Confining stunnel started from init script

Daniel J Walsh dwalsh at redhat.com
Mon Jul 6 12:58:59 UTC 2009


On 07/03/2009 02:21 AM, Allen Kistler wrote:
> Since F7, I've started stunnel as a daemon from an init script.  In F11,
> I'm confining it using SELinux, instead of just letting it run as
> initrc_t. However, I've got two questions.
>
> First:
> I think at some point, it might be worth submitting what I've done as an
> enhancement, minor though it may be, to stunnel. In my case, I use
> stunnel to establish an SSL tunnel to my ISP's smtps port from sendmail.
> Since I bind stunnel locally to tcp/465, I can't define stunnel_port_t
> (the pre-existing label for whatever port the end user chooses to use)
> as tcp/465 because tcp/465 is already labeled as smtp_port_t. What I've
> done is:
>
> bool stunnel_can_sendmail false;
>
> if (stunnel_can_sendmail) {
> allow stunnel_t smtp_port_t : tcp_socket name_bind;
> };
>
> Does this seem the most reasonable way to do things with ports already
> labeled? For a more general policy, that would mean a Boolean for every
> port label. Hmm....
>
> Second:
> What's the syntax in the TE file to get descriptive text attached to a
> Boolean declaration? Right now I get:
>
> # semanage boolean -l | grep stunnel_can_sendmail
> stunnel_can_sendmail -> on stunnel_can_sendmail
>
> But I'd prefer something more informative and cosmetically pleasing like:
>
> # semanage boolean -l | grep xen_use_nfs
> xen_use_nfs -> off Allow xen to manage nfs files
>
> Thanks for any info and assistance.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
If stunnel has to connect to random ports, I would prefer you just allow 
it to connect to all ports. So

stunnel_connect_all_ports as a boolean. That way we don't end up 
adding a boolean for every named port that someone could ever allow.

Not as minimum-privilege as many would like, but better for the masses.

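The two shapes of the boolean discussed in this thread, written out as a refpolicy-style local module. This is an added illustration, not the poster's policy or anything shipped in the Fedora stunnel module. It assumes the refpolicy macros gen_tunable and tunable_policy, the generated interfaces corenet_tcp_bind_smtp_port and corenet_tcp_connect_all_ports, and a module name (stunnel_local) chosen here. The ## <desc> comment is the refpolicy convention for attaching the descriptive text that semanage boolean -l prints; whether a locally built module's text appears there depends on the distribution's policy.xml being regenerated to include it, which the thread does not cover.

```selinux
# Hypothetical local module "stunnel_local" (name is an assumption, not
# from the thread). Relies on the refpolicy macros and interfaces named
# in the lead-in; stunnel_t itself comes from the distribution's stunnel module.
policy_module(stunnel_local, 1.0)

require {
	type stunnel_t;
}

## <desc>
## <p>
## Allow stunnel to bind to the smtp port. tcp/465 is already labeled
## smtp_port_t, so stunnel_port_t cannot be assigned to it.
## </p>
## </desc>
gen_tunable(stunnel_can_sendmail, false)

## <desc>
## <p>
## Allow stunnel to connect to any TCP port, whatever its label.
## </p>
## </desc>
gen_tunable(stunnel_connect_all_ports, false)

# Narrow form from the question: one boolean per named port.
# Equivalent to the posted "allow stunnel_t smtp_port_t : tcp_socket name_bind;"
tunable_policy(`stunnel_can_sendmail',`
	corenet_tcp_bind_smtp_port(stunnel_t)
')

# Broad form from the reply: a single boolean covers every named port,
# so no per-port boolean has to be added later. Note it grants connect,
# not bind; binding to a differently labeled port still needs the narrow rule.
tunable_policy(`stunnel_connect_all_ports',`
	corenet_tcp_connect_all_ports(stunnel_t)
')
```

With selinux-policy-devel installed, the module builds with make -f /usr/share/selinux/devel/Makefile stunnel_local.pp, loads with semodule -i stunnel_local.pp, and the booleans are then toggled with setsebool -P. Before choosing the narrow form, semanage port -l shows which type already owns the port in question; if it is not stunnel_port_t, that is the case the boolean is for.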