From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Sat, 8 Dec 2012 21:57:02 +0100 Subject: [refpolicy] [PATCH 11/11] Updates on stunnel policy In-Reply-To: <1355000222-7297-1-git-send-email-sven.vermeulen@siphos.be> References: <1355000222-7297-1-git-send-email-sven.vermeulen@siphos.be> Message-ID: <1355000222-7297-12-git-send-email-sven.vermeulen@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Allow the stunnel domain to bind on any port (its primary purpose is to provide encrypted tunnel services regardless of the underlying service). Allow the stunnel domain to read generic certs (be it for the mutual authentication, for which the CA certificate needs to be provided, or for its own certificates if placed in /etc/ssl). Signed-off-by: Sven Vermeulen --- stunnel.te | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diff --git a/stunnel.te b/stunnel.te index bdfee61..da05f13 100644 --- a/stunnel.te +++ b/stunnel.te @@ -53,6 +53,7 @@ corenet_all_recvfrom_netlabel(stunnel_t) corenet_tcp_sendrecv_generic_if(stunnel_t) corenet_tcp_sendrecv_generic_node(stunnel_t) corenet_tcp_sendrecv_all_ports(stunnel_t) +corenet_tcp_bind_all_ports(stunnel_t) corenet_tcp_bind_generic_node(stunnel_t) corenet_sendrecv_all_client_packets(stunnel_t) @@ -73,6 +74,7 @@ auth_use_nsswitch(stunnel_t) logging_send_syslog_msg(stunnel_t) +miscfiles_read_generic_certs(stunnel_t) miscfiles_read_localization(stunnel_t) userdom_dontaudit_use_unpriv_user_fds(stunnel_t) -- 1.7.8.6
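Review bot: `corenet_tcp_bind_all_ports(stunnel_t)` in the first hunk grants an unconditional bind on every port type, including ports reserved for other services, while the justification ("regardless of the underlying service") is a deployment choice made by the administrator; consider gating it behind a tunable boolean, or using the narrower `corenet_tcp_bind_all_unreserved_ports(stunnel_t)` where tunnelling only unprivileged ports is the common case. Also, the hunk shows nothing about the `net_bind_service` capability that binding a port below 1024 requires, so please confirm the existing stunnel_t rules already grant it or the new bind rule is only partly usable.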
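Review bot: the commit message justifies `miscfiles_read_generic_certs(stunnel_t)` in the second hunk partly with "its own certificates if placed in /etc/ssl"; since stunnel's own certificate is paired with its private key, and the generic cert label is readable by every domain that calls this interface, the message should make clear that only the CA and public certificates belong under the generic label while the private key stays in stunnel's own configuration directory under its own type. The interface itself is appropriate for the mutual-authentication CA case.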