Confining stunnel started from init script

Paul Howarth paul at city-fan.org
Mon Jul 6 13:04:29 UTC 2009


On 06/07/09 13:58, Daniel J Walsh wrote:
> On 07/03/2009 02:21 AM, Allen Kistler wrote:
>> Since F7, I've started stunnel as a daemon from an init script. In F11,
>> I'm confining it using SELinux, instead of just letting it run as
>> initrc_t. However, I've got two questions.
>>
>> First:
>> I think at some point, it might be worth submitting what I've done as an
>> enhancement, minor though it may be, to stunnel. In my case, I use
>> stunnel to establish an SSL tunnel to my ISP's smtps port from sendmail.
>> Since I bind stunnel locally to tcp/465, I can't define stunnel_port_t
>> (the pre-existing label for whatever port the end user chooses to use)
>> as tcp/465 because tcp/465 is already labeled as smtp_port_t. What I've
>> done is:
>>
>> bool stunnel_can_sendmail false;
>>
>> if (stunnel_can_sendmail) {
>> allow stunnel_t smtp_port_t : tcp_socket name_bind;
>> };
>>
>> Does this seem the most reasonable way to do things with ports already
>> labeled? For a more general policy, that would mean a Boolean for every
>> port label. Hmm....
>>
>> Second:
>> What's the syntax in the TE file to get descriptive text attached to a
>> Boolean declaration? Right now I get:
>>
>> # semanage boolean -l | grep stunnel_can_sendmail
>> stunnel_can_sendmail -> on stunnel_can_sendmail
>>
>> But I'd prefer something more informative and cosmetically pleasing like:
>>
>> # semanage boolean -l | grep xen_use_nfs
>> xen_use_nfs -> off Allow xen to manage nfs files
>>
>> Thanks for any info and assistance.
>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> If stunnel has to connect to random ports I would prefer you just allow
> it to connect to all ports, So
>
> stunnel_connect_all_ports as a boolean. That way we don't end up adding
> a boolean for every named port that someone could ever allow.
>
> Not as Minimum privs as many would like, but better for the masses.

It doesn't just have to *connect* to random ports, it has to *bind* to 
them. It's a general-purpose wrapper for converting plain text protocols 
to their SSL-protected versions, which are often found on different 
ports. So for instance you might have stunnel listening on port 465 for 
SMTPS and forwarding traffic after decryption to local port 25 (i.e. 
bind on 465, connect to 25).

Paul.
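For reference, here is how the bind/connect allowance Allen describes (listen on 465/tcp, forward to 25/tcp, both labeled smtp_port_t) would be written as a refpolicy-style local module, together with the `## <desc>` doc comment that refpolicy uses to carry a boolean's description. This is an added example, not code from the thread; the module name `mystunnel` and the boolean name `stunnel_use_smtp_ports` are assumptions, and whether a locally built module's description shows up in `semanage boolean -l` depends on the tooling having regenerated its policy XML from that comment.

```m4
policy_module(mystunnel, 1.0.0)

## <desc>
##	<p>
##	Allow stunnel to bind to and connect to ports labeled
##	smtp_port_t (e.g. listen on 465/tcp for SMTPS and
##	forward the decrypted traffic to 25/tcp).
##	</p>
## </desc>
gen_tunable(stunnel_use_smtp_ports, false)

gen_require(`
	type stunnel_t;
')

# Off by default; an administrator enables it per host with
# setsebool -P stunnel_use_smtp_ports on
tunable_policy(`stunnel_use_smtp_ports',`
	corenet_tcp_bind_smtp_port(stunnel_t)
	corenet_tcp_connect_smtp_port(stunnel_t)
')
```

Build it with `make -f /usr/share/selinux/devel/Makefile mystunnel.pp` and load it with `semodule -i mystunnel.pp`; the boolean stays off until explicitly enabled, so the default privilege set is unchanged.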