m (add cat) |
m (moved SELinux/FAQ/ProposedAddition Proposed additions to the FAQ to SELinux FAQ/ProposedAddition Proposed additions to the FAQ: Proper naming scheme) |
(No difference)
| |
Revision as of 19:53, 8 June 2009
This is not the formal FAQ. If you have a question and/or answer you would like to appear in the FAQ. Please put it here. And we will try to answer it.
In Red Hat Enterprise Linux 4, how do I write policy to allow a domain to use pam_unix.so?
Very few domains in the SELinux world are allowed to read the /etc/shadow file. There are constraint rules that prevent policy writers from writing code like.
allow mydomain_t shadow_t:file read;
In RHEL4 you can setup your domain to use the unix_chkpwd command. The easiest way is to use the unix_chkpwd attribute. So if you were writing policy for an ftpd daemon you would write something like daemon_domain(vsftpd, auth_chkpwd'). This would create a context where vsftpd_t -> chkpwd_exec_t -> system_chkpwd_t which can read /etc/shadow, while vsftpd_t is not able to read it.
In FC5/RHEL5 you will add the rule
auth_domtrans_chk_passwd(vsftpd_t)
How do I make directories available via anonymous ftp ?
- ) more work required.
gedit /etc/vsftpd/vsftpd.conf
add anon_root=/home/my_anonymous_ftp_directory
file|save
gnome-terminal
ls -lZ -d /home/my_anonymous_ftp_directory/
?? rem: chcon -t public_content_t /home/my_anonymous_ftp_directory/ -R ??
setsebool -P ftp_home_dir=1
How do I configure boot time mounting of iso images so that they can be available for anonymous ftp access ?
By default, selinux-policy-target will block mounting of iso images from /etc/fstab. The following steps are used to mount the iso image with appropriate selinux contexts:
su -c 'cp /etc/fstab /etc/fstab.before_iso_mount'
gedit /etc/fstab
Add a mount command for the iso image:
/home/my_cd_or_dvd_image.iso /home/mounted_disc/ iso9660 loop,ro,fscontext=system_u:object_r:public_content_t 0 0
Test that the mount line is OK:
mount /home/my_cd_or_dvd_image.iso
Test that the mount is automatically available after reboot...
Are there any presentations on using SELinux ?
At Colorado Software Summit, Thomas Cameron gave a presentation entitled 'SELinux for Mere Mortals - Or, Don't turn it off', which is [available as a pdf].