Confining stunnel started from init script

Daniel J Walsh dwalsh at redhat.com
Mon Jul 6 14:50:48 UTC 2009


On 07/06/2009 09:04 AM, Paul Howarth wrote:
> On 06/07/09 13:58, Daniel J Walsh wrote:
>> On 07/03/2009 02:21 AM, Allen Kistler wrote:
>>> Since F7, I've started stunnel as a daemon from an init script. In F11,
>>> I'm confining it using SELinux, instead of just letting it run as
>>> initrc_t. However, I've got two questions.
>>>
>>> First:
>>> I think at some point, it might be worth submitting what I've done as an
>>> enhancement, minor though it may be, to stunnel. In my case, I use
>>> stunnel to establish an SSL tunnel to my ISP's smtps port from sendmail.
>>> Since I bind stunnel locally to tcp/465, I can't define stunnel_port_t
>>> (the pre-existing label for whatever port the end user chooses to use)
>>> as tcp/465 because tcp/465 is already labeled as smtp_port_t. What I've
>>> done is:
>>>
>>> bool stunnel_can_sendmail false;
>>>
>>> if (stunnel_can_sendmail) {
>>>     allow stunnel_t smtp_port_t : tcp_socket name_bind;
>>> };
>>>
>>> Does this seem the most reasonable way to do things with ports already
>>> labeled? For a more general policy, that would mean a Boolean for every
>>> port label. Hmm....
>>>
>>> Second:
>>> What's the syntax in the TE file to get descriptive text attached to a
>>> Boolean declaration? Right now I get:
>>>
>>> # semanage boolean -l | grep stunnel_can_sendmail
>>> stunnel_can_sendmail -> on stunnel_can_sendmail
>>>
>>> But I'd prefer something more informative and cosmetically pleasing
>>> like:
>>>
>>> # semanage boolean -l | grep xen_use_nfs
>>> xen_use_nfs -> off Allow xen to manage nfs files
>>>
>>> Thanks for any info and assistance.
>>>
>>> --
>>> fedora-selinux-list mailing list
>>> fedora-selinux-list at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>> If stunnel has to connect to random ports I would prefer you just allow
>> it to connect to all ports, so
>>
>> stunnel_connect_all_ports as a boolean. That way we don't end up adding
>> a boolean for every named port that someone could ever allow.
>>
>> Not as minimum privs as many would like, but better for the masses.
>
> It doesn't just have to *connect* to random ports, it has to *bind* to
> them. It's a general-purpose wrapper for converting plain text protocols
> to their SSL-protected versions, which are often found on different
> ports. So for instance you might have stunnel listening on port 465 for
> SMTPS and forwarding traffic after decryption to local port 25 (i.e.
> bind on 465, connect to 25).
>
> Paul.
Ok, I misspoke, and maybe the boolean should be something like
stunnel_relay_all_ports. But you need to allow it to bind and connect to
all ports on the system.
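An added example, not code from this thread or from selinux-policy, showing how the two booleans discussed above would be declared in a refpolicy-style module, with the descriptive text Allen asks about attached as refpolicy `## <desc>` comments. The module name local_stunnel is assumed; gen_tunable, tunable_policy and the corenet_* interfaces are refpolicy's own, and the build path is the standard selinux-policy-devel Makefile location.

```selinux
# local_stunnel.te: added example, not policy from the thread or from
# selinux-policy. Assumes stunnel_t already exists in the loaded policy
# (it does on F11) and that selinux-policy-devel is installed.
policy_module(local_stunnel, 1.0.0)

require {
	type stunnel_t;
}

## <desc>
## <p>
## Allow stunnel to bind to and connect to the SMTP/SMTPS ports
## (smtp_port_t) so it can wrap sendmail traffic.
## </p>
## </desc>
gen_tunable(stunnel_can_sendmail, false)

## <desc>
## <p>
## Allow stunnel to bind to and connect to any TCP port on the system.
## </p>
## </desc>
gen_tunable(stunnel_relay_all_ports, false)

# Narrow case: the port is known in advance and already carries a label,
# so grant only that label instead of redefining stunnel_port_t.
tunable_policy(`stunnel_can_sendmail', `
	corenet_tcp_bind_smtp_port(stunnel_t)
	corenet_tcp_connect_smtp_port(stunnel_t)
')

# Broad case, as proposed in the thread: stunnel must both bind and
# connect to arbitrary labelled ports. Default off; enable it only on
# hosts that actually relay to unpredictable ports.
tunable_policy(`stunnel_relay_all_ports', `
	corenet_tcp_bind_all_ports(stunnel_t)
	corenet_tcp_connect_all_ports(stunnel_t)
')

# Build, load, then switch on whichever boolean the host needs:
#   make -f /usr/share/selinux/devel/Makefile local_stunnel.pp
#   semodule -i local_stunnel.pp
#   setsebool -P stunnel_can_sendmail on
```

In the refpolicy build the `## <desc>` comments are harvested into policy.xml, which is where semanage boolean -l takes its descriptions from, so the text is shown once the module is built as part of the documented policy rather than as a stand-alone local .pp.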