Ian Pilcher wrote:
> Daniel J Walsh wrote:
>> Confined apps writing to /etc is frowned upon. /etc/ should be considered R/O. If you move this file to /var/run/stunnel and change the config, it should work.
> Nope.
> type=AVC msg=audit(1205188277.824:2538): avc: denied { getattr } for pid=1696 comm="stunnel" path="/var/run/stunnel/random_seed" dev=md1 ino=36907 scontext=unconfined_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
> (And shouldn't it really go under /var/lib/stunnel, since it's supposed to survive a reboot?)
>> You have to define ports that stunnel can listen to.
>> semanage port -a -t stunnel_port_t -P tcp 2873
> OK, that got me past the bind denial. Unfortunately, it looks like stunnel isn't allowed to access /usr/bin, so it can't start the rsync daemon:
> type=AVC msg=audit(1205188277.890:2539): avc: denied { search } for pid=1698 comm="stunnel" name="bin" dev=md1 ino=2686986 scontext=unconfined_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=dir
> Thanks!
Ok, I have been avoiding this. I have never used stunnel. Is it common for stunnel to start the application that is going to run within the tunnel? Or do you just set up the tunnel and the user then runs tools like rsync or telnet?
So do we need an rsync_domtrans(stunnel_t) to start the rsync server, or does it just need to execute the client?
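As an added example (not code from the thread or from the SELinux policy project), a small parser that turns AVC records like the two quoted above into the allow rules they imply, the way audit2allow summarises them, and flags denials whose target is a generic type such as var_run_t, where the fix discussed in the thread is to relabel the file rather than widen the stunnel_t policy. The GENERIC_TYPES set is an assumption chosen for illustration.

```python
"""Turn SELinux AVC denial records into the access they imply and flag
targets that point to a labeling problem instead of a missing allow rule."""
import re

# Constructed sample: the two AVC records quoted in the thread.
AVC_LINES = [
    'type=AVC msg=audit(1205188277.824:2538): avc: denied { getattr } for pid=1696 comm="stunnel" path="/var/run/stunnel/random_seed" dev=md1 ino=36907 scontext=unconfined_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file',
    'type=AVC msg=audit(1205188277.890:2539): avc: denied { search } for pid=1698 comm="stunnel" name="bin" dev=md1 ino=2686986 scontext=unconfined_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=dir',
]

# Assumed set of catch-all file types: a denial against one of these usually
# means the object should carry an application-specific label (e.g. a
# stunnel-specific var_run type) rather than the domain being granted
# access to every file of that generic type.
GENERIC_TYPES = {"var_run_t", "var_lib_t", "var_t", "etc_t", "tmp_t", "usr_t"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Extract the type field from user:role:type[:mls] context."""
    return context.split(":")[2]


def parse_avc(line):
    """Return {perms, stype, ttype, tclass} for one AVC record, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {"perms": m.group("perms").split(), "stype": type_of(m.group("scontext")),
            "ttype": type_of(m.group("tcontext")), "tclass": m.group("tclass")}


def needs_relabel(denial):
    """True when the target type is generic, so relabeling is the right fix."""
    return denial["ttype"] in GENERIC_TYPES


def allow_rules(lines):
    """Merge denials by (source, target, class) into allow-rule strings."""
    merged = {}
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            merged.setdefault((d["stype"], d["ttype"], d["tclass"]), set()).update(d["perms"])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]


if __name__ == "__main__":
    for line in AVC_LINES:
        d = parse_avc(line)
        note = "  # generic target: relabel instead" if needs_relabel(d) else ""
        print(allow_rules([line])[0] + note)
```

Run against the two records it prints one rule per denial, with the var_run_t one marked as a relabeling case, which matches the advice in the thread to give the seed file a directory and label of its own.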