stunnel_selinux(8)          SELinux Policy stunnel          stunnel_selinux(8)

NAME

       stunnel_selinux - Security Enhanced Linux Policy for the stunnel processes

DESCRIPTION

       Security-Enhanced Linux secures the stunnel processes via flexible
       mandatory access control.

       The stunnel processes execute with the stunnel_t SELinux type. You can
       check if you have these processes running by executing the ps command
       with the -Z qualifier.

       For example:

       ps -eZ | grep stunnel_t


ENTRYPOINTS

       The stunnel_t SELinux type can be entered via the stunnel_exec_t file
       type.

       The default entrypoint paths for the stunnel_t domain are the following:

       /usr/bin/stunnel, /usr/sbin/stunnel


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       stunnel policy is very flexible, allowing users to set up their stunnel
       processes in as secure a method as possible.

       The following process types are defined for stunnel:

       stunnel_t

       Note: semanage permissive -a stunnel_t can be used to make the process
       type stunnel_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denials) messages are still
       generated.

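       The following shell script is an added example and is not part of the
       generated manual page. It lists the processes running in a domain by
       matching the type field of the ps -eZ context (rather than grepping
       whole lines, which also matches the grep command itself) and summarises
       the AVC records raised by that domain, showing the permissive=1 flag
       that marks a denial which was logged but not enforced after semanage
       permissive -a stunnel_t. The ps and audit lines it parses are
       constructed samples; on a real system feed it the output of ps -eZ and
       ausearch -m AVC.

```shell
#!/bin/sh
# Added example (not from the generated stunnel_selinux man page).
# Assumes POSIX awk and the column layout of `ps -eZ` and kernel AVC records.

# Constructed sample of `ps -eZ` output (replace with the real command).
SAMPLE_PS='LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0         1 ?        00:00:03 systemd
system_u:system_r:stunnel_t:s0    812 ?        00:00:00 stunnel
system_u:system_r:stunnel_t:s0    813 ?        00:00:00 stunnel
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2190 pts/0 00:00:00 grep stunnel_t'

# Print the PIDs whose SELinux type (third field of user:role:type:range) is $1.
# Matching the type field avoids hits on command lines that merely mention it,
# such as the grep process in the sample above.
pids_in_domain() {
    awk -v want="$1" 'NR > 1 {
        split($1, ctx, ":")
        if (ctx[3] == want) print $2
    }'
}

# Constructed sample of AVC audit records; real ones come from
# `ausearch -m AVC -ts recent` or /var/log/audit/audit.log.
SAMPLE_AUDIT='type=AVC msg=audit(1588675200.101:301): avc:  denied  { name_connect } for  pid=812 comm="stunnel" dest=8080 scontext=system_u:system_r:stunnel_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1588675201.233:302): avc:  denied  { read } for  pid=812 comm="stunnel" name="extra.pem" scontext=system_u:system_r:stunnel_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1588675202.500:303): avc:  denied  { write } for  pid=2201 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0'

# One line per denial raised by source domain $1: permission, target class and
# whether the kernel enforced it. permissive=1 means the access went through
# and was only logged, which is exactly what a permissive domain produces.
avc_summary() {
    awk -v want="$1" '
        $0 ~ ("scontext=[^ ]*:" want ":") {
            perm = $0; sub(/.*denied +[{] /, "", perm); sub(/ [}].*/, "", perm)
            cls = $0;  sub(/.*tclass=/, "", cls);       sub(/ .*/, "", cls)
            mode = ($0 ~ /permissive=1/) ? "logged-only" : "enforced"
            print perm, cls, mode
        }'
}

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_PS" | pids_in_domain stunnel_t
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary stunnel_t
```

       Reviewing the avc_summary output while stunnel_t is permissive gives the
       full list of accesses the policy would block once the domain is made
       enforcing again, which is the point of running it permissive in the
       first place.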

BOOLEANS

       SELinux policy is customizable based on least access required. stunnel
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run stunnel with the tightest access possible.

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1


PORT TYPES

       SELinux defines port types to represent TCP and UDP ports.

       You can see the types associated with a port by using the following
       command:

       semanage port -l

       Policy governs the access confined processes have to these ports.
       SELinux stunnel policy is very flexible, allowing users to set up their
       stunnel processes in as secure a method as possible.

       The following port types are defined for stunnel:

       stunnel_port_t

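       The following shell script is an added example and is not part of the
       generated manual page. It resolves which port type covers a given
       protocol and port from semanage port -l output, including the low-high
       ranges that listing uses, and wraps the semanage port command that
       assigns a port to stunnel_port_t. The listing it parses is a
       constructed sample whose port assignments are illustrative, not the
       distribution's policy; on a real system pipe in semanage port -l.

```shell
#!/bin/sh
# Added example (not from the generated stunnel_selinux man page).
# Assumes the column layout of `semanage port -l`: type, protocol, then a
# comma-separated list of ports and low-high ranges.

# Constructed sample of `semanage port -l` output; the port assignments are
# illustrative only.
SAMPLE_PORTS='SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
stunnel_port_t                 tcp      4433
unreserved_port_t              tcp      1024-32767, 61001-65535'

# Print the port type(s) covering protocol $1 and port $2. A port listed
# individually wins over a range that also contains it, so a port that is both
# in http_port_t and inside the unreserved_port_t range reports http_port_t.
port_type() {
    awk -v proto="$1" -v port="$2" '
        BEGIN { p = port + 0 }
        $2 == proto && NF >= 3 {
            rest = $0; sub(/^[^ ]+ +[^ ]+ +/, "", rest)
            n = split(rest, list, /, */)
            for (i = 1; i <= n; i++) {
                if (split(list[i], r, "-") == 2) {
                    if (p >= r[1] + 0 && p <= r[2] + 0) ranged = ranged $1 "\n"
                } else if (list[i] + 0 == p) {
                    exact = exact $1 "\n"
                }
            }
        }
        END { printf "%s", (exact != "" ? exact : ranged) }'
}

# Assign a port to stunnel_port_t so the policy rules written for that type
# apply to it. Requires root and SELinux; this is the man page's semanage port
# command and is not run here. If the port is already listed individually
# under another type, semanage port -m (modify) is needed instead of -a.
label_stunnel_port() {
    semanage port -a -t stunnel_port_t -p "$1" "$2"
}

# Demonstration on the constructed sample.
for port in 4433 8443 20000; do
    printf 'tcp/%s -> %s\n' "$port" "$(printf '%s\n' "$SAMPLE_PORTS" | port_type tcp "$port")"
done
```

       Checking the type before starting stunnel on a new port explains the
       most common failure: a confined stunnel_t cannot bind to a port whose
       type the policy does not allow, and the AVC record names that port
       type as the target context.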
       MANAGED FILES

              The SELinux process type stunnel_t can manage files labeled with
              the following file types. The paths listed are the default
              paths for these file types. Note that the process's UID still
              needs to have DAC permissions.

              cluster_conf_t

                   /etc/cluster(/.*)?

              cluster_var_lib_t

                   /var/lib/pcsd(/.*)?
                   /var/lib/cluster(/.*)?
                   /var/lib/openais(/.*)?
                   /var/lib/pengine(/.*)?
                   /var/lib/corosync(/.*)?
                   /usr/lib/heartbeat(/.*)?
                   /var/lib/heartbeat(/.*)?
                   /var/lib/pacemaker(/.*)?

              cluster_var_run_t

                   /var/run/crm(/.*)?
                   /var/run/cman_.*
                   /var/run/rsctmp(/.*)?
                   /var/run/aisexec.*
                   /var/run/heartbeat(/.*)?
                   /var/run/corosync-qnetd(/.*)?
                   /var/run/corosync-qdevice(/.*)?
                   /var/run/corosync.pid
                   /var/run/cpglockd.pid
                   /var/run/rgmanager.pid
                   /var/run/cluster/rgmanager.sk

              root_t

                   /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
                   /
                   /initrd

              stunnel_log_t

                   /var/log/stunnel.*

              stunnel_var_run_t

                   /var/run/stunnel(/.*)?


FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux stunnel policy is very flexible, allowing users to set up their
       stunnel processes in as secure a method as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for stunnel. If you want to
       store files with these types in different paths, you need to execute
       the semanage command to specify alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t stunnel_var_run_t '/srv/mystunnel_content(/.*)?'
       restorecon -R -v /srv/mystunnel_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

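       The following shell script is an added example and is not part of the
       generated manual page. It builds the fcontext pattern for a directory
       (escaping any regex metacharacters in the literal path before appending
       the (/.*)? suffix the page uses), wraps the semanage fcontext and
       restorecon steps, and then checks a context listing for entries that
       did not receive the expected type. The listing it checks is a
       constructed sample; the GNU coreutils ls -Z column order (context, then
       name) and PCRE-style fcontext regex syntax are assumptions.

```shell
#!/bin/sh
# Added example (not from the generated stunnel_selinux man page).
# Wraps the page's semanage fcontext + restorecon procedure and adds a check
# that the labels actually landed. Assumes GNU coreutils `ls -Z` output
# (context first, then the name) and PCRE-style regex syntax in fcontext rules.

# Build the fcontext pattern for a directory: escape regex metacharacters in
# the literal path (a "+" or "." in a directory name would otherwise be read
# as an operator) and append (/.*)? so the directory and its contents match.
fcontext_pattern() {
    dir="${1%/}"
    escaped=$(printf '%s\n' "$dir" | sed 's/[]\\$.*^+?(){}|[]/\\&/g')
    printf '%s(/.*)?\n' "$escaped"
}

# Third field of a full context, e.g. stunnel_var_run_t from
# system_u:object_r:stunnel_var_run_t:s0.
context_type() {
    printf '%s\n' "$1" | awk -F: '{ print $3 }'
}

# Register the mapping permanently and apply it on disk. Requires root and
# SELinux; this is the man page's two-command procedure with the computed
# pattern. chcon alone would be lost on the next relabel.
relabel_dir() {
    semanage fcontext -a -t "$1" "$(fcontext_pattern "$2")" || return 1
    restorecon -R -v "$2"
}

# Read "context path" lines (as printed by `find DIR -exec ls -Zd {} +`) and
# report every entry whose type is not $1. Exit status 1 if any were found.
mislabeled() {
    awk -v want="$1" '{
        split($1, ctx, ":")
        path = substr($0, length($1) + 2)
        if (ctx[3] != want) { n++; print path " (" ctx[3] ")" }
    }
    END { exit (n > 0) }'
}

# Constructed sample listing: one stale file kept its old var_t label.
SAMPLE_LISTING='system_u:object_r:stunnel_var_run_t:s0 /srv/mystunnel_content
system_u:object_r:stunnel_var_run_t:s0 /srv/mystunnel_content/sock
unconfined_u:object_r:var_t:s0 /srv/mystunnel_content/stale.pid'

# Demonstration on the constructed sample; on a real host run
#   relabel_dir stunnel_var_run_t /srv/mystunnel_content
#   find /srv/mystunnel_content -exec ls -Zd {} + | mislabeled stunnel_var_run_t
fcontext_pattern /srv/mystunnel_content
printf '%s\n' "$SAMPLE_LISTING" | mislabeled stunnel_var_run_t || echo "relabel incomplete"
```

       The verification step matters because restorecon only rewrites labels
       that differ from the database; a path that matches a more specific
       existing rule keeps that rule's type, and mislabeled reports exactly
       those entries so the fcontext rule can be corrected before stunnel is
       started against the directory.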
       The following file types are defined for stunnel:

       stunnel_etc_t

       - Set files with the stunnel_etc_t type, if you want to store stunnel
       files in the /etc directories.

       stunnel_exec_t

       - Set files with the stunnel_exec_t type, if you want to transition an
       executable to the stunnel_t domain.

       Paths:
            /usr/bin/stunnel, /usr/sbin/stunnel

       stunnel_log_t

       - Set files with the stunnel_log_t type, if you want to treat the data
       as stunnel log data, usually stored under the /var/log directory.

       stunnel_tmp_t

       - Set files with the stunnel_tmp_t type, if you want to store stunnel
       temporary files in the /tmp directories.

       stunnel_var_run_t

       - Set files with the stunnel_var_run_t type, if you want to store the
       stunnel files under the /run or /var/run directory.

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.


COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage port can also be used to manipulate the port definitions.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), stunnel(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8)

stunnel                            20-05-05                 stunnel_selinux(8)