` Paul Moore
2009-05-27 12:12 ` Stephen Smalley
2009-05-27 13:36 ` James Morris
2009-05-27 16:39 ` Nigel Rumens
2009-05-27 19:36 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4A1BD4A9.9010608@redhat.com \
--to=dwalsh@redhat.com \
--cc=selinux@tycho.nsa.gov \
--cc=wooky@btconnect.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.