Bug 676381

Summary: [SELINUX] stunnel does not transition from initrc_t/unconfined_t to stunnel_t
Product: Red Hat Enterprise Linux 5
Reporter: Robert Jaroszuk <zim>
Component: selinux-policy-targeted
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Priority: unspecified
Version: 5.5
CC: dwalsh
Target Milestone: rc
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-02-10 14:52:20 UTC

Description Robert Jaroszuk 2011-02-09 17:03:07 UTC
Description of problem:

I just set up stunnel as a service (a daemon, not started from xinetd), and I would like to make stunnel type-transition from the default initrc_t to stunnel_t.
The reason is to create an SSL terminator/proxy server, where hundreds of SSL connections will be terminated and stunnel will redirect those connections to another server on the local network.

[hundreds of SSL connections] -> stunnel_server:port ----(unencrypted connection) ----> other_server:port

So I have this daemon, started by initrc:
system_u:system_r:initrc_t:s0    2024 ?        Ss     0:00 /usr/sbin/stunnel /etc/stunnel/stunnel.conf

The file has the correct file context:
-rwxr-xr-x  root root system_u:object_r:stunnel_exec_t:s0 /usr/sbin/stunnel

Booleans:
stunnel_disable_trans --> off
stunnel_is_daemon --> on

Version-Release number of selected component (if applicable):
CentOS release 5.5 (Final)
2.6.18-194.26.1.el5PAE
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted

stunnel-4.15-2.el5.1
selinux-policy-targeted-2.4.6-279.el5_5.2
libselinux-devel-1.33.4-5.5.el5
libselinux-python-1.33.4-5.5.el5
libselinux-utils-1.33.4-5.5.el5
selinux-policy-2.4.6-279.el5_5.2
selinux-policy-devel-2.4.6-279.el5_5.2
libselinux-1.33.4-5.5.el5

Steps to Reproduce:
Install stunnel,
wget http://www.gaztronics.net/rc/stunnel.gz
gzip -d stunnel.gz
mv stunnel /etc/init.d/
chmod 755 /etc/init.d/stunnel
/sbin/chkconfig --add stunnel
create a config file at /etc/stunnel/stunnel.conf
setsebool -P stunnel_is_daemon 1
reboot, so that stunnel is started by initrc.
# ps xZ|grep stunnel
system_u:system_r:initrc_t:s0    2024 ?        Ssl    0:00 /usr/sbin/stunnel /etc/stunnel/stunnel.conf

Additional info:

I tried to create an SELinux module for stunnel to force the type transition, but every time I try to load the module I get this error message:

libsepol.scope_copy_callback: stunnel: Duplicate declaration in module: bool stunnel_disable_trans
libsemanage.semanage_link_sandbox: Link packages failed
smodule: Failed!

Comment 1 Daniel Walsh 2011-02-10 14:48:19 UTC
Rhel5 has the following

ifdef(`distro_gentoo',`
	init_daemon_domain(stunnel_t,stunnel_exec_t)
',`
	inetd_tcp_service_domain(stunnel_t,stunnel_exec_t)
')

Meaning that in Red Hat we expect you to run stunnel as an xinetd daemon.

Comment 2 Daniel Walsh 2011-02-10 14:52:20 UTC
policy_module(mystunnel, 1.0)

# The types and the daemon attribute already exist in the base policy,
# so the module only requires them instead of redeclaring them.
gen_require(`
	type stunnel_t;
	type stunnel_exec_t;
	type initrc_t;
	attribute daemon;
')

# Make stunnel_t a daemon domain that is entered through stunnel_exec_t.
typeattribute stunnel_t daemon;
domain_type(stunnel_t)
domain_entry_file(stunnel_t,stunnel_exec_t)

role system_r types stunnel_t;

init_dontaudit_use_fds(stunnel_t)
term_dontaudit_use_console(stunnel_t)

init_use_script_ptys(stunnel_t)

# Automatic transition when initrc_t executes stunnel_exec_t, plus the
# descriptor, pipe and signal access an init script and its child need.
domain_auto_trans(initrc_t,stunnel_exec_t,stunnel_t)
allow initrc_t stunnel_t:fd use;
allow stunnel_t initrc_t:fd use;
allow stunnel_t initrc_t:fifo_file rw_file_perms;
allow stunnel_t initrc_t:process sigchld;
allow initrc_t stunnel_t:process { siginh };
dontaudit initrc_t stunnel_t:process { noatsecure rlimitinh };
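As an added check that is not part of the report or of the comments above: a small POSIX shell helper that reads ps -eZ style output and flags instances of a daemon still running in initrc_t instead of its own domain, so the effect of loading a module like the one above can be verified from a script. The ps sample is constructed and the function names are my own.

```sh
#!/bin/sh
# Added example: verify that a daemon really runs in its intended SELinux
# domain rather than staying in initrc_t. Works on `ps -eZ` output so it
# can be exercised on a constructed sample; on a live host pass "$(ps -eZ)".

# Constructed sample (not captured from the reporter's host): one stunnel
# left in initrc_t, one correctly transitioned, one unrelated daemon.
SAMPLE_PS='system_u:system_r:initrc_t:s0    2024 ?        Ssl    0:00 /usr/sbin/stunnel /etc/stunnel/stunnel.conf
system_u:system_r:stunnel_t:s0   2031 ?        Ss     0:00 /usr/sbin/stunnel /etc/stunnel/other.conf
system_u:system_r:sshd_t:s0      1800 ?        Ss     0:00 /usr/sbin/sshd'

# Print the type field (user:role:TYPE:level) of a single ps -Z line.
ps_line_type() {
    printf '%s\n' "$1" | awk '{ split($1, c, ":"); print c[3] }'
}

# Print "PID actual_type" for each process whose command ($6 in ps -eZ
# output) is $2 but whose domain is not the expected type $3.
misplaced_pids() {
    printf '%s\n' "$1" | awk -v exe="$2" -v want="$3" '
        $6 == exe {
            split($1, c, ":")
            if (c[3] != want) print $2, c[3]
        }'
}

# Exit status 0 when every instance of $2 runs as $3, 1 otherwise.
# Live usage: check_confined "$(ps -eZ)" /usr/sbin/stunnel stunnel_t
check_confined() {
    [ -z "$(misplaced_pids "$1" "$2" "$3")" ]
}
```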