Changeset 2785
- Timestamp: 08/20/08 14:15:49
- Author: cpebenito
- Message: trunk: man page updates from dan.
| r2451 |
r2785 |
|
| 1 | | .TH "ftpd_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "ftpd Selinux Policy documentation" |
|---|
| | 1 | .TH "ftpd_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "ftpd SELinux policy documentation" |
|---|
| 2 | 2 | .SH "NAME" |
|---|
| 3 | | ftpd_selinux \- Security Enhanced Linux Policy for the ftp daemon |
|---|
| | 3 | .PP |
|---|
| | 4 | ftpd_selinux \- Security-Enhanced Linux policy for ftp daemons. |
|---|
| 4 | 5 | .SH "DESCRIPTION" |
|---|
| 5 | | |
|---|
| 6 | | Security-Enhanced Linux secures the ftpd server via flexible mandatory access |
|---|
| 7 | | control. |
|---|
| | 6 | .PP |
|---|
| | 7 | Security-Enhanced Linux provides security for ftp daemons via flexible mandatory access control. |
|---|
| 8 | 8 | .SH FILE_CONTEXTS |
|---|
| 9 | | SELinux requires files to have an extended attribute to define the file type. |
|---|
| 10 | | Policy governs the access daemons have to these files. |
|---|
| 11 | | If you want to share files anonymously, you must label the files and directories public_content_t. So if you created a special directory /var/ftp, you would need to label the directory with the chcon tool. |
|---|
| | 9 | .PP |
|---|
| | 10 | SELinux requires files to have a file type. File types may be specified with semanage and are restored with restorecon. Policy governs the access that daemons have to files. |
|---|
| 12 | 11 | .TP |
|---|
| 13 | | chcon -R -t public_content_t /var/ftp |
|---|
| | 12 | Allow ftp servers to read the /var/ftp directory by adding the public_content_t file type to the directory and by restoring the file type. |
|---|
| | 13 | .PP |
|---|
| | 14 | .B |
|---|
| | 15 | semanage fcontext -a -t public_content_t "/var/ftp(/.*)?" |
|---|
| 14 | 16 | .TP |
|---|
| 15 | | If you want to setup a directory where you can upload files to you must label the files and directories public_content_rw_t. So if you created a special directory /var/ftp/incoming, you would need to label the directory with the chcon tool. |
|---|
| | 17 | .B |
|---|
| | 18 | restorecon -R -v /var/ftp |
|---|
| 16 | 19 | .TP |
|---|
| 17 | | chcon -t public_content_rw_t /var/ftp/incoming |
|---|
| | 20 | Allow ftp servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_ftpd_anon_write boolean to be set. |
|---|
| | 21 | .PP |
|---|
| | 22 | .B |
|---|
| | 23 | semanage fcontext -a -t public_content_rw_t "/var/ftp/incoming(/.*)?" |
|---|
| 18 | 24 | .TP |
|---|
| 19 | | You must also turn on the boolean allow_ftpd_anon_write. |
|---|
| 20 | | .TP |
|---|
| 21 | | setsebool -P allow_ftpd_anon_write=1 |
|---|
| 22 | | .TP |
|---|
| 23 | | If you want to make this permanant, i.e. survive a relabel, you must add an entry to the file_contexts.local file. |
|---|
| 24 | | .TP |
|---|
| 25 | | /etc/selinux/POLICYTYPE/contexts/files/file_contexts.local |
|---|
| 26 | | .br |
|---|
| 27 | | /var/ftp(/.*)? system_u:object_r:public_content_t |
|---|
| 28 | | /var/ftp/incoming(/.*)? system_u:object_r:public_content_rw_t |
|---|
| | 25 | .B |
|---|
| | 26 | restorecon -R -v /var/ftp/incoming |
|---|
| 29 | 27 | |
|---|
| 30 | 28 | .SH BOOLEANS |
|---|
| 31 | | SELinux ftp daemon policy is customizable based on least access required. So by |
|---|
| 32 | | default SElinux does not allow users to login and read their home directories. |
|---|
| 33 | | .br |
|---|
| 34 | | If you are setting up this machine as a ftpd server and wish to allow users to access their home |
|---|
| 35 | | directorories, you need to set the ftp_home_dir boolean. |
|---|
| | 29 | .PP |
|---|
| | 30 | SELinux policy is based on least privilege required and may also be customizable by setting a boolean with setsebool. |
|---|
| 36 | 31 | .TP |
|---|
| 37 | | setsebool -P ftp_home_dir 1 |
|---|
| | 32 | Allow ftp servers to read and write files with the public_content_rw_t file type. |
|---|
| | 33 | .PP |
|---|
| | 34 | .B |
|---|
| | 35 | setsebool -P allow_ftpd_anon_write on |
|---|
| 38 | 36 | .TP |
|---|
| 39 | | ftpd can run either as a standalone daemon or as part of the xinetd domain. If you want to run ftpd as a daemon you must set the ftpd_is_daemon boolean. |
|---|
| | 37 | Allow ftp servers to read or write files in the user home directories. |
|---|
| | 38 | .PP |
|---|
| | 39 | .B |
|---|
| | 40 | setsebool -P ftp_home_dir on |
|---|
| 40 | 41 | .TP |
|---|
| 41 | | setsebool -P ftpd_is_daemon 1 |
|---|
| 42 | | .br |
|---|
| 43 | | service vsftpd restart |
|---|
| | 42 | Allow ftp servers to read or write all files on the system. |
|---|
| | 43 | .PP |
|---|
| | 44 | .B |
|---|
| | 45 | setsebool -P allow_ftpd_full_access on |
|---|
| | 46 | .TP |
|---|
| | 47 | Allow ftp servers to use cifs for public file transfer services. |
|---|
| | 48 | .PP |
|---|
| | 49 | .B |
|---|
| | 50 | setsebool -P allow_ftpd_use_cifs on |
|---|
| | 51 | .TP |
|---|
| | 52 | Allow ftp servers to use nfs for public file transfer services. |
|---|
| | 53 | .PP |
|---|
| | 54 | .B |
|---|
| | 55 | setsebool -P allow_ftpd_use_nfs on |
|---|
| 44 | 56 | .TP |
|---|
| 45 | 57 | system-config-selinux is a GUI tool available to customize SELinux policy settings. |
|---|
| 46 | 58 | .SH AUTHOR |
|---|
| | 59 | .PP |
|---|
| 47 | 60 | This manual page was written by Dan Walsh <dwalsh@redhat.com>. |
|---|
| 48 | 61 | |
|---|
| 49 | 62 | .SH "SEE ALSO" |
|---|
| 50 | | selinux(8), ftpd(8), chcon(1), setsebool(8) |
|---|
| | 63 | .PP |
|---|
| 51 | 64 | |
|---|
| 52 | | |
|---|
| | 65 | selinux(8), ftpd(8), setsebool(8), semanage(8), restorecon(8) |
|---|
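Review bot: new line 20 describes the public_content_rw_t example as making /var/tmp/incoming writable, but the semanage fcontext and restorecon commands that follow it (new lines 23 and 26) operate on /var/ftp/incoming; change the description to /var/ftp/incoming so the path the reader labels is the one the text says ftp servers may write to. Three further points in this file. The old page's ftpd_is_daemon entry and the `service vsftpd restart` step (old lines 39-43) are dropped without replacement; if that boolean is still defined in the policy, keep an entry for it under BOOLEANS, and if it has been removed, say so in the commit message rather than silently. The allow_ftpd_full_access entry (new lines 42-45) documents a boolean that lets the ftp domain read or write every file on the system; a one-line warning that it removes the confinement the rest of the page describes, and that public_content_rw_t labelling plus allow_ftpd_anon_write is the preferred way to grant write access to one tree, would stop readers reaching for it first. Minor: the .TH date at new line 1 still reads 17 Jan 2005 although the page is rewritten, and "may also be customizable by setting a boolean" at new line 30 should be "may also be customized by setting a boolean".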
| r2612 |
r2785 |
|
| 23 | 23 | httpd_sys_content_t |
|---|
| 24 | 24 | .EE |
|---|
| 25 | | - Set files with httpd_sys_content_t for content which is available from all httpd scripts and the daemon. |
|---|
| | 25 | - Set files with httpd_sys_content_t for content which is available from all httpd sys scripts and the daemon. |
|---|
| 26 | 26 | .EX |
|---|
| 27 | 27 | httpd_sys_script_exec_t |
|---|
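Review bot: "all httpd sys scripts" at new line 25 is ambiguous where every other entry in this list names a type; make it "all httpd_sys_script_exec_t scripts and the daemon" so the reader can match it against the httpd_sys_script_exec_t entry at line 29. If the wording change reflects that httpd_sys_content_t now covers the read-only case for sys scripts, a sentence saying so here would also explain why the dedicated read-only type disappears later in this file.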
| … | … | |
| 29 | 29 | - Set cgi scripts with httpd_sys_script_exec_t to allow them to run with access to all sys types. |
|---|
| 30 | 30 | .EX |
|---|
| 31 | | httpd_sys_script_ro_t |
|---|
| | 31 | httpd_sys_content_rw_t |
|---|
| 32 | 32 | .EE |
|---|
| 33 | | - Set files with httpd_sys_script_ro_t if you want httpd_sys_script_exec_t scripts to read the data, and disallow other non sys scripts from access. |
|---|
| | 33 | - Set files with httpd_sys_content_rw_t if you want httpd_sys_script_exec_t scripts to read/write the data, and disallow other non sys scripts from access. |
|---|
| 34 | 34 | .EX |
|---|
| 35 | | httpd_sys_script_rw_t |
|---|
| | 35 | httpd_sys_content_ra_t |
|---|
| 36 | 36 | .EE |
|---|
| 37 | | - Set files with httpd_sys_script_rw_t if you want httpd_sys_script_exec_t scripts to read/write the data, and disallow other non sys scripts from access. |
|---|
| 38 | | .EX |
|---|
| 39 | | httpd_sys_script_ra_t |
|---|
| 40 | | .EE |
|---|
| 41 | | - Set files with httpd_sys_script_ra_t if you want httpd_sys_script_exec_t scripts to read/append to the file, and disallow other non sys scripts from access. |
|---|
| | 37 | - Set files with httpd_sys_content_ra_t if you want httpd_sys_script_exec_t scripts to read/append to the file, and disallow other non sys scripts from access. |
|---|
| 42 | 38 | .EX |
|---|
| 43 | 39 | httpd_unconfined_script_exec_t |
|---|
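Review bot: the read-only entry is dropped rather than renamed: old lines 31-33 (httpd_sys_script_ro_t, read access for httpd_sys_script_exec_t scripts) are replaced by the httpd_sys_content_rw_t entry, and old lines 35-41 for httpd_sys_script_rw_t and httpd_sys_script_ra_t become httpd_sys_content_rw_t and httpd_sys_content_ra_t, so the rewritten list has no type for content that sys scripts may read but not write. Either keep a read-only entry or state which type now serves that purpose (if it is httpd_sys_content_t, say so at line 25). Since these are type renames and not just wording, the commit message "man page updates from dan" should name the renamed types so the change can be checked against the types the httpd policy actually defines, and a short note at the top of the section that the old httpd_sys_script_ro_t, httpd_sys_script_rw_t and httpd_sys_script_ra_t names are superseded would help readers of already-labelled systems.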