SELinux in FC4 is blocking SCTP [PATCH RFC]

Stephen Smalley sds at
Fri Sep 30 15:13:38 UTC 2005

On Fri, 2005-09-30 at 02:49 -0400, James Morris wrote:
> Please review the following patch.
> It changes the SELinux IP socket classification logic, which is currently 
> broken (well, out of date), so that an IPPROTO_IP protocol value passed to 
> socket(2) classifies the socket as TCP or UDP.  Currently, a SOCK_STREAM 
> with a protocol of IPPROTO_ARBITRARY will default to SECCLASS_TCP_SOCKET.  
> With this patch, it will instead default to SECCLASS_RAWIP_SOCKET, the 
> generic IP socket class.
> The patch also drops the check for SOCK_RAW and converts it into a 
> default, so that socket types like SOCK_DCCP and SOCK_SEQPACKET are 
> classified as SECCLASS_RAWIP_SOCKET (instead of generic sockets).
> This now causes all SCTP sockets to be classified as 
> This patch also unifies the way IP sockets classes are determined in 
> selinux_socket_bind(), so we use the already calculated value instead of 
> trying to recalculate it (which can lead to inconsistencies).
> To get SCTP working now in targeted policy, permissions for the 
> rawip_socket class need to be added to unconfined_domain:
> avc:  denied  { name_bind } for  pid=16484 comm="lt-sctp_test" src=3339 
> scontext=root:system_r:unconfined_t tcontext=system_u:object_r:port_t 
> tclass=rawip_socket
> (that should be it, I think).
> Comments?
> ---
>  security/selinux/hooks.c |   30 ++++++++++++++++++++++++------
>  1 files changed, 24 insertions(+), 6 deletions(-)

Looks good.

Signed-off-by: Stephen Smalley <sds at>

Stephen Smalley
National Security Agency
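The classification change the RFC describes, modelled in userspace as an added example (this is not the kernel's security/selinux/hooks.c, and not code from either poster). It reproduces the pre-patch and post-patch decision logic for AF_INET sockets as the quoted text describes them, so the SCTP case that produced the rawip_socket AVC denial can be seen directly. Treating an explicit IPPROTO_TCP or IPPROTO_UDP the same as IPPROTO_IP for the default class is an assumption of this model; the RFC text only names IPPROTO_IP.

```c
/* Added example: userspace model of SELinux IP socket classification
 * before and after the patch discussed above.  Not the kernel's code. */
#include <stdio.h>
#include <netinet/in.h>   /* IPPROTO_IP, IPPROTO_TCP, IPPROTO_UDP, IPPROTO_SCTP, IPPROTO_ICMP */
#include <sys/socket.h>   /* SOCK_STREAM, SOCK_DGRAM, SOCK_RAW, SOCK_SEQPACKET */

/* Security classes an AF_INET socket can receive; the names match the
 * tclass= field that shows up in AVC messages. */
enum sec_class { SC_SOCKET, SC_TCP_SOCKET, SC_UDP_SOCKET, SC_RAWIP_SOCKET };

static const char *sec_class_name(enum sec_class c)
{
    switch (c) {
    case SC_TCP_SOCKET:   return "tcp_socket";
    case SC_UDP_SOCKET:   return "udp_socket";
    case SC_RAWIP_SOCKET: return "rawip_socket";
    default:              return "socket";
    }
}

/* Pre-patch behaviour as the RFC describes it: the protocol argument is
 * ignored, so a SOCK_STREAM with any protocol (SCTP included) is treated
 * as TCP, and types other than STREAM/DGRAM/RAW fall to the generic class. */
enum sec_class classify_old(int type, int protocol)
{
    (void)protocol;
    switch (type) {
    case SOCK_STREAM: return SC_TCP_SOCKET;
    case SOCK_DGRAM:  return SC_UDP_SOCKET;
    case SOCK_RAW:    return SC_RAWIP_SOCKET;
    default:          return SC_SOCKET;
    }
}

/* Post-patch behaviour: only the default protocol for the type keeps the
 * TCP/UDP class; any other protocol, and any other socket type (SOCK_RAW,
 * SOCK_SEQPACKET, SOCK_DCCP, ...), becomes the generic IP class
 * rawip_socket.  Accepting the explicit IPPROTO_TCP/IPPROTO_UDP alongside
 * IPPROTO_IP is an assumption of this model. */
enum sec_class classify_new(int type, int protocol)
{
    switch (type) {
    case SOCK_STREAM:
        return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP)
               ? SC_TCP_SOCKET : SC_RAWIP_SOCKET;
    case SOCK_DGRAM:
        return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP)
               ? SC_UDP_SOCKET : SC_RAWIP_SOCKET;
    default:
        return SC_RAWIP_SOCKET;
    }
}

int main(void)
{
    /* Constructed socket(2) argument sets, including the SCTP calls that
     * the AVC denial in the thread (tclass=rawip_socket) comes from. */
    static const struct { const char *call; int type; int protocol; } cases[] = {
        { "socket(AF_INET, SOCK_STREAM, 0)",               SOCK_STREAM,    IPPROTO_IP   },
        { "socket(AF_INET, SOCK_DGRAM, 0)",                SOCK_DGRAM,     IPPROTO_IP   },
        { "socket(AF_INET, SOCK_STREAM, IPPROTO_SCTP)",    SOCK_STREAM,    IPPROTO_SCTP },
        { "socket(AF_INET, SOCK_SEQPACKET, IPPROTO_SCTP)", SOCK_SEQPACKET, IPPROTO_SCTP },
        { "socket(AF_INET, SOCK_RAW, IPPROTO_ICMP)",       SOCK_RAW,       IPPROTO_ICMP },
    };
    size_t i;

    printf("%-46s %-14s %s\n", "call", "before patch", "after patch");
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-46s %-14s %s\n", cases[i].call,
               sec_class_name(classify_old(cases[i].type, cases[i].protocol)),
               sec_class_name(classify_new(cases[i].type, cases[i].protocol)));
    return 0;
}
```

The table the program prints shows why the denial above names rawip_socket rather than tcp_socket: an SCTP one-to-one socket is SOCK_STREAM, which the old logic silently labelled as TCP, while the new logic puts every non-default protocol into the generic IP class, so policy that only grants tcp_socket and udp_socket permissions starts denying SCTP until rawip_socket is allowed.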

More information about the fedora-selinux-list mailing list