Description of problem:
I use xinetd and stunnel to tunnel SMTPS traffic to my localhost to my mail provider. Recently, an update to SELinux's policy broke this configuration.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.0.8-17.fc8

How reproducible:
Every time

Steps to Reproduce:
1. Configure xinetd (/etc/xinetd.d/smtps):

service smtps
{
    disable         = no
    socket_type     = stream
    wait            = no
    user            = postfix
    server          = /usr/sbin/stunnel
    server_args     = /etc/stunnel/smtps.conf
    log_on_success  += USERID HOST DURATION
    log_on_failure  += USERID HOST
}

2. Configure stunnel (/etc/stunnel/smtps):

# xinetd config (see stunnel man page)
client=yes
verify=0
connect = mail.example.com:465
TIMEOUTclose = 0

3. service xinetd start
4. telnet localhost smtps

Actual results:
Telnet reports "Connection refused." I see this in the audit log:

type=AVC msg=audit(1191963205.211:30): avc: denied { name_bind } for pid=2249 comm="xinetd" src=465 scontext=root:system_r:inetd_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1191963205.211:30): arch=14 syscall=102 success=no exit=-13 a0=2 a1=7fd55574 a2=1c a3=7fd555a8 items=0 ppid=1 pid=2249 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="xinetd" exe="/usr/sbin/xinetd" subj=root:system_r:inetd_t:s0 key=(null)

If I tell SELinux to not enforce its policy then telnet succeeds.

Expected results:
xinetd should be able to bind on the SMTPS port.

Additional info:
I think for something like this, it is best to do custom policy.

# grep xinetd /var/log/audit/audit.log | audit2allow -R -M myinetd
# semodule -i myinetd.pp

Otherwise we will end up having to allow xinetd to listen on any port that you might want to tunnel through stunnel.
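As an added illustration of what the custom-policy step above produces (this is example code, not part of the bug report and not the audit2allow tool itself): the script below reads AVC denial lines, such as the one quoted in the report, and writes the minimal policy module source (a .te file) that audit2allow -M myinetd would generate before compiling it to myinetd.pp. It emits raw allow rules; the -R flag in the comment above would instead express the same access through reference-policy interface macros, which is left out here. The sample input is the report's own AVC line, embedded as a constant; the module name myinetd and the types inetd_t and smtp_port_t come from the page, and the output file layout follows the .te syntax that checkmodule accepts. The point of the exercise is the one the comment makes: the generated rule is scoped to exactly the type pair and port class that was denied, rather than opening every port to xinetd.

```shell
#!/bin/sh
# Added example: turn AVC denial lines into a minimal SELinux .te module.
# Constructed sample input: the AVC record quoted in the bug report.
AVC_SAMPLE='type=AVC msg=audit(1191963205.211:30): avc: denied { name_bind } for pid=2249 comm="xinetd" src=465 scontext=root:system_r:inetd_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket'

# avc_rule LINE
# Prints "source_type target_type class perm..." for one AVC denial line,
# or nothing if the line is not a denial.  Context strings have the form
# user:role:type:level, so the type is the third colon-separated field.
avc_rule() {
    line=$1
    case $line in
        *'avc:'*'denied'*) ;;
        *) return 0 ;;
    esac
    perm=$(printf '%s\n' "$line" | sed -n 's/.*denied *{ \(.*\) } for.*/\1/p')
    stype=$(printf '%s\n' "$line" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^: ]*\).*/\1/p')
    ttype=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^: ]*\).*/\1/p')
    tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([a-z_]*\).*/\1/p')
    [ -n "$perm" ] && [ -n "$stype" ] && [ -n "$ttype" ] && [ -n "$tclass" ] || return 0
    printf '%s %s %s %s\n' "$stype" "$ttype" "$tclass" "$perm"
}

# avc_to_te MODNAME < audit-lines
# Prints a .te module whose require block declares every type and class
# seen, followed by one allow rule per distinct denial.
avc_to_te() {
    modname=$1
    rules=$(while IFS= read -r l; do avc_rule "$l"; done | sort -u)
    if [ -z "$rules" ]; then
        echo "no AVC denials on input" >&2
        return 1
    fi
    printf 'module %s 1.0;\n\nrequire {\n' "$modname"
    # every source and target type must be declared before use
    printf '%s\n' "$rules" | awk '{print $1; print $2}' | sort -u \
        | awk '{print "\ttype " $0 ";"}'
    # one class declaration per object class, permissions de-duplicated
    printf '%s\n' "$rules" | awk '
        { c = $3; for (i = 4; i <= NF; i++) if (!seen[c, $i]++) p[c] = p[c] " " $i }
        END { for (c in p) print "\tclass " c " {" p[c] " };" }'
    printf '}\n\n'
    # the allow rules themselves, scoped to exactly what was denied
    printf '%s\n' "$rules" | awk '
        { s = $1; t = $2; c = $3; $1 = $2 = $3 = ""; sub(/^ +/, "")
          print "allow " s " " t ":" c " { " $0 " };" }'
}

# Stand-alone run: emit the module for the sample denial.
printf '%s\n' "$AVC_SAMPLE" | avc_to_te myinetd
```

Fed the report's denial, the script prints a module declaring inetd_t, smtp_port_t and class tcp_socket, and the single rule "allow inetd_t smtp_port_t:tcp_socket { name_bind };". On a real system the same text would be compiled and loaded with checkmodule -M -m -o myinetd.mod myinetd.te, semodule_package -o myinetd.pp -m myinetd.mod and semodule -i myinetd.pp, which is the work audit2allow -M does in one step; reviewing the generated .te before loading it is the point of splitting the steps, since every rule it contains is something the current policy was deliberately denying.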