Description of problem:
I just set up stunnel as a service (daemon, not from xinetd) and I would like to make stunnel type-transition from the default initrc_t to stunnel_t. The reason for that is to create an SSL terminator/proxy server, where hundreds of SSL connections will be terminated and stunnel will redirect those connections to another server in the local network.

[hundreds of SSL connections] -> stunnel_server:port ----(unencrypted connection)----> other_server:port

So I have this daemon, started by initrc:
system_u:system_r:initrc_t:s0 2024 ? Ss 0:00 /usr/sbin/stunnel /etc/stunnel/stunnel.conf

The file has the correct file context:
-rwxr-xr-x root root system_u:object_r:stunnel_exec_t:s0 /usr/sbin/stunnel

Booleans:
stunnel_disable_trans --> off
stunnel_is_daemon --> on

Version-Release number of selected component (if applicable):
CentOS release 5.5 (Final)
2.6.18-194.26.1.el5PAE

SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted

stunnel-4.15-2.el5.1
selinux-policy-targeted-2.4.6-279.el5_5.2
libselinux-devel-1.33.4-5.5.el5
libselinux-python-1.33.4-5.5.el5
libselinux-utils-1.33.4-5.5.el5
selinux-policy-2.4.6-279.el5_5.2
selinux-policy-devel-2.4.6-279.el5_5.2
libselinux-1.33.4-5.5.el5

Steps to Reproduce:
1. Install stunnel, then:
   wget http://www.gaztronics.net/rc/stunnel.gz
   gzip -d stunnel.gz
   mv stunnel /etc/init.d/
   chmod 755 /etc/init.d/stunnel
   /sbin/chkconfig --add stunnel
2. Create the config file in /etc/stunnel/stunnel.conf
3. setsebool -P stunnel_is_daemon 1
4. Reboot, so stunnel should be started by initrc.

# ps xZ|grep stunnel
system_u:system_r:initrc_t:s0 2024 ? Ssl 0:00 /usr/sbin/stunnel /etc/stunnel/stunnel.conf

Additional info:
I tried to create an SELinux module for stunnel to force the type transition, but every time I try to load the module I get an error message:
libsepol.scope_copy_callback: stunnel: Duplicate declaration in module: bool stunnel_disable_trans
libsemanage.semanage_link_sandbox: Link packages failed
smodule: Failed!
RHEL5 has the following:

ifdef(`distro_gentoo',`
	init_daemon_domain(stunnel_t,stunnel_exec_t)
',`
	inetd_tcp_service_domain(stunnel_t,stunnel_exec_t)
')

Meaning in Red Hat we expect you to run stunnel as an xinetd daemon.
policy_module(mystunnel, 1.0)

# Types, attributes and roles already defined by the base policy; a module
# may only reference them through a require block (gen_require, not
# gen_requires, and an attribute is required with "attribute", not
# "typeattribute").
gen_require(`
	type stunnel_t;
	type stunnel_exec_t;
	type initrc_t;
	attribute daemon;
	role system_r;
')

# Make stunnel_t an ordinary daemon domain entered from initrc_t, i.e. what
# init_daemon_domain() would have done for it in a non-Red Hat build.
typeattribute stunnel_t daemon;
domain_type(stunnel_t)
domain_entry_file(stunnel_t, stunnel_exec_t)
role system_r types stunnel_t;

init_dontaudit_use_fds(stunnel_t)
term_dontaudit_use_console(stunnel_t)
init_use_script_ptys(stunnel_t)

# The transition itself: initrc_t executing a stunnel_exec_t file ends up
# in stunnel_t.
domain_auto_trans(initrc_t, stunnel_exec_t, stunnel_t)

# Plumbing between the init script and the new domain.
allow initrc_t stunnel_t:fd use;
allow stunnel_t initrc_t:fd use;
allow stunnel_t initrc_t:fifo_file rw_file_perms;
allow stunnel_t initrc_t:process sigchld;
allow initrc_t stunnel_t:process { siginh };
dontaudit initrc_t stunnel_t:process { noatsecure rlimitinh };
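As an added check script (my own, not from this report or the stunnel package), this verifies after loading a transition module that the three things the report looked at line up: the entry point is labelled stunnel_exec_t, the two stunnel booleans are set, and the init-started process actually runs in stunnel_t rather than initrc_t. Function names and exit codes are my own choice; the live mode uses the same ps/ls/getsebool commands shown in the report.

```sh
#!/bin/sh
# Post-install check: is the init-started stunnel really confined in stunnel_t?
# Helper names (ctx_type, check_stunnel_transition, live_check) are mine.

# Pull the type (third field) out of a user:role:type:level context string.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Verdict on the transition. Args: process context, context of /usr/sbin/stunnel,
# value of stunnel_is_daemon, value of stunnel_disable_trans.
# Exit codes: 0 ok, 1 stayed in initrc_t, 2 bad file label, 3 bad boolean,
# 4 some other unexpected domain.
check_stunnel_transition() {
    ptype=$(ctx_type "$1")
    ftype=$(ctx_type "$2")
    if [ "$ftype" != "stunnel_exec_t" ]; then
        echo "entry point labelled $ftype, not stunnel_exec_t: run restorecon -v /usr/sbin/stunnel"
        return 2
    fi
    if [ "$3" != "on" ] || [ "$4" != "off" ]; then
        echo "booleans: stunnel_is_daemon=$3 stunnel_disable_trans=$4 (want on/off)"
        return 3
    fi
    case "$ptype" in
        stunnel_t) echo "ok: stunnel runs in stunnel_t"; return 0 ;;
        initrc_t)  echo "no transition: no initrc_t -> stunnel_exec_t -> stunnel_t rule loaded"; return 1 ;;
        *)         echo "unexpected domain: $ptype"; return 4 ;;
    esac
}

# Gather the inputs from a live SELinux host (same commands as in the report).
live_check() {
    pctx=$(ps axZ | awk '$6 == "/usr/sbin/stunnel" { print $1; exit }')
    fctx=$(ls -Z /usr/sbin/stunnel | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /:object_r:/) print $i }')
    bdaemon=$(getsebool stunnel_is_daemon | awk '{ print $3 }')
    bdisable=$(getsebool stunnel_disable_trans | awk '{ print $3 }')
    check_stunnel_transition "$pctx" "$fctx" "$bdaemon" "$bdisable"
}

# Only touch the live system when asked for: sh check_stunnel.sh --live
if [ "${1:-}" = "--live" ]; then live_check; fi
```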