trunk: man page updates from dan.

This commit is contained in:
Chris PeBenito 2008-08-20 19:15:49 +00:00
parent 770c015f88
commit b4f23e680a
2 changed files with 51 additions and 42 deletions

@ -1,52 +1,65 @@
.TH "ftpd_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "ftpd Selinux Policy documentation" .TH "ftpd_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "ftpd SELinux policy documentation"
.SH "NAME" .SH "NAME"
ftpd_selinux \- Security Enhanced Linux Policy for the ftp daemon .PP
ftpd_selinux \- Security-Enhanced Linux policy for ftp daemons.
.SH "DESCRIPTION" .SH "DESCRIPTION"
.PP
Security-Enhanced Linux secures the ftpd server via flexible mandatory access Security-Enhanced Linux provides security for ftp daemons via flexible mandatory access control.
control.
.SH FILE_CONTEXTS .SH FILE_CONTEXTS
SELinux requires files to have an extended attribute to define the file type. .PP
Policy governs the access daemons have to these files. SELinux requires files to have a file type. File types may be specified with semanage and are restored with restorecon. Policy governs the access that daemons have to files.
If you want to share files anonymously, you must label the files and directories public_content_t. So if you created a special directory /var/ftp, you would need to label the directory with the chcon tool.
.TP .TP
chcon -R -t public_content_t /var/ftp Allow ftp servers to read the /var/ftp directory by adding the public_content_t file type to the directory and by restoring the file type.
.PP
.B
semanage fcontext -a -t public_content_t "/var/ftp(/.*)?"
.TP .TP
If you want to setup a directory where you can upload files to you must label the files and directories public_content_rw_t. So if you created a special directory /var/ftp/incoming, you would need to label the directory with the chcon tool. .B
restorecon -R -v /var/ftp
.TP .TP
chcon -t public_content_rw_t /var/ftp/incoming Allow ftp servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_ftpd_anon_write boolean to be set.
.PP
.B
semanage fcontext -a -t public_content_rw_t "/var/ftp/incoming(/.*)?"
.TP .TP
You must also turn on the boolean allow_ftpd_anon_write. .B
.TP restorecon -R -v /var/ftp/incoming
setsebool -P allow_ftpd_anon_write=1
.TP
If you want to make this permanant, i.e. survive a relabel, you must add an entry to the file_contexts.local file.
.TP
/etc/selinux/POLICYTYPE/contexts/files/file_contexts.local
.br
/var/ftp(/.*)? system_u:object_r:public_content_t
/var/ftp/incoming(/.*)? system_u:object_r:public_content_rw_t
.SH BOOLEANS .SH BOOLEANS
SELinux ftp daemon policy is customizable based on least access required. So by .PP
default SElinux does not allow users to login and read their home directories. SELinux policy is based on least privilege required and may also be customizable by setting a boolean with setsebool.
.br
If you are setting up this machine as a ftpd server and wish to allow users to access their home
directorories, you need to set the ftp_home_dir boolean.
.TP .TP
setsebool -P ftp_home_dir 1 Allow ftp servers to read and write files with the public_content_rw_t file type.
.PP
.B
setsebool -P allow_ftpd_anon_write on
.TP .TP
ftpd can run either as a standalone daemon or as part of the xinetd domain. If you want to run ftpd as a daemon you must set the ftpd_is_daemon boolean. Allow ftp servers to read or write files in the user home directories.
.PP
.B
setsebool -P ftp_home_dir on
.TP .TP
setsebool -P ftpd_is_daemon 1 Allow ftp servers to read or write all files on the system.
.br .PP
service vsftpd restart .B
setsebool -P allow_ftpd_full_access on
.TP
Allow ftp servers to use cifs for public file transfer services.
.PP
.B
setsebool -P allow_ftpd_use_cifs on
.TP
Allow ftp servers to use nfs for public file transfer services.
.PP
.B
setsebool -P allow_ftpd_use_nfs on
.TP .TP
system-config-selinux is a GUI tool available to customize SELinux policy settings. system-config-selinux is a GUI tool available to customize SELinux policy settings.
.SH AUTHOR .SH AUTHOR
.PP
This manual page was written by Dan Walsh <dwalsh@redhat.com>. This manual page was written by Dan Walsh <dwalsh@redhat.com>.
.SH "SEE ALSO" .SH "SEE ALSO"
selinux(8), ftpd(8), chcon(1), setsebool(8) .PP
selinux(8), ftpd(8), setsebool(8), semanage(8), restorecon(8)
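Review bot: the prose for the upload directory ("Allow ftp servers to read and write /var/tmp/incoming ...") names /var/tmp/incoming, but both commands under it act on /var/ftp/incoming (`semanage fcontext -a -t public_content_rw_t "/var/ftp/incoming(/.*)?"` and `restorecon -R -v /var/ftp/incoming`); change the sentence to /var/ftp/incoming, otherwise a reader following the text labels a directory the commands never touch and the real upload area stays unlabelled. Two smaller points: the .TH date is still "17 Jan 2005" although the page is substantially rewritten in this hunk, and the new allow_ftpd_full_access entry ("read or write all files on the system") should carry a sentence that this is far broader than public_content_rw_t plus allow_ftpd_anon_write and should not be used for the ordinary upload case, since as written the three setsebool entries read as equally routine choices.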

@ -22,23 +22,19 @@ The following file contexts types are defined for httpd:
.EX .EX
httpd_sys_content_t httpd_sys_content_t
.EE .EE
- Set files with httpd_sys_content_t for content which is available from all httpd scripts and the daemon. - Set files with httpd_sys_content_t for content which is available from all httpd sys scripts and the daemon.
.EX .EX
httpd_sys_script_exec_t httpd_sys_script_exec_t
.EE .EE
- Set cgi scripts with httpd_sys_script_exec_t to allow them to run with access to all sys types. - Set cgi scripts with httpd_sys_script_exec_t to allow them to run with access to all sys types.
.EX .EX
httpd_sys_script_ro_t httpd_sys_content_rw_t
.EE .EE
- Set files with httpd_sys_script_ro_t if you want httpd_sys_script_exec_t scripts to read the data, and disallow other non sys scripts from access. - Set files with httpd_sys_content_rw_t if you want httpd_sys_script_exec_t scripts to read/write the data, and disallow other non sys scripts from access.
.EX .EX
httpd_sys_script_rw_t httpd_sys_content_ra_t
.EE .EE
- Set files with httpd_sys_script_rw_t if you want httpd_sys_script_exec_t scripts to read/write the data, and disallow other non sys scripts from access. - Set files with httpd_sys_content_ra_t if you want httpd_sys_script_exec_t scripts to read/append to the file, and disallow other non sys scripts from access.
.EX
httpd_sys_script_ra_t
.EE
- Set files with httpd_sys_script_ra_t if you want httpd_sys_script_exec_t scripts to read/append to the file, and disallow other non sys scripts from access.
.EX .EX
httpd_unconfined_script_exec_t httpd_unconfined_script_exec_t
.EE .EE
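Review bot: with the httpd_sys_script_ro_t entry dropped and neither remaining entry renamed to a read-only type, the list no longer tells the reader which type to use for content that httpd_sys_script_exec_t scripts may read but not write; if httpd_sys_content_t is meant to cover that case, say so in its description, which now only reads "available from all httpd sys scripts and the daemon". Also, the two renamed entries (httpd_sys_content_rw_t, httpd_sys_content_ra_t) keep the "disallow other non sys scripts from access" wording from the old script_rw_t/script_ra_t entries; confirm that the new content type names are the ones actually defined in the policy module, so the man page does not advertise a type that semanage fcontext or restorecon will reject.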