Starting stunnel from xinetd

Daniel J Walsh dwalsh at redhat.com
Tue Mar 18 14:37:54 UTC 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ian Pilcher wrote:
> Daniel J Walsh wrote:
>> Confined apps writing to /etc is frowned upon. /etc/ should be
>> considered R/O.  If you move this file to /var/run/stunnel and change
>> the config, it should work.
> 
> Nope.
> 
> type=AVC msg=audit(1205188277.824:2538): avc:  denied  { getattr } for
> pid=1696 comm="stunnel" path="/var/run/stunnel/random_seed" dev=md1
> ino=36907 scontext=unconfined_u:system_r:stunnel_t:s0-s0:c0.c1023
> tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
> 
> (And shouldn't it really go under /var/lib/stunnel, since it's
> supposed to survive a reboot?)
> 
>> You have to define ports that stunnel can listen to.
>>
>> semanage port -a -t stunnel_port_t -P tcp 2873
> 
> OK, that got me past the bind denial.  Unfortunately, it looks like
> stunnel isn't allowed to access /usr/bin, so it can't start the rsync
> daemon:
> 
> type=AVC msg=audit(1205188277.890:2539): avc:  denied  { search } for
> pid=1698 comm="stunnel" name="bin" dev=md1 ino=2686986
> scontext=unconfined_u:system_r:stunnel_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:bin_t:s0 tclass=dir
> 
> Thanks!
> 
OK, I have been avoiding this.  I have never used stunnel.  Is it common
for stunnel to start the application that is going to run within the
tunnel?  Or do you just set up the tunnel and the user then runs tools
like rsync or telnet?

So do we need an rsync_domtrans(stunnel_t) to start the rsync server or
does it just need to execute the client?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkff08IACgkQrlYvE4MpobNrjgCguH2v2eUJSLRNXakAF0YDTkcR
JhoAn2frfnkfNq1FMOHvi9fEGmoOGO/p
=1wMU
-----END PGP SIGNATURE-----
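An added example, not code from this thread, from stunnel, or from the Fedora policy: a small Python parser for AVC records in the format quoted above. It extracts the source and target types, emits the allow rule that audit2allow would generate (merging permissions for the same source/target/class the way audit2allow does), and attaches the remedy the thread points at: a relabel when the object carries a generic type such as var_run_t, a domain transition when a confined domain reaches into bin_t to run another program. The first two sample records are the ones quoted in the thread; the third is constructed, and the hint logic is my own heuristic (an assumption), not the behaviour of any SELinux tool.

```python
"""Parse SELinux AVC denial records and emit audit2allow-style allow rules.

Added example for the thread above; not code from stunnel or Fedora.
The hint() heuristic is an assumption of this example, not tool behaviour.
"""
import re
from dataclasses import dataclass

# The first two records are quoted verbatim from the thread above; the third
# is CONSTRUCTED to show how perms on the same (source, target, class) merge.
SAMPLE_AVC = [
    'type=AVC msg=audit(1205188277.824:2538): avc:  denied  { getattr } for '
    'pid=1696 comm="stunnel" path="/var/run/stunnel/random_seed" dev=md1 '
    'ino=36907 scontext=unconfined_u:system_r:stunnel_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file',
    'type=AVC msg=audit(1205188277.890:2539): avc:  denied  { search } for '
    'pid=1698 comm="stunnel" name="bin" dev=md1 ino=2686986 '
    'scontext=unconfined_u:system_r:stunnel_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:bin_t:s0 tclass=dir',
]
CONSTRUCTED_AVC = (  # constructed, not from the thread
    'type=AVC msg=audit(1205188277.900:2540): avc:  denied  { read } for '
    'pid=1696 comm="stunnel" path="/var/run/stunnel/random_seed" dev=md1 '
    'ino=36907 scontext=unconfined_u:system_r:stunnel_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file'
)

AVC_RE = re.compile(
    r"msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\).*?"
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Generic object types a confined daemon should not be granted wholesale;
# the right fix is a private type for the object (relabel), not a wider
# allow rule.  This list is an assumption of the example.
GENERIC_OBJECT_TYPES = {"var_run_t", "var_lib_t", "var_t", "tmp_t", "etc_t", "usr_t"}


@dataclass
class AvcDenial:
    perms: list    # permissions inside the { } braces
    fields: dict   # key=value pairs after "for", quotes stripped

    @property
    def source_type(self):
        return self.fields["scontext"].split(":")[2]   # user:role:TYPE:...

    @property
    def target_type(self):
        return self.fields["tcontext"].split(":")[2]

    @property
    def tclass(self):
        return self.fields["tclass"]

    def allow_rule(self):
        return merge_rules([self])[0]

    def hint(self):
        """Heuristic remedy (assumption): relabel, domain transition, or allow."""
        obj = self.fields.get("path") or self.fields.get("name") or "<object>"
        if self.tclass in ("file", "dir", "lnk_file") and self.target_type in GENERIC_OBJECT_TYPES:
            return (f"relabel: {obj} carries the generic type {self.target_type}; give it a "
                    f"{self.source_type}-specific type (semanage fcontext + restorecon) "
                    f"rather than allowing {self.source_type} on every {self.target_type} object")
        if self.tclass == "dir" and self.target_type == "bin_t" and "search" in self.perms:
            return (f"domtrans: {self.source_type} is reaching into a bin_t directory; if it "
                    "executes another service, a domain transition (e.g. rsync_domtrans) "
                    "is usually the right fix, not a bare allow on bin_t")
        return "policy: confirm the access is legitimate, then add the allow rule to a local module"


def parse_avc(line):
    """Return an AvcDenial for an AVC record, or None for any other audit line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    fields["audit_id"] = f'{m.group("ts")}:{m.group("serial")}'
    return AvcDenial(perms=m.group("perms").split(), fields=fields)


def merge_rules(denials):
    """Collapse denials into one allow rule per (source, target, class), as audit2allow does."""
    merged = {}
    for d in denials:
        merged.setdefault((d.source_type, d.target_type, d.tclass), set()).update(d.perms)
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules


if __name__ == "__main__":
    denials = [d for d in map(parse_avc, SAMPLE_AVC + [CONSTRUCTED_AVC]) if d]
    for d in denials:
        print(d.fields["audit_id"], d.allow_rule(), "#", d.hint())
    print("\n".join(merge_rules(denials)))
```

Feeding the two records from the thread through this gives `allow stunnel_t var_run_t:file getattr;` with a relabel hint (the random_seed file in /var/run is still plain var_run_t, which is why moving it out of /etc did not help) and `allow stunnel_t bin_t:dir search;` with a domain-transition hint, which is exactly the question the reply raises.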

More information about the fedora-selinux-list mailing list