* gentoo policy for stunnel
From: petre rodan @ 2004-11-15 16:09 UTC
To: selinux
Hi,
attached you'll find the policy we use for stunnel [1]
[1] http://www.stunnel.org
Stunnel is a program that allows you to encrypt arbitrary TCP connections inside SSL (Secure Sockets Layer) available on both Unix and Windows. Stunnel can allow you to secure non-SSL aware daemons and protocols (like POP, IMAP, LDAP, etc) by having Stunnel provide the encryption, requiring no
changes to the daemon's code.
bye,
peter
--
petre rodan
<kaiowas@gentoo.org>
Developer,
Hardened Gentoo Linux
[-- Attachment #1.2: stunnel.fc --]
/usr/sbin/stunnel -- system_u:object_r:stunnel_exec_t
/etc/stunnel(/.*)? system_u:object_r:stunnel_etc_t
/var/run/stunnel(/.*)? system_u:object_r:stunnel_var_run_t
[-- Attachment #1.3: stunnel.te --]
# DESC: selinux policy for stunnel
#
# Author: petre rodan <kaiowas@gentoo.org>
#
# type for the port(s) stunnel listens on; a portcon line in net_contexts assigns it
type stunnel_port_t, port_type;
# declares stunnel_t, stunnel_exec_t and stunnel_var_run_t with the standard daemon rules
daemon_domain(stunnel, `, privlog')
can_network(stunnel_t)
# configuration files under /etc/stunnel
type stunnel_etc_t, file_type, sysadmfile;
# needed to drop privileges and chroot as configured
allow stunnel_t self:capability { setgid setuid sys_chroot };
allow stunnel_t self:fifo_file { read write };
allow stunnel_t self:tcp_socket { read write };
allow stunnel_t self:unix_stream_socket { connect create };
# allow binding to ports labelled stunnel_port_t
allow stunnel_t stunnel_port_t:tcp_socket { name_bind };
# read-only access to its own config and to generic /etc files
r_dir_file(stunnel_t, stunnel_etc_t)
r_dir_file(stunnel_t, etc_t)
* Re: gentoo policy for stunnel
From: Thomas Bleher @ 2004-11-16 8:28 UTC
To: petre rodan; +Cc: selinux
* petre rodan <kaiowas@gentoo.org> [2004-11-15 17:51]:
>
> Hi,
>
> attached you'll find the policy we use for stunnel [1]
>
>
> type stunnel_port_t, port_type;
Are there any default ports for stunnel? If yes, can you provide a patch
to net_contexts? If no, it would be nice to have a line like "to use
stunnel for IMAP, add the following line to net_contexts..." and so on.
Thomas
--
http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA D09E C562 2BAE B2F4 ABE7
* Re: gentoo policy for stunnel
From: petre rodan @ 2004-11-16 9:34 UTC
To: Thomas Bleher; +Cc: selinux
Hi,
Thomas Bleher wrote:
> * petre rodan <kaiowas@gentoo.org> [2004-11-15 17:51]:
[..]
>>type stunnel_port_t, port_type;
> Are there any default ports for stunnel? If yes, can you provide a patch
> to net_contexts? If no, it would be nice to have a line like "to use
> stunnel for IMAP, add the following line to net_contexts..." and so on.
as you have correctly guessed, there is no default port whatsoever for this daemon.
since it's up to the user to assign the label to his particular port, net_contexts might contain a
#ifdef(`stunnel.te', `portcon tcp xxxx system_u:object_r:stunnel_port_t')
bye,
peter
--
petre rodan
<kaiowas@gentoo.org>
Developer,
Hardened Gentoo Linux
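A consistency check over the attached stunnel.fc/stunnel.te and the net_contexts line discussed above, written here as an added example (not code from the thread or from the policy tree). It assumes the old example-policy convention that daemon_domain(name) declares name_t, name_exec_t and name_var_run_t, and uses tcp port 993 as a constructed stand-in for the "xxxx" in peter's portcon line.

```python
import re

# Constructed inline copies of the thread's stunnel.te and stunnel.fc, plus a
# net_contexts fragment in the form peter suggests (993 is an assumed value).
STUNNEL_TE = """\
type stunnel_port_t, port_type;
daemon_domain(stunnel, `, privlog')
can_network(stunnel_t)
type stunnel_etc_t, file_type, sysadmfile;
allow stunnel_t self:capability { setgid setuid sys_chroot };
allow stunnel_t self:fifo_file { read write };
allow stunnel_t self:tcp_socket { read write };
allow stunnel_t self:unix_stream_socket { connect create };
allow stunnel_t stunnel_port_t:tcp_socket { name_bind };
r_dir_file(stunnel_t, stunnel_etc_t)
r_dir_file(stunnel_t, etc_t)
"""
STUNNEL_FC = """\
/usr/sbin/stunnel -- system_u:object_r:stunnel_exec_t
/etc/stunnel(/.*)? system_u:object_r:stunnel_etc_t
/var/run/stunnel(/.*)? system_u:object_r:stunnel_var_run_t
"""
NET_CONTEXTS = "portcon tcp 993 system_u:object_r:stunnel_port_t\n"

def declared_types(te):
    """Explicit type declarations plus the types daemon_domain(name) is assumed to declare."""
    types = set(re.findall(r"^type\s+(\w+)", te, re.M))
    for name in re.findall(r"^daemon_domain\((\w+)", te, re.M):
        types |= {f"{name}_t", f"{name}_exec_t", f"{name}_var_run_t"}
    return types

def check_policy(te, fc, net_contexts):
    """Return the findings a policy reviewer would raise, as strings."""
    declared = declared_types(te)
    findings = []
    # every context in the .fc must name a type the .te (or a macro) declares
    for t in sorted(set(re.findall(r":object_r:(\w+)\s*$", fc, re.M)) - declared):
        findings.append(f"fc labels files with undeclared type {t}")
    # every source/target type in an allow rule must be declared
    for src, tgt in re.findall(r"^allow\s+(\w+)\s+(\w+):", te, re.M):
        for t in (src, tgt):
            if t != "self" and t not in declared:
                findings.append(f"allow rule uses undeclared type {t}")
    # a port_type with no portcon line labels no port, so name_bind on it is moot
    port_types = set(re.findall(r"^type\s+(\w+)\s*,\s*port_type", te, re.M))
    labelled = set(re.findall(r"^portcon\s+\w+\s+\S+\s+\S+:object_r:(\w+)", net_contexts, re.M))
    for t in sorted(port_types - labelled):
        findings.append(f"port type {t} has no portcon line in net_contexts")
    return findings
```

With the portcon line present the check is clean; with an empty net_contexts it reports exactly the gap Thomas asked about.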
* Re: gentoo policy for stunnel
From: James Carter @ 2004-11-18 20:05 UTC
To: petre rodan; +Cc: SELinux
Added.
I also removed the duplicate stunnel specification in inetd.fc.
By the way, the privlog attribute comes free of charge with the
daemon_core_rules macro (which is used by daemon_domain macro).
On Mon, 2004-11-15 at 11:09, petre rodan wrote:
> Hi,
>
> attached you'll find the policy we use for stunnel [1]
>
> [1] http://www.stunnel.org
> Stunnel is a program that allows you to encrypt arbitrary TCP connections inside SSL (Secure Sockets Layer) available on both Unix and Windows. Stunnel can allow you to secure non-SSL aware daemons and protocols (like POP, IMAP, LDAP, etc) by having Stunnel provide the encryption, requiring no
> changes to the daemon's code.
>
> bye,
> peter
--
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.