# DESC: selinux policy for stunnel

#

# Author:   petre rodan <kaiowas@gentoo.org>

#

ifdef(`distro_gentoo', `

daemon_domain(stunnel)

can_network(stunnel_t)

allow stunnel_t port_type:tcp_socket name_connect;

allow stunnel_t self:capability { setgid setuid sys_chroot };

allow stunnel_t self:fifo_file { read write };

allow stunnel_t self:tcp_socket { read write };

allow stunnel_t self:unix_stream_socket { connect create };

r_dir_file(stunnel_t, etc_t)

', `

inetd_child_domain(stunnel, tcp)

allow stunnel_t self:capability sys_chroot;

bool stunnel_is_daemon false;

if (stunnel_is_daemon) {

# Policy to run stunnel as a daemon should go here.

allow stunnel_t self:tcp_socket rw_stream_socket_perms;

allow stunnel_t stunnel_port_t:tcp_socket name_bind;

}

')

type stunnel_etc_t, file_type, sysadmfile;

r_dir_file(stunnel_t, stunnel_etc_t)

allow stunnel_t stunnel_port_t:tcp_socket { name_bind };