
Bug 446448

Summary: stunnel init script fails to start with SELinux enforcing
Product: Gentoo Linux
Reporter: Sven Vermeulen (RETIRED) <swift>
Component: SELinux
Assignee: Sven Vermeulen (RETIRED) <swift>
Status: VERIFIED FIXED
Severity: normal
CC: selinux
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: sec-policy r9
Package list:
Runtime testing required: ---

Description Sven Vermeulen (RETIRED) gentoo-dev 2012-12-08 10:10:11 UTC
The stunnel init script needs read access on the stunnel configuration files:

"""
 # run_init rc-service stunnel restart
Authenticating root.
 * Stopping stunnel ...
grep: /etc/stunnel/stunnel.conf: Permission denied
grep: /etc/stunnel/stunnel.conf: Permission denied                                                                                                         [ ok ]
 * Starting stunnel ...
grep: /etc/stunnel/stunnel.conf: Permission denied
grep: /etc/stunnel/stunnel.conf: Permission denied
grep: /etc/stunnel/stunnel.conf: Permission denied
grep: /etc/stunnel/stunnel.conf: Permission denied
No limit detected for the number of clients
signal_pipe: FD=3 allocated (non-blocking mode)
signal_pipe: FD=4 allocated (non-blocking mode)
stunnel 4.44 on x86_64-pc-linux-gnu platform
Compiled/running with OpenSSL 1.0.0j 10 May 2012
Threading:PTHREAD SSL:ENGINE Auth:LIBWRAP Sockets:POLL,IPv6
Reading configuration from file /etc/stunnel/stunnel.conf
PRNG seeded successfully
Initializing SSL context for service ssmtp
/etc/ssl/services/server.key: Permission denied (13)
str_stats: 51 block(s), 4289 data byte(s), 2550 control byte(s)                                           
"""

Denials:
"""
Dec  8 11:03:22 testsys kernel: [ 2710.916659] type=1400 audit(1354961002.699:183): avc:  denied  { read } for  pid=4632 comm="grep" name="stunnel.conf" dev="dm-2" ino=394168 scontext=system_u:system_r:initrc_t tcontext=root:object_r:stunnel_etc_t tclass=file
"""

Reproducible: Always
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2012-12-08 10:42:31 UTC
Also a denial for accessing the certificate(s) and keys:

"""
Dec  8 11:22:24 testsys kernel: [ 3852.644409] type=1400 audit(1354962144.426:210): avc:  denied  { search } for  pid=16146 comm="stunnel" name="services" dev="dm-2" ino=394153 scontext=system_u:system_r:stunnel_t tcontext=root:object_r:cert_t tclass=dir
"""
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2012-12-17 18:55:15 UTC
r9 in hardened-dev overlay
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2012-12-21 20:52:30 UTC
r9 in main repo, ~arch'ed
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2013-01-19 21:17:27 UTC
Forgot to mention... stabilized a while ago ;)