From: dominick.grift@gmail.com (grift) Date: Sun, 09 Dec 2012 15:04:06 +0100 Subject: [refpolicy] [PATCH 11/11] Updates on stunnel policy In-Reply-To: <1355000222-7297-12-git-send-email-sven.vermeulen@siphos.be> References: <1355000222-7297-1-git-send-email-sven.vermeulen@siphos.be> <1355000222-7297-12-git-send-email-sven.vermeulen@siphos.be> Message-ID: <1355061846.1797.76.camel@localhost> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Sat, 2012-12-08 at 21:57 +0100, Sven Vermeulen wrote: > Allow the stunnel domain to bind on any port (its primary purpose is to provide > encrypted tunnel services regardless of the underlying service). > > Allow the stunnel domain to read generic certs (be it for the mutual > authentication, for which the CA certificate needs to be provided, or for its > own certificates if placed in /etc/ssl). This was merged, thanks > Signed-off-by: Sven Vermeulen > --- > stunnel.te | 2 ++ > 1 files changed, 2 insertions(+), 0 deletions(-) > > diff --git a/stunnel.te b/stunnel.te > index bdfee61..da05f13 100644 > --- a/stunnel.te > +++ b/stunnel.te > @@ -53,6 +53,7 @@ corenet_all_recvfrom_netlabel(stunnel_t) > corenet_tcp_sendrecv_generic_if(stunnel_t) > corenet_tcp_sendrecv_generic_node(stunnel_t) > corenet_tcp_sendrecv_all_ports(stunnel_t) > +corenet_tcp_bind_all_ports(stunnel_t) > corenet_tcp_bind_generic_node(stunnel_t) > > corenet_sendrecv_all_client_packets(stunnel_t) > @@ -73,6 +74,7 @@ auth_use_nsswitch(stunnel_t) > > logging_send_syslog_msg(stunnel_t) > > +miscfiles_read_generic_certs(stunnel_t) > miscfiles_read_localization(stunnel_t) > > userdom_dontaudit_use_unpriv_user_fds(stunnel_t)
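Review bot: The added `corenet_tcp_bind_all_ports(stunnel_t)` in the first hunk (`@@ -53,6 +53,7 @@`) is unconditional, so a compromised stunnel process could bind to ports labelled for any other service, not only the ones an administrator configured tunnels for. Consider wrapping the call in a tunable so that sites running stunnel on a fixed set of ports can leave it off. At minimum, add a comment in stunnel.te recording the rationale from the commit message (tunnels are provided regardless of the underlying service). If binding to reserved ports is intended, it is also worth confirming that stunnel_t holds the net_bind_service capability, which is not visible in this hunk.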
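Review bot: The added `miscfiles_read_generic_certs(stunnel_t)` in the second hunk (`@@ -73,6 +74,7 @@`) has no comment in the policy explaining why it is needed. The commit message gives two reasons (the CA certificate for mutual authentication, and stunnel's own certificates placed in /etc/ssl). A one-line comment above the call would keep that rationale with the rule. Note also that this gives stunnel_t read access to every file carrying the generic cert type, not only stunnel's own material, so any private keys stored under that label become readable by the domain. Read-only access is the right scope here, but the breadth is worth stating in the comment.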