Selinux in FC4 is blocking SCTP
jmorris at namei.org
Fri Sep 30 06:51:31 UTC 2005
On Fri, 30 Sep 2005, Gregory Maxwell wrote:
> > We proably need to rethink the way IP sockets default to 'raw', as new IP
> > protocols are sometimes developed (DCCP has just been implemented) and we
> > don't know that the 'raw' IP controls always appropriate.
> In many cases the use of new protocols is so special use that it
> wouldn't hurt to give apps raw until better support is added. For
> example, a routing daemon speaking OSPF.
Agreed. All of the checks for 'raw' sockets are at the IP level, so
hopefully nothing will break.
> SCTP obviously will need full support, since it will eventually be
> used as a general purpose transport in many applications and may
> eventually supplant TCP and UDP in some places. It would be nice if
> SElinux could step up to controlling the ability to control all
> address bindings (i.e. application X can only form connections on the
> secure network), but since they can be added and removed on an active
> connection that might be interesting.
> Is there currently the ability to control IPSec behavior from SElinux
> (i.e. application X can only use TCP across an encrypted link), if so
> that might provide some guidance in how to make some of the extra sctp
> knobs look..
There's some work heading upstream integrating SELinux and IPSec, check
the recent netdev archives.
<jmorris at namei.org>
More information about the fedora-selinux-list