Daniel J Walsh wrote:
> Confined apps writing to /etc is frowned upon. /etc/ should be
> considered R/O. If you move this file to /var/run/stunnel and change
> the config, it should work.

Nope.

type=AVC msg=audit(1205188277.824:2538): avc: denied { getattr } for pid=1696 comm="stunnel" path="/var/run/stunnel/random_seed" dev=md1 ino=36907 scontext=unconfined_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file

(And shouldn't it really go under /var/lib/stunnel, since it's supposed to survive a reboot?)

> You have to define ports that stunnel can listen to.
>
> semanage port -a -t stunnel_port_t -P tcp 2873

OK, that got me past the bind denial. Unfortunately, it looks like stunnel isn't allowed to access /usr/bin, so it can't start the rsync daemon:

type=AVC msg=audit(1205188277.890:2539): avc: denied { search } for pid=1698 comm="stunnel" name="bin" dev=md1 ino=2686986 scontext=unconfined_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=dir

Thanks!

--
========================================================================
Ian Pilcher                                        arequipeno@xxxxxxxxx
========================================================================

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
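The two AVC records above carry everything needed to see what policy is missing: the source type (stunnel_t), the target type (var_run_t, bin_t), the object class and the denied permission. The following is an added example, not code from the thread or from the stunnel or SELinux projects: a small parser that reads such audit records, merges denials by (source type, target type, class) and emits audit2allow-style allow rules and a type-enforcement module skeleton. The sample log embeds the two denials quoted in the post plus a constructed SYSCALL record and a constructed follow-on "read" denial (neither from the post) to exercise record filtering and permission merging; the module name stunnel_local is an arbitrary choice.

```python
import re
from collections import defaultdict

# Sample audit log: the two denials quoted in the post, plus a constructed
# SYSCALL record and a constructed "read" denial (both NOT from the post) so
# that non-AVC records and repeated (source, target, class) tuples are covered.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1205188277.824:2538): avc: denied { getattr } for pid=1696 comm="stunnel" path="/var/run/stunnel/random_seed" dev=md1 ino=36907 scontext=unconfined_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1205188277.824:2538): arch=40000003 syscall=195 success=no exit=-13 comm="stunnel" exe="/usr/sbin/stunnel" subj=unconfined_u:system_r:stunnel_t:s0-s0:c0.c1023
type=AVC msg=audit(1205188277.890:2539): avc: denied { search } for pid=1698 comm="stunnel" name="bin" dev=md1 ino=2686986 scontext=unconfined_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=dir
type=AVC msg=audit(1205188277.891:2540): avc: denied { read } for pid=1696 comm="stunnel" path="/var/run/stunnel/random_seed" dev=md1 ino=36907 scontext=unconfined_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
"""

# "avc: denied { perm1 perm2 }" -- the permission set of an AVC denial.
_PERMS_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}')
# key=value pairs; values are either double-quoted or bare non-space runs.
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _type_of(context):
    """Return the type field of an SELinux context (user:role:type[:range])."""
    return context.split(':')[2]


def parse_avc(record):
    """Parse one audit record; return a dict for AVC denials, None otherwise."""
    m = _PERMS_RE.search(record)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in _FIELD_RE.findall(record)}
    return {
        'perms': set(m.group(1).split()),
        'comm': fields.get('comm'),
        # File denials carry path=, directory-search denials carry name=.
        'target': fields.get('path') or fields.get('name'),
        'stype': _type_of(fields['scontext']),
        'ttype': _type_of(fields['tcontext']),
        'tclass': fields['tclass'],
    }


def collect_denials(log_text):
    """Merge denied permissions keyed by (source type, target type, class)."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is not None:
            merged[(d['stype'], d['ttype'], d['tclass'])] |= d['perms']
    return dict(merged)


def _perm_set(perms):
    """Render a permission set the way policy sources do: bare if single."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'


def allow_rules(log_text):
    """One 'allow src tgt:class perms;' line per merged denial, sorted."""
    return ['allow %s %s:%s %s;' % (s, t, c, _perm_set(p))
            for (s, t, c), p in sorted(collect_denials(log_text).items())]


def te_module(name, log_text):
    """Type-enforcement (.te) source with a require block covering the rules."""
    denials = collect_denials(log_text)
    types = sorted({s for s, _, _ in denials} | {t for _, t, _ in denials})
    classes = defaultdict(set)
    for (_, _, c), p in denials.items():
        classes[c] |= p
    lines = ['module %s 1.0;' % name, '', 'require {']
    lines += ['\ttype %s;' % t for t in types]
    lines += ['\tclass %s %s;' % (c, _perm_set(classes[c])) for c in sorted(classes)]
    lines += ['}', ''] + allow_rules(log_text)
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    print(te_module('stunnel_local', SAMPLE_AUDIT_LOG))
```

Treat the output as a diagnosis rather than a fix. The rule it derives for the first denial, allow stunnel_t var_run_t:file, would let stunnel_t touch every file labelled var_run_t, which is exactly the kind of over-broad grant that relabelling avoids: giving the seed file (wherever it finally lives) a type the stunnel domain is already allowed to use is the tighter answer. The bin_t:dir search denial, by contrast, is the sort of gap that belongs in the distribution policy.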