Displaying 5 results from an estimated 5 matches for "net_raw".

2008 Mar 03
1
Unable open raw socket in CentOS 5 - SE Linux and kernel capability interaction?
...############################## # Declarations type rawsox_t; type rawsox_exec_t; domain_type(rawsox_t) domain_entry_file(rawsox_t, rawsox_exec_t) domain_auto_trans(unconfined_t,rawsox_exec_t,rawsox_t) ######################################## # Rawsox local policy # these two didn't help #corenet_raw_sendrecv_all_if( rawsox_t ); #corenet_raw_sendrecv_all_nodes( rawsox_t ); require { type lib_t; type ld_so_t; type ld_so_cache_t; type usr_t; type devpts_t; type rawsox_t; type etc_t; class lnk_file read; class dir search;...
2014 Oct 25
1
Centos 6.5 - Fping - SE Linux - Missing type enforcement (TE) allow rule
...e file, I have a warning saying that the rules already exists! Which does make sense since I had to allow those particular functions for the MySQL connection to function properly. --------------- .te file : "module fping-httpd 1.0; require { type httpd_t; class capability net_raw; class rawip_socket create; } #============= httpd_t ============== #!!!! This avc is allowed in the current policy allow httpd_t self:capability net_raw; allow httpd_t self:rawip_socket create; " --------------- Is the "Missing type enforcement" related to all of this? I...
2008 Mar 07
1
Unable open raw socket in CentOS 5 - SE Linux and kernel capability interaction?
...t; >> domain_type(rawsox_t) >> domain_entry_file(rawsox_t, rawsox_exec_t) >> domain_auto_trans(unconfined_t,rawsox_exec_t,rawsox_t) >> >> ######################################## >> # Rawsox local policy >> >> # these two didn't help >> #corenet_raw_sendrecv_all_if( rawsox_t ); >> #corenet_raw_sendrecv_all_nodes( rawsox_t ); >> >> require { >> type lib_t; >> type ld_so_t; >> type ld_so_cache_t; >> type usr_t; >> type devpts_t; >> type rawsox_t; >>...
2015 Jan 19
2
CentOS-6.6 Fail2Ban and Postfix Selinux AVCs
I am seeing these in the log of one of our off-site NX hosts running CentOS-6.6. type=AVC msg=audit(1421683972.786:4372): avc: denied { create } for pid=22788 comm="iptables" scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=rawip_socket Was caused by: Missing type enforcement (TE) allow rule. You can use
2015 Jan 19
0
CentOS-6.6 Fail2Ban and Postfix Selinux AVCs
...We eventually ended up with a custom policy that looks like this: #============= fail2ban_t ============== allow fail2ban_t ldconfig_exec_t:file { read execute open getattr execute_no_trans }; allow fail2ban_t insmod_exec_t:file { read execute open }; allow fail2ban_t self:capability { net_admin net_raw }; allow fail2ban_t self:rawip_socket { getopt create setopt }; allow fail2ban_t sysctl_kernel_t:dir search; allow fail2ban_t sysctl_modprobe_t:file read; allow system_mail_t inotifyfs_t:dir read; I am not sure whether this issue is the result of something that we have done or left undone. We h...