Confining stunnel started from init script

Allen Kistler an037-ooai8 at yahoo.com
Fri Jul 3 06:21:16 UTC 2009


Since F7, I've started stunnel as a daemon from an init script.  In F11, 
I'm confining it using SELinux, instead of just letting it run as 
initrc_t.  However, I've got two questions.

First:
I think at some point, it might be worth submitting what I've done as an 
enhancement, minor though it may be, to stunnel.  In my case, I use 
stunnel to establish an SSL tunnel to my ISP's smtps port from sendmail.
Since I bind stunnel locally to tcp/465, I can't define stunnel_port_t
(the pre-existing label for whatever port the end user chooses to use) 
as tcp/465 because tcp/465 is already labeled as smtp_port_t.  What I've 
done is:

bool stunnel_can_sendmail false;

if (stunnel_can_sendmail) {
   allow stunnel_t smtp_port_t : tcp_socket name_bind;
};

Does this seem the most reasonable way to do things with ports already 
labeled?  For a more general policy, that would mean a Boolean for every 
port label.  Hmm....

Second:
What's the syntax in the TE file to get descriptive text attached to a 
Boolean declaration?  Right now I get:

# semanage boolean -l | grep stunnel_can_sendmail
stunnel_can_sendmail -> on    stunnel_can_sendmail

But I'd prefer something more informative and cosmetically pleasing like:

# semanage boolean -l | grep xen_use_nfs
xen_use_nfs          -> off   Allow xen to manage nfs files

Thanks for any info and assistance.
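As an added illustration (not part of Allen's post, nor of the stunnel project's own policy): the same Boolean written in reference-policy style, which is the form that carries a description. The `## <desc>` comment block above `gen_tunable` is what the refpolicy build extracts as the Boolean's descriptive text (the "Allow xen to manage nfs files" line beside xen_use_nfs comes from exactly such a block in xen.te); `gen_tunable`, `tunable_policy` and `corenet_tcp_bind_smtp_port` are refpolicy macros and interfaces from the selinux-policy-devel headers, and `stunnel_t` is assumed to be declared earlier in the same .te file.

```selinux
# Fragment of a refpolicy-style stunnel.te; stunnel_t is declared above.
# Built with the selinux-policy-devel headers (make -f /usr/share/selinux/devel/Makefile).

## <desc>
## <p>
## Allow stunnel to bind to the smtp port (tcp/465), which is already
## labeled smtp_port_t, so it can tunnel sendmail's outbound mail.
## </p>
## </desc>
gen_tunable(stunnel_can_sendmail, false)

# tunable_policy() expands to the same conditional block as the hand-written
#   if (stunnel_can_sendmail) { allow stunnel_t smtp_port_t:tcp_socket name_bind; }
# The corenet interface additionally grants the net_bind_service capability
# that binding a port below 1024 triggers, so no separate rule is needed for it.
tunable_policy(`stunnel_can_sendmail',`
	corenet_tcp_bind_smtp_port(stunnel_t)
')
```

Because refpolicy generates a corenet_tcp_bind_<name>_port interface for every labeled port, the "one Boolean per port label" concern reduces to adding a tunable only for the ports the daemon may realistically be configured to use, each with its own description.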
