Re: Confining stunnel started from init script

On 07/03/2009 02:21 AM, Allen Kistler wrote:
Since F7, I've started stunnel as a daemon from an init script.  In F11,
I'm confining it using SELinux, instead of just letting it run as
initrc_t. However, I've got two questions.

First:
I think at some point, it might be worth submitting what I've done as an
enhancement, minor though it may be, to stunnel. In my case, I use
stunnel to establish an SSL tunnel to my ISP's smtps port from sendmail.
Since I bind stunnel locally to tcp/465, I can't define stunnel_port_t
(the pre-existing label for whatever port the end user chooses to use)
as tcp/465 because tcp/465 is already labeled as smtp_port_t. What I've
done is:

bool stunnel_can_sendmail false;

if (stunnel_can_sendmail) {
allow stunnel_t smtp_port_t : tcp_socket name_bind;
};

Does this seem the most reasonable way to do things with ports already
labeled? For a more general policy, that would mean a Boolean for every
port label. Hmm....

Second:
What's the syntax in the TE file to get descriptive text attached to a
Boolean declaration? Right now I get:

# semanage boolean -l | grep stunnel_can_sendmail
stunnel_can_sendmail -> on stunnel_can_sendmail

But I'd prefer something more informative and cosmetically pleasing like:

# semanage boolean -l | grep xen_use_nfs
xen_use_nfs -> off Allow xen to manage nfs files

Thanks for any info and assistance.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

If stunnel has to connect to random ports, I would prefer you just allow it to connect to all ports, so:

stunnel_connect_all_ports as a boolean. That way we don't end up adding a boolean for every named port that someone could ever allow.

Not as minimum-privilege as many would like, but better for the masses.

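As an added example (not code from this thread, nor from the stunnel or reference-policy projects), here is what a small local policy module for stunnel_t could look like that carries both Booleans: the per-port Boolean from the question (which is about name_bind, since stunnel listens locally on tcp/465) and the connect-to-all-ports Boolean the reply suggests (which is about name_connect, outbound). It assumes the reference-policy development headers shipped in selinux-policy-devel (policy_module, gen_require, gen_tunable, tunable_policy, corenet_tcp_bind_smtp_port, corenet_tcp_connect_all_ports) and that stunnel_t is already declared by the distribution's stunnel module; the module name stunnel_local is made up. The `## <desc>` comment block is the reference-policy convention for documenting a tunable; whether a locally built module's description is picked up by semanage boolean -l is not settled in this thread, so treat that part as an assumption.

```te
policy_module(stunnel_local, 1.0)

########################################
#
# Declarations
#

# stunnel_t comes from the distribution's stunnel module; we only
# reference it here, we do not declare it (assumption: it exists).
gen_require(`
	type stunnel_t;
')

## <desc>
## <p>
## Allow stunnel to bind to the SMTP port (tcp/465, labeled
## smtp_port_t) so that sendmail can relay through it to the
## ISP's smtps port.
## </p>
## </desc>
gen_tunable(stunnel_can_sendmail, false)

## <desc>
## <p>
## Allow stunnel to connect to any TCP port rather than only to
## stunnel_port_t. Coarser than one Boolean per named port, as
## suggested in the reply; an attacker in stunnel_t can then reach
## every local or remote TCP service.
## </p>
## </desc>
gen_tunable(stunnel_connect_all_ports, false)

########################################
#
# Local policy
#

# gen_tunable/tunable_policy are the m4 wrappers around the raw
# "bool ... false;" and "if (...) { ... }" statements used in the
# question; the interface expands to the name_bind rule on
# smtp_port_t. tcp/465 is a privileged port, so if the bind still
# fails after enabling the Boolean, check audit.log for a denied
# net_bind_service capability.
tunable_policy(`stunnel_can_sendmail',`
	corenet_tcp_bind_smtp_port(stunnel_t)
')

# name_connect to every type carrying the port_type attribute:
# one Boolean instead of one per named port.
tunable_policy(`stunnel_connect_all_ports',`
	corenet_tcp_connect_all_ports(stunnel_t)
')
```

Build and load it with the standard devel Makefile (make -f /usr/share/selinux/devel/Makefile stunnel_local.pp, then semodule -i stunnel_local.pp), turn on only what is needed (setsebool -P stunnel_can_sendmail on) and leave stunnel_connect_all_ports off unless stunnel genuinely has to reach arbitrary ports; getsebool -a | grep stunnel shows the resulting state. Keeping the two Booleans separate preserves the choice the reply describes: the narrow bind permission for the sendmail case, and the broad connect permission only for the users who actually need it.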
