Confining stunnel started from init script
Paul Howarth
paul at city-fan.org
Fri Jul 3 06:43:06 UTC 2009
On Fri, 03 Jul 2009 01:21:16 -0500
Allen Kistler <an037-ooai8 at yahoo.com> wrote:
> Since F7, I've started stunnel as a daemon from an init script. In
> F11, I'm confining it using SELinux, instead of just letting it run
> as initrc_t. However, I've got two questions.
>
> First:
> I think at some point, it might be worth submitting what I've done as
> an enhancement, minor though it may be, to stunnel. In my case, I
> use stunnel to establish an SSL tunnel to my ISP's smtps port from
> sendmail. Since I bind stunnel locally to tcp/465, I can't define
> stunnel_port_t (the pre-existing label for whatever port the end user
> chooses to use) as tcp/465 because tcp/465 is already labeled as
> smtp_port_t. What I've done is:
>
> bool stunnel_can_sendmail false;
>
> if (stunnel_can_sendmail) {
> allow stunnel_t smtp_port_t : tcp_socket name_bind;
> };
>
> Does this seem the most reasonable way to do things with ports
> already labeled? For a more general policy, that would mean a
> Boolean for every port label. Hmm....
This looks like exactly the right thing to me.
> Second:
> What's the syntax in the TE file to get descriptive text attached to
> a Boolean declaration? Right now I get:
>
> # semanage boolean -l | grep stunnel_can_sendmail
> stunnel_can_sendmail -> on stunnel_can_sendmail
>
> But I'd prefer something more informative and cosmetically pleasing
> like:
>
> # semanage boolean -l | grep xen_use_nfs
> xen_use_nfs -> off Allow xen to manage nfs files
>
> Thanks for any info and assistance.
## <desc>
## <p>
## Allow samba to export NFS volumes.
## </p>
## </desc>
gen_tunable(samba_share_nfs, false)
Paul.
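Putting the two halves of the thread together (the Boolean guarding the bind to the already-labelled port, and the `<desc>` block that gives it a description), here is a complete local policy module in reference-policy style. This is an added example, not code from either poster: the module name stunnel_local, the version number and the use of the refpolicy interface corenet_tcp_bind_smtp_port (which wraps the `name_bind` on `smtp_port_t`, the type that covers tcp/465) are my choices; the Boolean name stunnel_can_sendmail and the domain stunnel_t come from the thread.

```m4
## <summary>Local additions to the stunnel policy (example module).</summary>
policy_module(stunnel_local, 1.0)

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow stunnel to bind to the SMTPS port (tcp/465). That port is
## already labelled smtp_port_t, so it cannot be added to
## stunnel_port_t; this Boolean grants the bind instead.
## </p>
## </desc>
gen_tunable(stunnel_can_sendmail, false)

# The stunnel domain is defined by the base stunnel module.
gen_require(`
	type stunnel_t;
')

########################################
#
# Local policy
#

# Only when the Boolean is on: tcp_socket name_bind on smtp_port_t.
# The interface carries its own require for smtp_port_t, so nothing
# else needs to be declared here. Binding to a node address is assumed
# to be granted by the base stunnel policy already (it binds to
# stunnel_port_t), so it is not repeated.
tunable_policy(`stunnel_can_sendmail',`
	corenet_tcp_bind_smtp_port(stunnel_t)
')
```

With the selinux-policy-devel package installed, the module builds and loads with `make -f /usr/share/selinux/devel/Makefile stunnel_local.pp` followed by `semodule -i stunnel_local.pp`; after that `semanage boolean -l | grep stunnel_can_sendmail` shows the text from the `<desc>` block, and `setsebool -P stunnel_can_sendmail on` turns the bind on persistently. Keeping the grant behind a Boolean that defaults to off means a stunnel instance that is not fronting sendmail still gets an AVC denial, rather than a silent success, if it is ever misconfigured to listen on tcp/465.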