Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 446448 - stunnel init script fails to start with SELinux enforcing
Summary: stunnel init script fails to start with SELinux enforcing
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Sven Vermeulen (RETIRED)
Whiteboard: sec-policy r9
Depends on:
Reported: 2012-12-08 10:10 UTC by Sven Vermeulen (RETIRED)
Modified: 2013-01-19 21:17 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Sven Vermeulen (RETIRED) gentoo-dev 2012-12-08 10:10:11 UTC
Stunnel init scripts needs read access on the stunnel configuration files:

 # run_init rc-service stunnel restart
Authenticating root.
 * Stopping stunnel ...
grep: /etc/stunnel/stunnel.conf: Permission denied
grep: /etc/stunnel/stunnel.conf: Permission denied                                                                                                         [ ok ]
 * Starting stunnel ...
grep: /etc/stunnel/stunnel.conf: Permission denied
grep: /etc/stunnel/stunnel.conf: Permission denied
grep: /etc/stunnel/stunnel.conf: Permission denied
grep: /etc/stunnel/stunnel.conf: Permission denied
No limit detected for the number of clients
signal_pipe: FD=3 allocated (non-blocking mode)
signal_pipe: FD=4 allocated (non-blocking mode)
stunnel 4.44 on x86_64-pc-linux-gnu platform
Compiled/running with OpenSSL 1.0.0j 10 May 2012
Reading configuration from file /etc/stunnel/stunnel.conf
PRNG seeded successfully
Initializing SSL context for service ssmtp
/etc/ssl/services/server.key: Permission denied (13)
str_stats: 51 block(s), 4289 data byte(s), 2550 control byte(s)                                           

Dec  8 11:03:22 testsys kernel: [ 2710.916659] type=1400 audit(1354961002.699:183): avc:  denied  { read } for  pid=4632 comm="grep" name="stunnel.conf" dev="dm-2" ino=394168 scontext=system_u:system_r:initrc_t tcontext=root:object_r:stunnel_etc_t tclass=file

Reproducible: Always
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2012-12-08 10:42:31 UTC
Also denial for accessing the certificate(s) and keys:

Dec  8 11:22:24 testsys kernel: [ 3852.644409] type=1400 audit(1354962144.426:210): avc:  denied  { search } for  pid=16146 comm="stunnel" name="services" dev="dm-2" ino=394153 scontext=system_u:system_r:stunnel_t tcontext=root:object_r:cert_t tclass=dir
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2012-12-17 18:55:15 UTC
r9 in hardened-dev overlay
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2012-12-21 20:52:30 UTC
r9 in main repo, ~arch'ed
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2013-01-19 21:17:27 UTC
Forgot to mention... stabilized a while ago ;)