Bug 509498 - Boolean stunnel_is_daemon doesn't exist
Status: CLOSED DUPLICATE of bug 509502
Product: Fedora
Classification: Fedora
Component: setroubleshoot
Version: 11
Hardware/OS: All Linux
Priority: low
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2009-07-03 01:43 EDT by Allen Kistler
Modified: 2009-07-06 17:04 EDT
Last Closed: 2009-07-06 17:04:03 EDT
Doc Type: Bug Fix
Attachments: None

Description Allen Kistler 2009-07-03 01:43:52 EDT
Description of problem:
I start stunnel as a daemon from an init script.  I'm confining it using SELinux.  However, at one point in my development I got an AVC denial that setroubleshoot/sealert suggested I remedy using a Boolean, stunnel_is_daemon.  No such Boolean exists in /selinux/booleans.  I also searched the selinux-policy source and only found a reference to it in booleans-mls.conf, but nowhere else.  I suspect that the Boolean is obsolete and that the help text from the troubleshooter just needs to be updated to eliminate the reference.

Version-Release number of selected component (if applicable):
setroubleshoot-2.1.14-1.fc11

How reproducible:
Always

Steps to Reproduce:
1. Configure stunnel to bind to just about any port (e.g., tcp/465)
2. Run setroubleshoot-server
3. Run stunnel as stunnel_t
Actual results:
--- begin ---
SELinux is preventing stunnel (stunnel_t) "name_bind" access to device <Unknown>.

--- snip ---

Allowing Access:

If you want the SSL Tunnel to run as a daemon you need to turn on the
stunnel_is_daemon boolean: "setsebool -P stunnel_is_daemon=1". You also need to
tell SELinux which port SSL Tunnel will be running on. semanage port -a -t
stunnel_port_t -p tcp 465
--- end ---

Expected results:
"Allowing Access" shouldn't mention stunnel_is_daemon, since it appears to be obsolete.  "device <Unknown>" seems a little shady, too, but that's a different bug.

Additional info:

For reference, below is the denial record for which the troubleshooter tried to help.  Note that this bug report is only about the erroneous help text, not the denial itself.

node=ack602 type=AVC msg=audit(1245975626.960:170): avc:  denied  { name_bind } for  pid=4872 comm="stunnel" src=465 scontext=unconfined_u:system_r:stunnel_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
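The report boils down to a troubleshooter emitting advice that references a Boolean the loaded policy does not define. The following is an added example, not code from setroubleshoot or from the reporter: a small Python script that parses the AVC record quoted above, looks up a hint for the denied (source type, class, permission) triple, and checks every Boolean that hint names against the set the host actually has before putting it in front of a user. The `HINTS` table and the `KNOWN_BOOLEANS` set are constructed for the example (a real tool would populate the latter from `getsebool -a` or `/selinux/booleans`); the sample AVC line is the one from the report.

```python
import re

# Constructed sample input: the AVC record quoted in the bug report above.
SAMPLE_AVC = (
    'node=ack602 type=AVC msg=audit(1245975626.960:170): avc:  denied  '
    '{ name_bind } for  pid=4872 comm="stunnel" src=465 '
    'scontext=unconfined_u:system_r:stunnel_t:s0 '
    'tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket'
)

# Constructed stand-in for the Booleans the host actually has (what
# `getsebool -a` would list). stunnel_is_daemon is deliberately absent.
KNOWN_BOOLEANS = {"allow_ypbind", "httpd_can_network_connect", "nis_enabled"}

# Constructed hint table keyed by (source type, object class, permission).
# The stunnel_is_daemon entry reproduces the stale advice the report quotes.
HINTS = {
    ("stunnel_t", "tcp_socket", "name_bind"): {
        "booleans": ["stunnel_is_daemon"],
        "port_type": "stunnel_port_t",
    },
}

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+(?P<decision>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one audit AVC line into a dict; return None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"decision": m.group("decision"), "perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # An SELinux context is user:role:type[:level]; the type is the third field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def suggest_remediation(rec, known_booleans):
    """Build remediation commands for a parsed denial, separating out Booleans
    that the hint table names but the loaded policy does not define."""
    result = {"commands": [], "stale_booleans": []}
    for perm in rec["perms"]:
        hint = HINTS.get((rec["stype"], rec["tclass"], perm))
        if hint is None:
            continue
        for name in hint.get("booleans", []):
            if name in known_booleans:
                result["commands"].append(f"setsebool -P {name}=1")
            else:
                # This is the bug: never advise toggling a Boolean that does not exist.
                result["stale_booleans"].append(name)
        if perm == "name_bind" and "port_type" in hint and "src" in rec:
            proto = "tcp" if rec["tclass"] == "tcp_socket" else "udp"
            # If the port already carries a specific type (here smtp_port_t),
            # `semanage port -a` fails with "already defined"; modify it instead.
            action = "-a" if rec["ttype"] == "port_t" else "-m"
            result["commands"].append(
                f"semanage port {action} -t {hint['port_type']} -p {proto} {rec['src']}"
            )
    return result


if __name__ == "__main__":
    parsed = parse_avc(SAMPLE_AVC)
    advice = suggest_remediation(parsed, KNOWN_BOOLEANS)
    for cmd in advice["commands"]:
        print("suggest:", cmd)
    for name in advice["stale_booleans"]:
        print("stale hint, withheld from user:", name)
```

Run against the sample record, the script withholds the `stunnel_is_daemon` advice and emits only the port command. Two details worth noting: the Boolean check is done against the live policy rather than the plugin's own expectations, which is exactly the validation the report asks for; and because the target context already labels tcp/465 as `smtp_port_t`, the script uses `semanage port -m` rather than the `-a` the troubleshooter printed, since adding a port that is already defined in policy fails.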
Comment 1 Daniel Walsh 2009-07-06 17:04:03 EDT

*** This bug has been marked as a duplicate of bug 509502 ***
