# DESC: selinux policy for stunnel
#
# Author: petre rodan
#
# Type enforcement rules for the stunnel_t domain. The m4 ifdef below picks
# one of two rule sets: a standalone-daemon set when distro_gentoo is defined
# and an inetd-child set otherwise. The declarations after the ifdef apply to
# both variants.
# The macros daemon_domain, can_network, inetd_child_domain and r_dir_file are
# defined outside this file, so the permissions they expand to cannot be
# audited from here.

ifdef(`distro_gentoo', `

# Standalone daemon variant.
daemon_domain(stunnel)

can_network(stunnel_t)
# NOTE(review): port_type looks like the attribute shared by every port type.
# If so this rule permits outbound TCP connections to any labelled port.
# Presumably needed because the tunnel target is set in the stunnel
# configuration - confirm whether a narrower set of port types would do.
allow stunnel_t port_type:tcp_socket name_connect;

# setgid and setuid permit changing group and user identity and sys_chroot
# permits chroot. All three are granted to the domain itself.
allow stunnel_t self:capability { setgid setuid sys_chroot };
allow stunnel_t self:fifo_file { read write };
allow stunnel_t self:tcp_socket { read write };
allow stunnel_t self:unix_stream_socket { connect create };

# presumably read-only access to directories and files labelled etc_t - verify
# against the r_dir_file macro definition
r_dir_file(stunnel_t, etc_t)

', `

# Default variant: stunnel started as an inetd child for a tcp service.
inetd_child_domain(stunnel, tcp)
# Only sys_chroot is granted here. setuid and setgid are not.
allow stunnel_t self:capability sys_chroot;

# Conditional boolean with a default of false. The rules in the if block are
# active only while the boolean is set to true.
bool stunnel_is_daemon false;

if (stunnel_is_daemon) {
# Policy to run stunnel as a daemon should go here.
allow stunnel_t self:tcp_socket rw_stream_socket_perms;
allow stunnel_t stunnel_port_t:tcp_socket name_bind;
}

')

# Label for stunnel configuration files. The sysadmfile attribute presumably
# lets the administrator domain manage these files - TODO confirm.
type stunnel_etc_t, file_type, sysadmfile;
# presumably read-only access for stunnel_t to files labelled stunnel_etc_t
r_dir_file(stunnel_t, stunnel_etc_t)

# NOTE(review): this rule is unconditional, so stunnel_t may bind sockets to
# stunnel_port_t ports in both variants regardless of stunnel_is_daemon. In the
# inetd-child variant the name_bind rule inside the if block is therefore
# redundant and the boolean only gates the self:tcp_socket rule. If the
# inetd-child case is meant to run without bind permission, this rule would
# need to live in the daemon variant only - confirm intent before changing.
# stunnel_port_t is not declared in this file. It is presumably declared by
# inetd_child_domain or elsewhere in the policy - verify for the daemon variant.
allow stunnel_t stunnel_port_t:tcp_socket { name_bind };