stewartsmith
commented
10 months ago Now I'm trying to understand the code flow around here as well....
Looks like mount.efs can launch stunnel, but that then the watchdog can also do that, so you end up with a bit of a weird situation as to how the tunnel could be running (and indeed from the look of the code, two places that can set it up).
It's plausible there's a much simpler way to achieve the stunnel and watchdog functionality would be with a templated systemd service, along with the systemd watchdog functionality? Thus mount.efs could kick that off in the common case?
major
I maintain the efs-utils package in Fedora and I'm working to bring it into Red Hat Enterprise Linux. However, I would like to avoid running the watchdog daemon and stunnel process unconfined. Moving it into a confined SELinux context would be a security improvement.
However, when the watchdog spawns an stunnel process for an encrypted EFS mount, the stunnel process has no parent. This makes SELinux confinement difficult because a policy matching
stunnelwould end up confining other uses of stunnel on the system outside of EFS.Based on reading the comments in the watchdog, it makes sense that a watchdog process being a parent of the stunnel process could potentially be problematic, especially if the watchdog process is restarted. It would take down the stunnel process and bring it back up, which would disrupt the filesystem mount.
Are there any possibilities here of allowing the watchdog daemon to be the parent process of the stunnel processes it creates? This would make SELinux confinement a bit easier and would make it clear in the process list where these stunnel processes came from.
Thanks!