stunnel_selinux(8)          SELinux Policy stunnel          stunnel_selinux(8)



NAME

       stunnel_selinux - Security Enhanced Linux Policy for the stunnel processes


DESCRIPTION

       Security-Enhanced Linux secures the stunnel processes via flexible
       mandatory access control.

       The stunnel processes execute with the stunnel_t SELinux type. You can
       check if you have these processes running by executing the ps command
       with the -Z qualifier.

       For example:

       ps -eZ | grep stunnel_t



ENTRYPOINTS

       The stunnel_t SELinux type can be entered via the stunnel_exec_t file
       type.

       The default entrypoint paths for the stunnel_t domain are the
       following:

       /usr/bin/stunnel, /usr/sbin/stunnel


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       stunnel policy is very flexible, allowing users to set up their stunnel
       processes as securely as possible.

       The following process types are defined for stunnel:

       stunnel_t

       Note: semanage permissive -a stunnel_t can be used to make the process
       type stunnel_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denials) messages are still
       generated.



BOOLEANS

       SELinux policy is customizable to grant the least access required.
       stunnel policy is extremely flexible and has several booleans that
       allow you to manipulate the policy and run stunnel with the tightest
       access possible.

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1



PORT TYPES

       SELinux defines port types to represent TCP and UDP ports.

       You can see the types associated with a port by using the following
       command:

       semanage port -l

       Policy governs the access confined processes have to these ports.
       SELinux stunnel policy is very flexible, allowing users to set up their
       stunnel processes as securely as possible.

       The following port types are defined for stunnel:

       stunnel_port_t


       MANAGED FILES

              The SELinux process type stunnel_t can manage files labeled with
              the following file types. The paths listed are the default
              paths for these file types. Note the process's UID still needs
              to have DAC permissions.

              cluster_conf_t

                   /etc/cluster(/.*)?

              cluster_var_lib_t

                   /var/lib/pcsd(/.*)?
                   /var/lib/cluster(/.*)?
                   /var/lib/openais(/.*)?
                   /var/lib/pengine(/.*)?
                   /var/lib/corosync(/.*)?
                   /usr/lib/heartbeat(/.*)?
                   /var/lib/heartbeat(/.*)?
                   /var/lib/pacemaker(/.*)?

              cluster_var_run_t

                   /var/run/crm(/.*)?
                   /var/run/cman_.*
                   /var/run/rsctmp(/.*)?
                   /var/run/aisexec.*
                   /var/run/heartbeat(/.*)?
                   /var/run/pcsd-ruby.socket
                   /var/run/corosync-qnetd(/.*)?
                   /var/run/corosync-qdevice(/.*)?
                   /var/run/corosync.pid
                   /var/run/cpglockd.pid
                   /var/run/rgmanager.pid
                   /var/run/cluster/rgmanager.sk

              krb5_host_rcache_t

                   /var/tmp/krb5_0.rcache2
                   /var/cache/krb5rcache(/.*)?
                   /var/tmp/nfs_0
                   /var/tmp/DNS_25
                   /var/tmp/host_0
                   /var/tmp/imap_0
                   /var/tmp/HTTP_23
                   /var/tmp/HTTP_48
                   /var/tmp/ldap_55
                   /var/tmp/ldap_487
                   /var/tmp/ldapmap1_0

              root_t

                   /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
                   /
                   /initrd

              stunnel_log_t

                   /var/log/stunnel.*

              stunnel_tmp_t


              stunnel_var_run_t

                   /var/run/stunnel(/.*)?



FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux stunnel policy is very flexible, allowing users to set up their
       stunnel processes as securely as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for stunnel. If you want to
       store files with these types in different paths, you need to execute
       the semanage command to specify alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t stunnel_var_run_t '/srv/mystunnel_content(/.*)?'
       restorecon -R -v /srv/mystunnel_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for stunnel:

       stunnel_etc_t

       - Set files with the stunnel_etc_t type, if you want to store stunnel
       files in the /etc directories.

       stunnel_exec_t

       - Set files with the stunnel_exec_t type, if you want to transition an
       executable to the stunnel_t domain.

       Paths:
            /usr/bin/stunnel, /usr/sbin/stunnel

       stunnel_log_t

       - Set files with the stunnel_log_t type, if you want to treat the data
       as stunnel log data, usually stored under the /var/log directory.

       stunnel_tmp_t

       - Set files with the stunnel_tmp_t type, if you want to store stunnel
       temporary files in the /tmp directories.

       stunnel_var_run_t

       - Set files with the stunnel_var_run_t type, if you want to store the
       stunnel files under the /run or /var/run directory.

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.


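       The semanage fcontext / restorecon workflow above only helps once you know
       which stunnel paths have drifted from the type the policy expects. The
       following POSIX shell script is an added example, not part of this
       generated man page or of the stunnel policy: it encodes the default
       stunnel file-context patterns listed on this page (only the types that
       have default paths) and compares them with constructed ls -dZ output to
       report mislabeled paths. It assumes, as file_contexts does, that each
       pattern must match the whole path and that the last matching entry wins.

```shell
# Added example (not from the stunnel policy or sepolicy): compare on-disk
# labels with the default stunnel file-context patterns from this page so
# drift is visible before restorecon. Assumes anchored patterns, last match wins.
# "pattern type" table copied from the page (stunnel_etc_t/stunnel_tmp_t list none).
STUNNEL_FCONTEXTS='/usr/bin/stunnel stunnel_exec_t
/usr/sbin/stunnel stunnel_exec_t
/var/log/stunnel.* stunnel_log_t
/var/run/stunnel(/.*)? stunnel_var_run_t'

# expected_type PATH: print the type the table assigns to PATH, or nothing.
expected_type() {
    local path="$1" pattern type result=""
    while read -r pattern type; do
        [ -n "$pattern" ] || continue
        # file_contexts patterns match the whole path; the last match wins
        if printf '%s\n' "$path" | grep -Eq "^${pattern}\$"; then
            result=$type
        fi
    done <<EOF
$STUNNEL_FCONTEXTS
EOF
    printf '%s\n' "$result"
}

# find_drift "LINES": read "context path" lines as printed by `ls -dZ`, report
# each path whose type differs from the expected one, return 1 if any drifted.
find_drift() {
    local ctx path actual expected rc=0
    while read -r ctx path; do
        [ -n "$path" ] || continue
        actual=$(printf '%s\n' "$ctx" | cut -d: -f3)   # type is the 3rd field
        expected=$(expected_type "$path")
        [ -n "$expected" ] || continue                 # not a stunnel path
        if [ "$actual" != "$expected" ]; then
            printf '%s is %s, expected %s\n' "$path" "$actual" "$expected"
            rc=1
        fi
    done <<EOF
$1
EOF
    return $rc
}

# Constructed sample of `ls -dZ` output, not captured from a real host.
SAMPLE_LS_Z='system_u:object_r:stunnel_log_t:s0 /var/log/stunnel.log
unconfined_u:object_r:var_log_t:s0 /var/log/stunnel-extra.log
system_u:object_r:bin_t:s0 /usr/bin/stunnel
system_u:object_r:etc_t:s0 /etc/stunnel/stunnel.conf'
find_drift "$SAMPLE_LS_Z" || echo "relabel the paths above with: restorecon -R -v PATH"
```

       On a live host, feed the function real output, for example
       find_drift "$(ls -dZ /var/log/stunnel* /var/run/stunnel/* /usr/sbin/stunnel)".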

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage port can also be used to manipulate the port definitions.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.



AUTHOR

       This manual page was auto-generated using sepolicy manpage.



SEE ALSO

       selinux(8), stunnel(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8)



stunnel                            21-06-09                 stunnel_selinux(8)