Bug 325721 - SELinux breaks xinetd + stunnel
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Hardware/OS: All Linux
Priority: low
Severity: low
Assigned To: Daniel Walsh
Ben Levenson
Reported: 2007-10-09 19:29 EDT by W. Michael Petullo
Modified: 2007-11-30 17:12 EST (History)

Doc Type: Bug Fix
Last Closed: 2007-10-10 09:31:55 EDT

Attachments: None
Description W. Michael Petullo 2007-10-09 19:29:16 EDT
Description of problem:
I use xinetd and stunnel to tunnel SMTPS traffic to my localhost to my mail
provider. Recently, an update to SELinux's policy broke this configuration.

Version-Release number of selected component (if applicable):

How reproducible:
Every time

Steps to Reproduce:
1. Configure xinetd (/etc/xinetd.d/smtps):

service smtps
{
        disable         = no
        socket_type     = stream
        wait            = no
        user            = postfix
        server          = /usr/sbin/stunnel
        server_args     = /etc/stunnel/smtps.conf
        log_on_success += USERID HOST DURATION
        log_on_failure += USERID HOST
}
2. Configure stunnel (/etc/stunnel/smtps):

# xinetd config (see stunnel man page)
connect = mail.example.com:465
TIMEOUTclose = 0

3. service xinetd start 

4. telnet localhost smtps

Actual results:
Telnet reports "Connection refused." I see this in the audit log:

type=AVC msg=audit(1191963205.211:30): avc:  denied  { name_bind } for  pid=2249 comm="xinetd" src=465 scontext=root:system_r:inetd_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1191963205.211:30): arch=14 syscall=102 success=no exit=-13 a0=2 a1=7fd55574 a2=1c a3=7fd555a8 items=0 ppid=1 pid=2249 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="xinetd" exe="/usr/sbin/xinetd" subj=root:system_r:inetd_t:s0 key=(null)

If I tell SELinux to not enforce its policy then telnet succeeds.

Expected results:
xinetd should be able to bind on the SMTPS port.

Additional info:
Comment 1 Daniel Walsh 2007-10-10 09:31:55 EDT
I think for something like this, it is best to do custom policy.

# grep xinetd /var/log/audit/audit.log | audit2allow -R -M myinetd
# semodule -i myinetd.pp

Otherwise we will end up having to allow xinetd to listen on any port that you
might want to tunnel through stunnel.
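The custom-policy step in comment 1 hides what audit2allow actually derives from the log. The script below is an added example, not code from the bug report or from the selinux-policy project: it reads AVC denial records, turns each distinct denial into the type-enforcement allow rule audit2allow -M would emit, and wraps the rules in a minimal .te source so the module can be reviewed before semodule -i. The audit lines are constructed after the record in the report; the second denial (src=993, pop_port_t) is a hypothetical second tunnelled service added to show why every extra port means another rule.

```shell
#!/bin/sh
# Added example (not from the bug report): hand-rolled equivalent of the
# "grep | audit2allow -M" step, for reviewing what a denial turns into.

# Constructed audit records: the AVC from the report, its SYSCALL companion
# (which carries no rule information), a duplicate of the first AVC, and a
# hypothetical second tunnelled service on port 993 (pop_port_t).
AUDIT_SAMPLE='type=AVC msg=audit(1191963205.211:30): avc:  denied  { name_bind } for  pid=2249 comm="xinetd" src=465 scontext=root:system_r:inetd_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1191963205.211:30): arch=14 syscall=102 success=no exit=-13 comm="xinetd" exe="/usr/sbin/xinetd" subj=root:system_r:inetd_t:s0 key=(null)
type=AVC msg=audit(1191963205.211:30): avc:  denied  { name_bind } for  pid=2249 comm="xinetd" src=465 scontext=root:system_r:inetd_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1191963300.100:31): avc:  denied  { name_bind } for  pid=2249 comm="xinetd" src=993 scontext=root:system_r:inetd_t:s0 tcontext=system_u:object_r:pop_port_t:s0 tclass=tcp_socket'

# avc_to_allow_rules: read audit records on stdin, print one allow rule per
# distinct denial. A context is user:role:type:level, so the type is the
# third colon-separated field of scontext/tcontext.
avc_to_allow_rules() {
    grep 'avc:  denied' | while IFS= read -r line; do
        perms=$(printf '%s\n' "$line" | sed -n 's/.*denied  { \([^}]*\) }.*/\1/p')
        stype=$(printf '%s\n' "$line" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^: ]*\).*/\1/p')
        ttype=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^: ]*\).*/\1/p')
        tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
        # an incomplete record must not become a malformed (or over-broad) rule
        [ -n "$perms" ] && [ -n "$stype" ] && [ -n "$ttype" ] && [ -n "$tclass" ] || continue
        printf 'allow %s %s:%s { %s };\n' "$stype" "$ttype" "$tclass" "$perms"
    done | sort -u
}

# make_te_module NAME: wrap the rules derived from stdin into .te source.
# Every type and every class/permission pair a rule uses has to be listed
# in the require block, or the module will not link against the base policy.
make_te_module() {
    rules=$(avc_to_allow_rules)
    [ -n "$rules" ] || return 1      # nothing to allow: refuse to emit an empty module
    printf 'module %s 1.0;\n\nrequire {\n' "$1"
    # types: source ($2) and the target part of "target:class" ($3)
    printf '%s\n' "$rules" | awk '{ t = $3; sub(/:.*/, "", t); print $2; print t }' | sort -u \
        | awk '{ print "\ttype " $0 ";" }'
    # classes: "{ perm ... };" is fields 4..NF, the permissions are 5..NF-1
    printf '%s\n' "$rules" \
        | awk '{ c = $3; sub(/.*:/, "", c); p = ""; for (i = 5; i < NF; i++) p = p $i " "; print "\tclass " c " { " p "};" }' \
        | sort -u
    printf '}\n\n%s\n' "$rules"
}

# Stand-alone run: show the module that the constructed log would produce.
printf '%s\n' "$AUDIT_SAMPLE" | make_te_module myinetd
```

Read the generated rule before installing it: `allow inetd_t smtp_port_t:tcp_socket { name_bind };` lets xinetd bind any port labelled smtp_port_t (25, 465 and 587 in the targeted policy), not just 465, and each further tunnelled service adds another port type to the module. That accumulation is exactly what comment 1 warns about when it declines to put such rules in the distribution policy. The `-R` in comment 1 asks audit2allow to express the same rule through reference-policy interfaces where one exists; the raw rule above is what those interfaces expand to.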
