Bug 1479383 - stunnel >=5.41 needs additional rules.
stunnel >=5.41 needs additional rules.
Status: NEW
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy (Show other bugs)
7.3
All Linux
unspecified Severity unspecified
: rc
: ---
Assigned To: Lukas Vrabec
Milos Malik
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-08-08 09:13 EDT by Frank Büttner
Modified: 2017-08-14 08:50 EDT (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Frank Büttner 2017-08-08 09:13:51 EDT
Description of problem:
Newer versions need additional selinux rules to work. 

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.13.1-102.el7_3.16.noarch


audit:
type=AVC msg=audit(1502196618.804:2350): avc:  denied  { sys_nice } for  pid=50312 comm="stunnel" capability=23  scontext=system_u:system_r:stunnel_t:s0 tcontext=system_u:system_r:stunnel_t:s0 tclass=capability
type=AVC msg=audit(1502196618.804:2350): avc:  denied  { setsched } for  pid=50312 comm="stunnel" scontext=system_u:system_r:stunnel_t:s0 tcontext=system_u:system_r:stunnel_t:s0 tclass=process



Additional rule:
require {
        type stunnel_t;
        class capability { dac_override dac_read_search sys_nice };
        class process setsched;
}

#============= stunnel_t ==============
allow stunnel_t self:capability { dac_override dac_read_search sys_nice };
allow stunnel_t self:process setsched;

Note You need to log in before you can comment on or make changes to this bug.