SELinux and stunnel

W. Michael Petullo mike at flyn.org
Tue Jul 20 01:49:36 UTC 2004


I am using stunnel to create an encrypted tunnel for SMTP connections to
my ISP.  I have configured xinetd to execute stunnel appropriately when a
connection is made to localhost:465.  This has stopped working when using
recent strict policies.  I now see the following errors in my system logs:

Jul 19 20:42:16 imp kernel: audit(1090287736.954:0): avc:  denied  { execute } for  pid=6363 exe=/usr/sbin/xinetd name=stunnel dev=dm-0 ino=48915 scontext=root:system_r:inetd_t tcontext=system_u:object_r:sbin_t tclass=file
Jul 19 20:42:16 imp kernel: audit(1090287736.954:0): avc:  denied  { execute_no_trans } for  pid=6363 exe=/usr/sbin/xinetd path=/usr/sbin/stunnel dev=dm-0 ino=48915 scontext=root:system_r:inetd_t tcontext=system_u:object_r:sbin_t tclass=file
Jul 19 20:42:16 imp kernel: audit(1090287736.956:0): avc:  denied  { read } for  pid=6363 exe=/usr/sbin/xinetd path=/usr/sbin/stunnel dev=dm-0 ino=48915 scontext=root:system_r:inetd_t tcontext=system_u:object_r:sbin_t tclass=file
Jul 19 20:42:17 imp kernel: audit(1090287737.391:0): avc:  denied  { getattr } for  pid=6363 exe=/usr/sbin/stunnel path=/dev/urandom dev=dm-0 ino=272235 scontext=root:system_r:inetd_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Jul 19 20:42:17 imp kernel: audit(1090287737.395:0): avc:  denied  { read } for  pid=6363 exe=/usr/sbin/stunnel name=urandom dev=dm-0 ino=272235 scontext=root:system_r:inetd_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Jul 19 20:42:17 imp kernel: audit(1090287737.395:0): avc:  denied  { ioctl } for  pid=6363 exe=/usr/sbin/stunnel path=/dev/urandom dev=dm-0 ino=272235 scontext=root:system_r:inetd_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file

I am using:

selinux-policy-strict-sources-1.15.5-2
selinux-policy-strict-1.15.5-2
policycoreutils-1.15.1-1
checkpolicy-1.14.1-1
libselinux-devel-1.15.1-1
libselinux-1.15.1-1

Should I put this in bugzilla?

--
Mike
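The denials above have a shape worth reading carefully before filing anything: xinetd (inetd_t) is refused execute and execute_no_trans on /usr/sbin/stunnel, which is labelled as generic sbin_t, so there is no domain transition for it; the three /dev/urandom denials that follow come from the same pid 6363, now running stunnel but still in inetd_t. Simply allowing inetd_t those permissions would paper over the symptom and widen inetd_t's privileges. The script below is an added example, not part of Mike's post and not the policy tooling shipped with the packages he lists; it parses AVC records of this 2004 format into candidate allow rules in the way audit2allow-style tools do, and separately flags the denials that are fall-out from the missing transition. The sample log is the six records quoted in the post, rejoined onto one line each; the function names and rule formatting are this example's own choices.

```python
"""Turn kernel AVC denial records into candidate allow rules and spot
denials that are side effects of a missing domain transition.

Added example for the xinetd/stunnel thread; not the project's own code."""
import re
from collections import defaultdict

# Constructed sample: the six AVC records quoted in the post, one per line.
SAMPLE_LOG = """\
Jul 19 20:42:16 imp kernel: audit(1090287736.954:0): avc:  denied  { execute } for  pid=6363 exe=/usr/sbin/xinetd name=stunnel dev=dm-0 ino=48915 scontext=root:system_r:inetd_t tcontext=system_u:object_r:sbin_t tclass=file
Jul 19 20:42:16 imp kernel: audit(1090287736.954:0): avc:  denied  { execute_no_trans } for  pid=6363 exe=/usr/sbin/xinetd path=/usr/sbin/stunnel dev=dm-0 ino=48915 scontext=root:system_r:inetd_t tcontext=system_u:object_r:sbin_t tclass=file
Jul 19 20:42:16 imp kernel: audit(1090287736.956:0): avc:  denied  { read } for  pid=6363 exe=/usr/sbin/xinetd path=/usr/sbin/stunnel dev=dm-0 ino=48915 scontext=root:system_r:inetd_t tcontext=system_u:object_r:sbin_t tclass=file
Jul 19 20:42:17 imp kernel: audit(1090287737.391:0): avc:  denied  { getattr } for  pid=6363 exe=/usr/sbin/stunnel path=/dev/urandom dev=dm-0 ino=272235 scontext=root:system_r:inetd_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Jul 19 20:42:17 imp kernel: audit(1090287737.395:0): avc:  denied  { read } for  pid=6363 exe=/usr/sbin/stunnel name=urandom dev=dm-0 ino=272235 scontext=root:system_r:inetd_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Jul 19 20:42:17 imp kernel: audit(1090287737.395:0): avc:  denied  { ioctl } for  pid=6363 exe=/usr/sbin/stunnel path=/dev/urandom dev=dm-0 ino=272235 scontext=root:system_r:inetd_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
"""

# "avc:  denied  { perm perm } for  key=value key=value ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one kernel log line; return a record dict, or None if it is not an AVC message."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(KV_RE.findall(m.group("fields")))
    return {
        "result": m.group("result"),
        "perms": set(m.group("perms").split()),
        "pid": fields.get("pid"),
        "exe": fields.get("exe"),
        # Records of this era carry either path= (full path) or name= (basename).
        "target": fields.get("path") or fields.get("name"),
        "stype": type_of(fields["scontext"]),
        "ttype": type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def parse_log(text):
    """Parse every AVC record in a block of log text, skipping unrelated lines."""
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r is not None]


def allow_rules(records):
    """Collapse denials into one 'allow src tgt:class { perms };' line per (src, tgt, class)."""
    perms = defaultdict(set)
    for r in records:
        if r["result"] == "denied":
            perms[(r["stype"], r["ttype"], r["tclass"])] |= r["perms"]
    return [
        "allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
        for (s, t, c), p in sorted(perms.items())
    ]


def inherited_domain_denials(records):
    """Return denials caused by a child inheriting its parent's domain.

    A denied execute_no_trans on a file means the policy has no domain
    transition for that (domain, program) pair.  Later denials from the same
    pid whose exe= is that program were raised by the child still running in
    the parent's domain, so they should be fixed by labelling the program and
    adding a transition, not by granting the parent domain those permissions.
    """
    launched = {}  # pid -> program executed without a domain transition
    fallout = []
    for r in records:
        if "execute_no_trans" in r["perms"] and r["tclass"] == "file":
            launched[r["pid"]] = r["target"]
        elif r["pid"] in launched and r["exe"] == launched[r["pid"]]:
            fallout.append(r)
    return fallout


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("Candidate rules (review before use):")
    for rule in allow_rules(recs):
        print("  " + rule)
    print("Denials that stem from a missing domain transition:")
    for r in inherited_domain_denials(recs):
        print("  pid %s %s %s on %s" % (r["pid"], r["exe"], " ".join(sorted(r["perms"])), r["target"]))
```

Run against the sample, the script produces two candidate rules (inetd_t on sbin_t:file and on urandom_device_t:chr_file) and flags all three urandom denials as inherited-domain fall-out, which is the signal that the second rule is the wrong fix.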



