Since F7, I've started stunnel as a daemon from an init script. In F11, I'm confining it using SELinux, instead of just letting it run as initrc_t. However, I've got two questions.
First: I think at some point, it might be worth submitting what I've done as an enhancement, minor though it may be, to stunnel. In my case, I use stunnel to establish an SSL tunnel to my ISP's smtps port from sendmail. Since I bind stunnel locally to tcp/465, I can't define stunnel_port_t (the pre-existing label for whatever port the end user chooses to use) as tcp/465 because tcp/465 is already labeled as smtp_port_t. What I've done is:
bool stunnel_can_sendmail false;
if (stunnel_can_sendmail) { allow stunnel_t smtp_port_t : tcp_socket name_bind; };
Does this seem the most reasonable way to do things with ports already labeled? For a more general policy, that would mean a Boolean for every port label. Hmm....
Second: What's the syntax in the TE file to get descriptive text attached to a Boolean declaration? Right now I get:
# semanage boolean -l | grep stunnel_can_sendmail
stunnel_can_sendmail -> on stunnel_can_sendmail
But I'd prefer something more informative and cosmetically pleasing like:
# semanage boolean -l | grep xen_use_nfs
xen_use_nfs -> off Allow xen to manage nfs files
Thanks for any info and assistance.
On Fri, 03 Jul 2009 01:21:16 -0500 Allen Kistler an037-ooai8@yahoo.com wrote:
> Since F7, I've started stunnel as a daemon from an init script. In F11, I'm confining it using SELinux, instead of just letting it run as initrc_t. However, I've got two questions.
> First: I think at some point, it might be worth submitting what I've done as an enhancement, minor though it may be, to stunnel. In my case, I use stunnel to establish an SSL tunnel to my ISP's smtps port from sendmail. Since I bind stunnel locally to tcp/465, I can't define stunnel_port_t (the pre-existing label for whatever port the end user chooses to use) as tcp/465 because tcp/465 is already labeled as smtp_port_t. What I've done is:
> bool stunnel_can_sendmail false;
> if (stunnel_can_sendmail) { allow stunnel_t smtp_port_t : tcp_socket name_bind; };
> Does this seem the most reasonable way to do things with ports already labeled? For a more general policy, that would mean a Boolean for every port label. Hmm....
This looks like exactly the right thing to me.
> Second: What's the syntax in the TE file to get descriptive text attached to a Boolean declaration? Right now I get:
> # semanage boolean -l | grep stunnel_can_sendmail
> stunnel_can_sendmail -> on stunnel_can_sendmail
> But I'd prefer something more informative and cosmetically pleasing like:
> # semanage boolean -l | grep xen_use_nfs
> xen_use_nfs -> off Allow xen to manage nfs files
> Thanks for any info and assistance.
## <desc>
## <p>
## Allow samba to export NFS volumes.
## </p>
## </desc>
gen_tunable(samba_share_nfs, false)
Paul.
Paul Howarth wrote:
> On Fri, 03 Jul 2009 01:21:16 -0500 Allen Kistler an037-ooai8@yahoo.com wrote:
> [snip]
> > Second: What's the syntax in the TE file to get descriptive text attached to a Boolean declaration? Right now I get:
> > # semanage boolean -l | grep stunnel_can_sendmail
> > stunnel_can_sendmail -> on stunnel_can_sendmail
> > But I'd prefer something more informative and cosmetically pleasing like:
> > # semanage boolean -l | grep xen_use_nfs
> > xen_use_nfs -> off Allow xen to manage nfs files
> > Thanks for any info and assistance.
> ## <desc>
> ## <p>
> ## Allow samba to export NFS volumes.
> ## </p>
> ## </desc>
> gen_tunable(samba_share_nfs, false)
checkmodule doesn't like that syntax in the TE file. I guess I need to install some macro preprocessors for the not-so-vanilla stuff.
On 07/03/2009 02:21 AM, Allen Kistler wrote:
> Since F7, I've started stunnel as a daemon from an init script. In F11, I'm confining it using SELinux, instead of just letting it run as initrc_t. However, I've got two questions.
> First: I think at some point, it might be worth submitting what I've done as an enhancement, minor though it may be, to stunnel. In my case, I use stunnel to establish an SSL tunnel to my ISP's smtps port from sendmail. Since I bind stunnel locally to tcp/465, I can't define stunnel_port_t (the pre-existing label for whatever port the end user chooses to use) as tcp/465 because tcp/465 is already labeled as smtp_port_t. What I've done is:
> bool stunnel_can_sendmail false;
> if (stunnel_can_sendmail) { allow stunnel_t smtp_port_t : tcp_socket name_bind; };
> Does this seem the most reasonable way to do things with ports already labeled? For a more general policy, that would mean a Boolean for every port label. Hmm....
> Second: What's the syntax in the TE file to get descriptive text attached to a Boolean declaration? Right now I get:
> # semanage boolean -l | grep stunnel_can_sendmail
> stunnel_can_sendmail -> on stunnel_can_sendmail
> But I'd prefer something more informative and cosmetically pleasing like:
> # semanage boolean -l | grep xen_use_nfs
> xen_use_nfs -> off Allow xen to manage nfs files
> Thanks for any info and assistance.
> -- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
If stunnel has to connect to random ports, I would prefer you just allow it to connect to all ports, so stunnel_connect_all_ports as a boolean. That way we don't end up adding a boolean for every named port that someone could ever allow.
Not as Minimum privs as many would like, but better for the masses.
On 06/07/09 13:58, Daniel J Walsh wrote:
> On 07/03/2009 02:21 AM, Allen Kistler wrote:
> > Since F7, I've started stunnel as a daemon from an init script. In F11, I'm confining it using SELinux, instead of just letting it run as initrc_t. However, I've got two questions.
> > First: I think at some point, it might be worth submitting what I've done as an enhancement, minor though it may be, to stunnel. In my case, I use stunnel to establish an SSL tunnel to my ISP's smtps port from sendmail. Since I bind stunnel locally to tcp/465, I can't define stunnel_port_t (the pre-existing label for whatever port the end user chooses to use) as tcp/465 because tcp/465 is already labeled as smtp_port_t. What I've done is:
> > bool stunnel_can_sendmail false;
> > if (stunnel_can_sendmail) { allow stunnel_t smtp_port_t : tcp_socket name_bind; };
> > Does this seem the most reasonable way to do things with ports already labeled? For a more general policy, that would mean a Boolean for every port label. Hmm....
> > Second: What's the syntax in the TE file to get descriptive text attached to a Boolean declaration? Right now I get:
> > # semanage boolean -l | grep stunnel_can_sendmail
> > stunnel_can_sendmail -> on stunnel_can_sendmail
> > But I'd prefer something more informative and cosmetically pleasing like:
> > # semanage boolean -l | grep xen_use_nfs
> > xen_use_nfs -> off Allow xen to manage nfs files
> > Thanks for any info and assistance.
> If stunnel has to connect to random ports, I would prefer you just allow it to connect to all ports, so stunnel_connect_all_ports as a boolean. That way we don't end up adding a boolean for every named port that someone could ever allow.
> Not as Minimum privs as many would like, but better for the masses.
It doesn't just have to *connect* to random ports, it has to *bind* to them. It's a general-purpose wrapper for converting plain text protocols to their SSL-protected versions, which are often found on different ports. So for instance you might have stunnel listening on port 465 for SMTPS and forwarding traffic after decryption to local port 25 (i.e. bind on 465, connect to 25).
Paul.
On 07/06/2009 09:04 AM, Paul Howarth wrote:
> On 06/07/09 13:58, Daniel J Walsh wrote:
> > On 07/03/2009 02:21 AM, Allen Kistler wrote:
> > > Since F7, I've started stunnel as a daemon from an init script. In F11, I'm confining it using SELinux, instead of just letting it run as initrc_t. However, I've got two questions.
> > > First: I think at some point, it might be worth submitting what I've done as an enhancement, minor though it may be, to stunnel. In my case, I use stunnel to establish an SSL tunnel to my ISP's smtps port from sendmail. Since I bind stunnel locally to tcp/465, I can't define stunnel_port_t (the pre-existing label for whatever port the end user chooses to use) as tcp/465 because tcp/465 is already labeled as smtp_port_t. What I've done is:
> > > bool stunnel_can_sendmail false;
> > > if (stunnel_can_sendmail) { allow stunnel_t smtp_port_t : tcp_socket name_bind; };
> > > Does this seem the most reasonable way to do things with ports already labeled? For a more general policy, that would mean a Boolean for every port label. Hmm....
> > > Second: What's the syntax in the TE file to get descriptive text attached to a Boolean declaration? Right now I get:
> > > # semanage boolean -l | grep stunnel_can_sendmail
> > > stunnel_can_sendmail -> on stunnel_can_sendmail
> > > But I'd prefer something more informative and cosmetically pleasing like:
> > > # semanage boolean -l | grep xen_use_nfs
> > > xen_use_nfs -> off Allow xen to manage nfs files
> > > Thanks for any info and assistance.
> > If stunnel has to connect to random ports, I would prefer you just allow it to connect to all ports, so stunnel_connect_all_ports as a boolean. That way we don't end up adding a boolean for every named port that someone could ever allow.
> > Not as Minimum privs as many would like, but better for the masses.
> It doesn't just have to *connect* to random ports, it has to *bind* to them. It's a general-purpose wrapper for converting plain text protocols to their SSL-protected versions, which are often found on different ports. So for instance you might have stunnel listening on port 465 for SMTPS and forwarding traffic after decryption to local port 25 (i.e. bind on 465, connect to 25).
> Paul.
Ok, I misspoke, and maybe the boolean should be something like stunnel_relay_all_ports. But you need to allow it to bind and connect to all ports on the system.
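To tie the thread together, here is an added example of a complete refpolicy-style TE module (not from the thread, stunnel, or the Fedora policy) that declares both Booleans discussed: the narrow per-port stunnel_can_sendmail from the first message, written with the gen_tunable/<desc> syntax Paul showed, and the broad stunnel_relay_all_ports Dan settled on. The module name stunnel_local is an assumption; stunnel_t is taken to already exist in the installed policy, as the first message implies. It uses refpolicy m4 macros (policy_module, gen_tunable, tunable_policy, corenet_*), which is exactly why raw checkmodule rejects this form: it has to be built through the refpolicy Makefile from selinux-policy-devel, which runs m4 first.

```selinux
policy_module(stunnel_local, 1.0.0)

########################################
#
# Declarations
#

# stunnel_t is assumed to be defined by the distribution's stunnel module.
require {
	type stunnel_t;
}

## <desc>
## <p>
## Allow stunnel to bind to the SMTP/SMTPS port (tcp/465, labeled
## smtp_port_t) instead of only stunnel_port_t.
## </p>
## </desc>
gen_tunable(stunnel_can_sendmail, false)

## <desc>
## <p>
## Allow stunnel to bind to and connect to any port on the system, so
## that one Boolean covers whatever port pair a given tunnel relays.
## </p>
## </desc>
gen_tunable(stunnel_relay_all_ports, false)

########################################
#
# Local policy
#

# Narrow option: one tunable per already-labeled port. The interface
# expands to the same "allow stunnel_t smtp_port_t:tcp_socket name_bind"
# rule the first message wrote by hand.
tunable_policy(`stunnel_can_sendmail', `
	corenet_tcp_bind_smtp_port(stunnel_t)
')

# Broad option: one tunable for every port, bind and connect, since
# stunnel both listens on the SSL port and connects to the plain one.
tunable_policy(`stunnel_relay_all_ports', `
	corenet_tcp_bind_all_ports(stunnel_t)
	corenet_tcp_connect_all_ports(stunnel_t)
')
```

Save this as stunnel_local.te and build it with make -f /usr/share/selinux/devel/Makefile stunnel_local.pp, then semodule -i stunnel_local.pp and setsebool -P stunnel_can_sendmail on (or stunnel_relay_all_ports, depending on which trade-off you pick). Two caveats: the binary policy the kernel loads carries no description strings, so the ## <desc> text is consumed by the policy build's documentation tooling rather than by the loaded module, and semanage can only print it where that generated metadata is installed; and with both Booleans off the module grants nothing, so an AVC denial for name_bind on smtp_port_t is the expected, auditable signal that a tunnel is bound to a port the policy has not been told about.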