Re: Confining stunnel started from init script

On 06/07/09 13:58, Daniel J Walsh wrote:
> On 07/03/2009 02:21 AM, Allen Kistler wrote:
> > Since F7, I've started stunnel as a daemon from an init script. In F11,
> > I'm confining it using SELinux, instead of just letting it run as
> > initrc_t. However, I've got two questions.
> >
> > First:
> > I think at some point, it might be worth submitting what I've done as an
> > enhancement, minor though it may be, to stunnel. In my case, I use
> > stunnel to establish an SSL tunnel to my ISP's smtps port from sendmail.
> > Since I bind stunnel locally to tcp/465, I can't define stunnel_port_t
> > (the pre-existing label for whatever port the end user chooses to use)
> > as tcp/465 because tcp/465 is already labeled as smtp_port_t. What I've
> > done is:
> >
> > bool stunnel_can_sendmail false;
> >
> > if (stunnel_can_sendmail) {
> > allow stunnel_t smtp_port_t : tcp_socket name_bind;
> > };
> >
> > Does this seem the most reasonable way to do things with ports already
> > labeled? For a more general policy, that would mean a Boolean for every
> > port label. Hmm....
> >
> > Second:
> > What's the syntax in the TE file to get descriptive text attached to a
> > Boolean declaration? Right now I get:
> >
> > # semanage boolean -l | grep stunnel_can_sendmail
> > stunnel_can_sendmail -> on stunnel_can_sendmail
> >
> > But I'd prefer something more informative and cosmetically pleasing like:
> >
> > # semanage boolean -l | grep xen_use_nfs
> > xen_use_nfs -> off Allow xen to manage nfs files
> >
> > Thanks for any info and assistance.
> >
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list@xxxxxxxxxx
> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
> If stunnel has to connect to random ports I would prefer you just allow
> it to connect to all ports. So
>
> stunnel_connect_all_ports as a boolean. That way we don't end up adding
> a boolean for every named port that someone could ever allow.
>
> Not as minimum privs as many would like, but better for the masses.

It doesn't just have to *connect* to random ports, it has to *bind* to them. It's a general-purpose wrapper for converting plain text protocols to their SSL-protected versions, which are often found on different ports. So for instance you might have stunnel listening on port 465 for SMTPS and forwarding traffic after decryption to local port 25 (i.e. bind on 465, connect to 25).

Paul.

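A worked version of where the thread ends up: one boolean that lets stunnel both bind to and connect to any labeled TCP port, covering Paul's bind-on-465/connect-to-25 case without a per-port boolean. It is written in refpolicy module syntax (policy_module, gen_tunable, tunable_policy, the corenet_* interfaces from corenetwork.if) rather than the raw bool/if statements Allen posted. This is an added example, not code from the thread or from the stunnel or selinux-policy projects; the module name stunnel_local, the boolean name stunnel_use_all_ports, and the assumption that stunnel_t is already declared by the distribution's stunnel module are mine. The `## <desc>` comment block is the refpolicy convention from which the distribution's policy.xml, and hence the text shown by `semanage boolean -l`, is generated; as far as I know it does not take effect for a boolean declared in a locally built module, so it does not by itself answer the second question.

```m4
policy_module(stunnel_local, 1.0)

########################################
#
# Declarations
#

# Assumed: stunnel_t is declared by the distribution's stunnel module
# (it is on Fedora 11), so it is required here rather than declared.
gen_require(`
	type stunnel_t;
')

## <desc>
## <p>
## Allow stunnel to bind to and connect to any TCP port, so it can
## wrap a service on a port that already carries that service's own
## label (for example tcp/465 and tcp/25, which are both smtp_port_t).
## </p>
## </desc>
gen_tunable(stunnel_use_all_ports, false)

########################################
#
# Local policy
#

# Both directions are needed: stunnel name_binds the SSL-side port and
# name_connects to the plain-text side (bind on 465, connect to 25).
# corenet_tcp_bind_all_ports() and corenet_tcp_connect_all_ports()
# grant name_bind / name_connect on every port type, including ports
# that are already labeled such as smtp_port_t, which is exactly the
# case a per-port boolean would otherwise have to special-case.
tunable_policy(`stunnel_use_all_ports',`
	corenet_tcp_bind_all_ports(stunnel_t)
	corenet_tcp_connect_all_ports(stunnel_t)
')
```

Build and load it with the devel headers (selinux-policy-devel on Fedora): `make -f /usr/share/selinux/devel/Makefile stunnel_local.pp`, then `semodule -i stunnel_local.pp` and `setsebool -P stunnel_use_all_ports on`. `semanage port -l | grep smtp` confirms that 25, 465 and 587 all carry smtp_port_t, which is why Allen could not relabel 465 as stunnel_port_t, and `sesearch -A -s stunnel_t -t smtp_port_t -c tcp_socket -b stunnel_use_all_ports` shows the conditional name_bind/name_connect rules the boolean turns on. Binding to a port below 1024 additionally needs the net_bind_service capability in stunnel_t; the distribution's module should already grant it, and a missing grant shows up as a capability denial in the audit log rather than a port one.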
