Bug 325721

Summary: SELinux breaks xinetd + stunnel
Product: Fedora
Reporter: W. Michael Petullo <mike>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED WONTFIX
QA Contact: Ben Levenson <benl>
Severity: low
Priority: low
Version: rawhide
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2007-10-10 13:31:55 UTC

Description W. Michael Petullo 2007-10-09 23:29:16 UTC
Description of problem:
I use xinetd and stunnel to tunnel SMTPS traffic from my localhost to my mail
provider. Recently, an update to SELinux's policy broke this configuration.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.0.8-17.fc8

How reproducible:
Every time

Steps to Reproduce:
1. Configure xinetd (/etc/xinetd.d/smtps):

service smtps
{
        disable         = no
        socket_type     = stream
        wait            = no
        user            = postfix
        server          = /usr/sbin/stunnel
        server_args     = /etc/stunnel/smtps.conf
        log_on_success += USERID HOST DURATION
        log_on_failure += USERID HOST
}
 
2. Configure stunnel (/etc/stunnel/smtps):

# xinetd config (see stunnel man page)
client=yes
verify=0
connect = mail.example.com:465
TIMEOUTclose = 0

3. service xinetd start 

4. telnet localhost smtps

Actual results:
Telnet reports "Connection refused." I see this in the audit log:

type=AVC msg=audit(1191963205.211:30): avc:  denied  { name_bind } for  pid=2249
comm="xinetd" src=465 scontext=root:system_r:inetd_t:s0
tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1191963205.211:30): arch=14 syscall=102 success=no
exit=-13 a0=2 a1=7fd55574 a2=1c a3=7fd555a8 items=0 ppid=1 pid=2249 auid=0 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="xinetd"
exe="/usr/sbin/xinetd" subj=root:system_r:inetd_t:s0 key=(null)

If I tell SELinux to not enforce its policy then telnet succeeds.

Expected results:
xinetd should be able to bind on the SMTPS port.

Additional info:

Comment 1 Daniel Walsh 2007-10-10 13:31:55 UTC
I think for something like this, it is best to do custom policy.

# grep xinetd /var/log/audit/audit.log | audit2allow -R -M myinetd
# semodule -i myinetd.pp

Otherwise we will end up having to allow xinetd to listen on any port that you
might want to tunnel through stunnel.