Bug 325721 - SELinux breaks xinetd + stunnel
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2007-10-09 23:29 UTC by W. Michael Petullo
Modified: 2007-11-30 22:12 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2007-10-10 13:31:55 UTC
Type: ---
Embargoed:



Description W. Michael Petullo 2007-10-09 23:29:16 UTC
Description of problem:
I use xinetd and stunnel to tunnel SMTPS traffic to my localhost to my mail
provider. Recently, an update to SELinux's policy broke this configuration.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.0.8-17.fc8

How reproducible:
Every time

Steps to Reproduce:
1. Configure xinetd (/etc/xinetd.d/smtps):

service smtps
{
        disable         = no
        socket_type     = stream
        wait            = no
        user            = postfix
        server          = /usr/sbin/stunnel
        server_args     = /etc/stunnel/smtps.conf
        log_on_success += USERID HOST DURATION
        log_on_failure += USERID HOST
}
 
2. Configure stunnel (/etc/stunnel/smtps):

# xinetd config (see stunnel man page)
client=yes
verify=0
connect = mail.example.com:465
TIMEOUTclose = 0

3. service xinetd start 

4. telnet localhost smtps

Actual results:
Telnet reports "Connection refused." I see this in the audit log:

type=AVC msg=audit(1191963205.211:30): avc:  denied  { name_bind } for  pid=2249
comm="xinetd" src=465 scontext=root:system_r:inetd_t:s0
tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1191963205.211:30): arch=14 syscall=102 success=no
exit=-13 a0=2 a1=7fd55574 a2=1c a3=7fd555a8 items=0 ppid=1 pid=2249 auid=0 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="xinetd"
exe="/usr/sbin/xinetd" subj=root:system_r:inetd_t:s0 key=(null)

If I tell SELinux to not enforce its policy then telnet succeeds.

Expected results:
xinetd should be able to bind on the SMTPS port.

Additional info:

Comment 1 Daniel Walsh 2007-10-10 13:31:55 UTC
I think for something like this, it is best to do custom policy.

# grep xinetd /var/log/audit/audit.log | audit2allow -R -M myinetd
# semodule -i myinetd.pp

Otherwise we will end up having to allow xinetd to listen on any port that you
might want to tunnel through stunnel.
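As an added example (not code from the bug report or from Daniel Walsh's comment), the following Python script parses AVC denial records in the format quoted in the description, re-joined onto one line as /var/log/audit/audit.log stores them, and renders the type-enforcement rules that a custom module such as the "myinetd" one in Comment 1 would contain. The sample record is constructed from the denial in the report; audit2allow's -R option may emit a reference-policy interface call instead of a raw allow rule, which the script does not attempt. What it makes visible is that the generated rule grants inetd_t name_bind on every port labelled smtp_port_t, not just port 465, which is why such a module is worth reading before semodule -i.

```python
"""Parse SELinux AVC 'denied' records and render the type-enforcement (.te)
rules that audit2allow would generate from them, so a custom policy module
can be reviewed for scope before it is installed."""
import re
from collections import OrderedDict

# Constructed sample: the AVC record from the bug report, re-joined onto one
# line as it appears in audit.log. The SYSCALL record is included to show
# that non-AVC records are ignored by the parser.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1191963205.211:30): avc:  denied  { name_bind } for  pid=2249 comm="xinetd" src=465 scontext=root:system_r:inetd_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1191963205.211:30): arch=14 syscall=102 success=no exit=-13 a0=2 a1=7fd55574 a2=1c a3=7fd555a8 items=0 ppid=1 pid=2249 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="xinetd" exe="/usr/sbin/xinetd" subj=root:system_r:inetd_t:s0 key=(null)
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)


def parse_avc_denials(log_text):
    """Return one dict per AVC 'denied' record found in log_text."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, CWD, PATH and other record types carry no denial
        d = m.groupdict()
        # A context is user:role:type[:level]; only the type matters for TE rules.
        d['stype'] = d['scontext'].split(':')[2]
        d['ttype'] = d['tcontext'].split(':')[2]
        d['perms'] = d['perms'].split()
        comm = re.search(r'comm="([^"]*)"', line)
        d['comm'] = comm.group(1) if comm else None
        src = re.search(r'\bsrc=(\d+)', line)  # port number for name_bind denials
        d['src'] = int(src.group(1)) if src else None
        denials.append(d)
    return denials


def allow_rules(denials):
    """Aggregate denials into allow rules, one per (source type, target type,
    object class), with every denied permission merged into that rule."""
    merged = OrderedDict()
    for d in denials:
        key = (d['stype'], d['ttype'], d['tclass'])
        merged.setdefault(key, set()).update(d['perms'])
    rules = []
    for (s, t, c), perms in merged.items():
        p = ' '.join(sorted(perms))
        rules.append('allow %s %s:%s %s;' % (s, t, c, p if len(perms) == 1 else '{ %s }' % p))
    return rules


def te_module(name, denials, version='1.0'):
    """Render a complete .te source: module header, require block, allow rules."""
    types = sorted({d['stype'] for d in denials} | {d['ttype'] for d in denials})
    classes = OrderedDict()
    for d in denials:
        classes.setdefault(d['tclass'], set()).update(d['perms'])
    lines = ['module %s %s;' % (name, version), '', 'require {']
    lines += ['\ttype %s;' % t for t in types]
    for c, perms in classes.items():
        p = ' '.join(sorted(perms))
        lines.append('\tclass %s %s;' % (c, p if len(perms) == 1 else '{ %s }' % p))
    lines += ['}', '']
    lines += allow_rules(denials)
    return '\n'.join(lines) + '\n'


def bind_scope(denials):
    """For each name_bind denial, report the port that triggered it next to the
    port *type* the rule would grant: the allow rule covers every port carrying
    that label, not only the one in the log."""
    return [(d['comm'], d['src'], d['ttype']) for d in denials if 'name_bind' in d['perms']]


if __name__ == '__main__':
    found = parse_avc_denials(SAMPLE_AUDIT_LOG)
    print(te_module('myinetd', found))
    for comm, port, ttype in bind_scope(found):
        print('# %s tried port %s; rule grants bind on all ports labelled %s' % (comm, port, ttype))
```

Run against the real file with the same grep Comment 1 uses (grep xinetd /var/log/audit/audit.log) piped into parse_avc_denials, and compare the rendered rules with what audit2allow produces before installing the module.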

