Selinux in FC4 is blocking SCTP

James Morris jmorris at
Fri Sep 30 06:51:31 UTC 2005

On Fri, 30 Sep 2005, Gregory Maxwell wrote:

> > We proably need to rethink the way IP sockets default to 'raw', as new IP
> > protocols are sometimes developed (DCCP has just been implemented) and we
> > don't know that the 'raw' IP controls always appropriate.
> In many cases the use of new protocols is so special use that it
> wouldn't hurt to give apps raw until better support is added. For
> example, a routing daemon speaking OSPF.

Agreed.  All of the checks for 'raw' sockets are at the IP level, so 
hopefully nothing will break.

> SCTP obviously will need full support, since it will eventually be
> used as a general purpose transport in many applications and may
> eventually supplant TCP and UDP in some places.  It would be nice if
> SElinux could step up to controlling the ability to control all
> address bindings (i.e. application X can only form connections on the
> secure network), but since they can be added and removed on an active
> connection that might be interesting.
> Is there currently the ability to control IPSec behavior from SElinux
> (i.e. application X can only use TCP across an encrypted link), if so
> that might provide some guidance in how to make some of the extra sctp
> knobs look..

There's some work heading upstream integrating SELinux and IPSec, check 
the recent netdev archives.

- James
James Morris
<jmorris at>

More information about the fedora-selinux-list mailing list