m (moved SELinux/FAQ/ProposedAddition Proposed additions to the FAQ to SELinux FAQ/ProposedAddition Proposed additions to the FAQ: Proper naming scheme) |
m (internal link cleaning) |
||
(4 intermediate revisions by 2 users not shown) | |||
Line 27: | Line 27: | ||
== How do I configure boot time mounting of iso images so that they can be available for anonymous ftp access ? == | == How do I configure boot time mounting of iso images so that they can be available for anonymous ftp access ? == | ||
By default, selinux-policy-target will block mounting of iso images from /etc/fstab. The following steps are used to mount the iso image with appropriate selinux contexts: | By default, selinux-policy-target will block mounting of iso images from /etc/fstab. The following steps are used to mount the iso image with appropriate selinux contexts: | ||
<pre> su -c 'cp /etc/fstab /etc/fstab.before_iso_mount' | |||
gedit /etc/fstab | * Create a folder to mount the iso in | ||
</pre> | <pre>mkdir /home/mounted_disc/</pre> | ||
Add a mount command for the iso image: | * Set the selinux context for mounting | ||
<pre>/home/my_cd_or_dvd_image.iso | <pre>chcon mnt_t /home/mounted_disc/</pre> | ||
* Backup your fstab | |||
<pre>su -c 'cp /etc/fstab /etc/fstab.before_iso_mount'</pre> | |||
* edit fstab | |||
<pre>su -c 'gedit /etc/fstab'</pre> | |||
* Add a mount command for the iso image: | |||
<pre>/home/my_cd_or_dvd_image.iso /home/mounted_disc/ iso9660 \ | |||
_netdev,ro,loop,fscontext=system_u:object_r:public_content_t:s0 0 0 | |||
</pre> | </pre> | ||
Test that the mount is automatically available after reboot... | * Save and exit gedit | ||
* Test that the mount line is OK | |||
<pre>mount /home/my_cd_or_dvd_image.iso</pre> | |||
* Test that the mount is automatically available after reboot... | |||
<pre>reboot | |||
mount</pre> | |||
* Now use the [[SELinux_FAQ/ProposedAddition_Proposed_additions_to_the_FAQ#How_do_I_make_directories_available_via_anonymous_ftp_.3F|previous]] ftp share config to set up ftp sharing of the mounted iso | |||
== Are there any presentations on using SELinux ? == | == Are there any presentations on using SELinux ? == | ||
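Review bot: the new step `chcon mnt_t /home/mounted_disc/` passes the type without `-t`, so chcon reads `mnt_t` as a complete context and rejects it; it should be `chcon -t mnt_t /home/mounted_disc/`. The new fstab entry is also split over two lines with a trailing backslash. fstab has no line continuation, so the options line would be parsed as a separate, malformed entry; put the whole entry on one line.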
Line 42: | Line 52: | ||
At Colorado Software Summit, Thomas Cameron gave a presentation entitled 'SELinux for Mere Mortals - Or, Don't turn it off', which is [[http://people.redhat.com/tcameron/.css-2008/SELinux_For_More_Mortals/SELinux_For_Mere_Mortals.pdf available as a pdf]]. | At Colorado Software Summit, Thomas Cameron gave a presentation entitled 'SELinux for Mere Mortals - Or, Don't turn it off', which is [[http://people.redhat.com/tcameron/.css-2008/SELinux_For_More_Mortals/SELinux_For_Mere_Mortals.pdf available as a pdf]]. | ||
[[Category: | [[Category:Draft Documentation]] |
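Review bot: the PDF link in the unchanged line of this hunk is still written with double brackets (`[[http://people.redhat.com/... available as a pdf]]`), which is internal-link syntax; an external link takes single brackets, otherwise the rendered page shows a stray pair of brackets around "available as a pdf". Since one of the listed revisions is summarised as internal link cleaning, this is the place to fix it. The path segment `SELinux_For_More_Mortals` also differs from the title's "Mere Mortals" and is worth checking against the live URL.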
Latest revision as of 22:02, 17 September 2016
This is not the formal FAQ. If you have a question and/or answer you would like to appear in the FAQ, please put it here and we will try to answer it.
In Red Hat Enterprise Linux 4, how do I write policy to allow a domain to use pam_unix.so?
Very few domains in the SELinux world are allowed to read the /etc/shadow file. There are constraint rules that prevent policy writers from writing code like:
allow mydomain_t shadow_t:file read;
In RHEL4 you can set up your domain to use the unix_chkpwd command. The easiest way is to use the unix_chkpwd attribute. So if you were writing policy for an ftpd daemon, you would write something like daemon_domain(vsftpd, `auth_chkpwd'). This would create a context where vsftpd_t -> chkpwd_exec_t -> system_chkpwd_t, which can read /etc/shadow, while vsftpd_t is not able to read it.
In FC5/RHEL5 you will add the rule:
auth_domtrans_chk_passwd(vsftpd_t)
How do I make directories available via anonymous ftp?
- ) more work required.
gedit /etc/vsftpd/vsftpd.conf
add anon_root=/home/my_anonymous_ftp_directory
file|save
gnome-terminal
ls -lZ -d /home/my_anonymous_ftp_directory/
?? rem: chcon -t public_content_t /home/my_anonymous_ftp_directory/ -R ??
setsebool -P ftp_home_dir=1
How do I configure boot time mounting of ISO images so that they can be available for anonymous ftp access?
By default, selinux-policy-targeted will block mounting of ISO images from /etc/fstab. The following steps mount the ISO image with appropriate SELinux contexts:
- Create a folder to mount the iso in
mkdir /home/mounted_disc/
- Set the SELinux context for mounting
chcon -t mnt_t /home/mounted_disc/
- Back up your fstab
su -c 'cp /etc/fstab /etc/fstab.before_iso_mount'
- Edit fstab
su -c 'gedit /etc/fstab'
- Add a mount command for the iso image:
/home/my_cd_or_dvd_image.iso /home/mounted_disc/ iso9660 _netdev,ro,loop,fscontext=system_u:object_r:public_content_t:s0 0 0
- Save and exit gedit
- Test that the mount line is OK
mount /home/my_cd_or_dvd_image.iso
- Test that the mount is automatically available after reboot...
reboot
mount
- Now use the previous ftp share config to set up ftp sharing of the mounted iso
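A check that can be run on the edited fstab before rebooting, given here as an added example that is not part of the original FAQ. The function names `has_opt` and `check_iso_fstab` are hypothetical; the paths and options are the ones used in the steps above, and the sample entry is constructed.

```shell
# Added example: lint the ISO entry of an fstab-format file. Reads text only; mounts nothing.
# has_opt OPTS NAME -> 0 if NAME or NAME=value is in the comma-separated OPTS
has_opt() {
    case ",$1," in *",$2,"*|*",$2="*) return 0 ;; esac
    return 1
}

# check_iso_fstab FILE ISO MOUNTPOINT -> 0 if the entry is usable, 1 otherwise
check_iso_fstab() {
    fstab=$1; iso=$2; mnt=$3; found=0; rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        set -f; set -- $line; set +f      # split on whitespace, no globbing
        [ "$1" = "$iso" ] || continue
        found=1
        # fstab has no line continuation: a trailing "\" becomes the options field
        case $line in *\\) echo "entry is split with a backslash"; rc=1 ;; esac
        [ "$2" = "$mnt" ] || { echo "mount point is '$2', expected '$mnt'"; rc=1; }
        [ "$3" = iso9660 ] || { echo "filesystem type is '$3'"; rc=1; }
        for o in loop ro; do
            has_opt "$4" "$o" || { echo "missing option: $o"; rc=1; }
        done
        has_opt "$4" fscontext || has_opt "$4" context ||
            { echo "no SELinux context option"; rc=1; }
    done < "$fstab"
    [ "$found" -eq 1 ] || { echo "no entry for $iso"; rc=1; }
    return $rc
}

# Constructed sample: the entry split across two lines with a backslash.
demo=$(mktemp)
printf '%s\n' '/home/my_cd_or_dvd_image.iso /home/mounted_disc/ iso9660 \' \
    '_netdev,ro,loop,fscontext=system_u:object_r:public_content_t:s0 0 0' > "$demo"
check_iso_fstab "$demo" /home/my_cd_or_dvd_image.iso /home/mounted_disc/ || echo "fix before reboot"
rm -f "$demo"
```

Run it against the real file with `check_iso_fstab /etc/fstab /home/my_cd_or_dvd_image.iso /home/mounted_disc/`; it passes only when the whole entry sits on one line.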
Are there any presentations on using SELinux?
At Colorado Software Summit, Thomas Cameron gave a presentation entitled 'SELinux for Mere Mortals - Or, Don't turn it off', which is available as a pdf: http://people.redhat.com/tcameron/.css-2008/SELinux_For_More_Mortals/SELinux_For_Mere_Mortals.pdf