On 06/07/09 13:58, Daniel J Walsh wrote:
On 07/03/2009 02:21 AM, Allen Kistler wrote:
Since F7, I've started stunnel as a daemon from an init script. In F11,
I'm confining it using SELinux, instead of just letting it run as
initrc_t. However, I've got two questions.
First:
I think at some point, it might be worth submitting what I've done as an
enhancement, minor though it may be, to stunnel. In my case, I use
stunnel to establish an SSL tunnel to my ISP's smtps port from sendmail.
Since I bind stunnel locally to tcp/465, I can't define stunnel_port_t
(the pre-existing label for whatever port the end user chooses to use)
as tcp/465 because tcp/465 is already labeled as smtp_port_t. What I've
done is:
bool stunnel_can_sendmail false;
if (stunnel_can_sendmail) {
allow stunnel_t smtp_port_t : tcp_socket name_bind;
};
Does this seem the most reasonable way to do things with ports already
labeled? For a more general policy, that would mean a Boolean for every
port label. Hmm....
Second:
What's the syntax in the TE file to get descriptive text attached to a
Boolean declaration? Right now I get:
# semanage boolean -l | grep stunnel_can_sendmail
stunnel_can_sendmail -> on stunnel_can_sendmail
But I'd prefer something more informative and cosmetically pleasing like:
# semanage boolean -l | grep xen_use_nfs
xen_use_nfs -> off Allow xen to manage nfs files
Thanks for any info and assistance.
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
If stunnel has to connect to random ports I would prefer you just allow
it to connect to all ports, So
stunnnel_connect_all_ports as a boolean. That way we don't end up adding
a boolean for every named port that someone could ever allow.
Not as Minimum privs as many would like, but better for the masses.
It doesn't just have to *connect* to random ports, it has to *bind* to
them. It's a general-purpose wrapper for converting plain text protocols
to their SSL-protected versions, which are often found on different
ports. So for instance you might have stunnel listening on port 465 for
SMTPS and forwarding traffic after decryption to local port 25 (i.e.
bind on 465, connect to 25).
Paul.
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list