Confining stunnel started from init script

Paul Howarth paul at city-fan.org
Fri Jul 3 06:43:06 UTC 2009


On Fri, 03 Jul 2009 01:21:16 -0500
Allen Kistler <an037-ooai8 at yahoo.com> wrote:

> Since F7, I've started stunnel as a daemon from an init script.  In
> F11, I'm confining it using SELinux, instead of just letting it run
> as initrc_t.  However, I've got two questions.
> 
> First:
> I think at some point, it might be worth submitting what I've done as
> an enhancement, minor though it may be, to stunnel.  In my case, I
> use stunnel to establish an SSL tunnel to my ISP's smtps port from
> sendmail. Since I bind stunnel locally to tcp/465, I can't define
> stunnel_port_t (the pre-existing label for whatever port the end user
> chooses to use) as tcp/465 because tcp/465 is already labeled as
> smtp_port_t.  What I've done is:
> 
> bool stunnel_can_sendmail false;
> 
> if (stunnel_can_sendmail) {
>    allow stunnel_t smtp_port_t : tcp_socket name_bind;
> };
> 
> Does this seem the most reasonable way to do things with ports
> already labeled?  For a more general policy, that would mean a
> Boolean for every port label.  Hmm....

This looks like exactly the right thing to me.

> Second:
> What's the syntax in the TE file to get descriptive text attached to
> a Boolean declaration?  Right now I get:
> 
> # semanage boolean -l | grep stunnel_can_sendmail
> stunnel_can_sendmail -> on    stunnel_can_sendmail
> 
> But I'd prefer something more informative and cosmetically pleasing
> like:
> 
> # semanage boolean -l | grep xen_use_nfs
> xen_use_nfs          -> off   Allow xen to manage nfs files
> 
> Thanks for any info and assistance.

## <desc>
## <p>
## Allow samba to export NFS volumes.
## </p>
## </desc>
gen_tunable(samba_share_nfs, false)

Paul.
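Putting the two answers together, here is an added example of a complete local policy module in refpolicy style. It is not part of the original thread and is not the stunnel project's or Fedora's own policy: the module name stunnel_local, the description wording and the tunable name are my choices, and it assumes (as the question states) that the stock policy already declares stunnel_t and labels tcp/465 as smtp_port_t.

```selinux
# stunnel_local.te  (added example, not the stock Fedora/refpolicy module)
# Local add-on: let a confined stunnel bind tcp/465, which is already
# labeled smtp_port_t, under the control of a Boolean.
policy_module(stunnel_local, 1.0)

# Assumption: stunnel_t is declared by the base stunnel module, so this
# module only needs to require it rather than declare it.
gen_require(`
	type stunnel_t;
')

# The "## <desc>" block is what the refpolicy build turns into the
# description shown by "semanage boolean -l"; the tunable name and
# default (off) follow on the gen_tunable line.
## <desc>
## <p>
## Allow stunnel to bind to the SMTP port (tcp/465) so that
## sendmail can relay mail through an stunnel SSL tunnel.
## </p>
## </desc>
gen_tunable(stunnel_can_sendmail, false)

# tunable_policy wraps the rule in "if (stunnel_can_sendmail) { ... }".
# corenet_tcp_bind_smtp_port() is the refpolicy interface that grants
# name_bind on smtp_port_t, the same effect as the raw allow rule in the
# question, without requiring the port type directly.
tunable_policy(`stunnel_can_sendmail',`
	corenet_tcp_bind_smtp_port(stunnel_t)
')
```

Build and load it with the policy development Makefile (make -f /usr/share/selinux/devel/Makefile stunnel_local.pp; semodule -i stunnel_local.pp), then "semanage boolean -l | grep stunnel_can_sendmail" should show the description text, and "setsebool -P stunnel_can_sendmail on" enables the bind. Two caveats: the tunable defaults to off, so loading the module changes nothing until it is switched on; and because the rule is granted on the existing smtp_port_t label rather than on tcp/465 alone, turning it on lets stunnel bind every port carrying that label (tcp/25 and tcp/587 as well as tcp/465). That broader grant is the trade-off of reusing an already-labeled port instead of a dedicated port type, which is the "Boolean for every port label" concern raised in the question.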
