trunk: man page updates from dan.
parent
770c015f88
commit
b4f23e680a
@ -1,52 +1,65 @@
|
|||||||
.TH "ftpd_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "ftpd Selinux Policy documentation"
|
.TH "ftpd_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "ftpd SELinux policy documentation"
|
||||||
.SH "NAME"
|
.SH "NAME"
|
||||||
ftpd_selinux \- Security Enhanced Linux Policy for the ftp daemon
|
.PP
|
||||||
|
ftpd_selinux \- Security-Enhanced Linux policy for ftp daemons.
|
||||||
.SH "DESCRIPTION"
|
.SH "DESCRIPTION"
|
||||||
|
.PP
|
||||||
Security-Enhanced Linux secures the ftpd server via flexible mandatory access
|
Security-Enhanced Linux provides security for ftp daemons via flexible mandatory access control.
|
||||||
control.
|
|
||||||
.SH FILE_CONTEXTS
|
.SH FILE_CONTEXTS
|
||||||
SELinux requires files to have an extended attribute to define the file type.
|
.PP
|
||||||
Policy governs the access daemons have to these files.
|
SELinux requires files to have a file type. File types may be specified with semanage and are restored with restorecon. Policy governs the access that daemons have to files.
|
||||||
If you want to share files anonymously, you must label the files and directories public_content_t. So if you created a special directory /var/ftp, you would need to label the directory with the chcon tool.
|
|
||||||
.TP
|
.TP
|
||||||
chcon -R -t public_content_t /var/ftp
|
Allow ftp servers to read the /var/ftp directory by adding the public_content_t file type to the directory and by restoring the file type.
|
||||||
|
.PP
|
||||||
|
.B
|
||||||
|
semanage fcontext -a -t public_content_t "/var/ftp(/.*)?"
|
||||||
.TP
|
.TP
|
||||||
If you want to setup a directory where you can upload files to you must label the files and directories public_content_rw_t. So if you created a special directory /var/ftp/incoming, you would need to label the directory with the chcon tool.
|
.B
|
||||||
|
restorecon -R -v /var/ftp
|
||||||
.TP
|
.TP
|
||||||
chcon -t public_content_rw_t /var/ftp/incoming
|
Allow ftp servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_ftpd_anon_write boolean to be set.
|
||||||
|
.PP
|
||||||
|
.B
|
||||||
|
semanage fcontext -a -t public_content_rw_t "/var/ftp/incoming(/.*)?"
|
||||||
.TP
|
.TP
|
||||||
You must also turn on the boolean allow_ftpd_anon_write.
|
.B
|
||||||
.TP
|
restorecon -R -v /var/ftp/incoming
|
||||||
setsebool -P allow_ftpd_anon_write=1
|
|
||||||
.TP
|
|
||||||
If you want to make this permanant, i.e. survive a relabel, you must add an entry to the file_contexts.local file.
|
|
||||||
.TP
|
|
||||||
/etc/selinux/POLICYTYPE/contexts/files/file_contexts.local
|
|
||||||
.br
|
|
||||||
/var/ftp(/.*)? system_u:object_r:public_content_t
|
|
||||||
/var/ftp/incoming(/.*)? system_u:object_r:public_content_rw_t
|
|
||||||
|
|
||||||
.SH BOOLEANS
|
.SH BOOLEANS
|
||||||
SELinux ftp daemon policy is customizable based on least access required. So by
|
.PP
|
||||||
default SElinux does not allow users to login and read their home directories.
|
SELinux policy is based on least privilege required and may also be customizable by setting a boolean with setsebool.
|
||||||
.br
|
|
||||||
If you are setting up this machine as a ftpd server and wish to allow users to access their home
|
|
||||||
directorories, you need to set the ftp_home_dir boolean.
|
|
||||||
.TP
|
.TP
|
||||||
setsebool -P ftp_home_dir 1
|
Allow ftp servers to read and write files with the public_content_rw_t file type.
|
||||||
|
.PP
|
||||||
|
.B
|
||||||
|
setsebool -P allow_ftpd_anon_write on
|
||||||
.TP
|
.TP
|
||||||
ftpd can run either as a standalone daemon or as part of the xinetd domain. If you want to run ftpd as a daemon you must set the ftpd_is_daemon boolean.
|
Allow ftp servers to read or write files in the user home directories.
|
||||||
|
.PP
|
||||||
|
.B
|
||||||
|
setsebool -P ftp_home_dir on
|
||||||
.TP
|
.TP
|
||||||
setsebool -P ftpd_is_daemon 1
|
Allow ftp servers to read or write all files on the system.
|
||||||
.br
|
.PP
|
||||||
service vsftpd restart
|
.B
|
||||||
|
setsebool -P allow_ftpd_full_access on
|
||||||
|
.TP
|
||||||
|
Allow ftp servers to use cifs for public file transfer services.
|
||||||
|
.PP
|
||||||
|
.B
|
||||||
|
setsebool -P allow_ftpd_use_cifs on
|
||||||
|
.TP
|
||||||
|
Allow ftp servers to use nfs for public file transfer services.
|
||||||
|
.PP
|
||||||
|
.B
|
||||||
|
setsebool -P allow_ftpd_use_nfs on
|
||||||
.TP
|
.TP
|
||||||
system-config-selinux is a GUI tool available to customize SELinux policy settings.
|
system-config-selinux is a GUI tool available to customize SELinux policy settings.
|
||||||
.SH AUTHOR
|
.SH AUTHOR
|
||||||
|
.PP
|
||||||
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
|
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
|
||||||
|
|
||||||
.SH "SEE ALSO"
|
.SH "SEE ALSO"
|
||||||
selinux(8), ftpd(8), chcon(1), setsebool(8)
|
.PP
|
||||||
|
|
||||||
|
|
||||||
|
selinux(8), ftpd(8), setsebool(8), semanage(8), restorecon(8)
|
||||||
|
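Review bot: the new description of the upload directory ("Allow ftp servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type.") names /var/tmp/incoming, while the semanage fcontext pattern "/var/ftp/incoming(/.*)?" and the restorecon -R -v /var/ftp/incoming command that follow it both use /var/ftp/incoming; change the path in the description to /var/ftp/incoming so the prose matches the commands. The rewrite also drops the ftpd_is_daemon boolean and the "service vsftpd restart" step from BOOLEANS without a replacement; if that boolean still exists it should keep an entry in the new ".TP / description / .B setsebool ... on" pattern. As a style point, the new NAME line ends with a period ("... policy for ftp daemons."), which man page NAME lines normally omit so whatis/apropos parse them cleanly.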
@ -22,23 +22,19 @@ The following file contexts types are defined for httpd:
|
|||||||
.EX
|
.EX
|
||||||
httpd_sys_content_t
|
httpd_sys_content_t
|
||||||
.EE
|
.EE
|
||||||
- Set files with httpd_sys_content_t for content which is available from all httpd scripts and the daemon.
|
- Set files with httpd_sys_content_t for content which is available from all httpd sys scripts and the daemon.
|
||||||
.EX
|
.EX
|
||||||
httpd_sys_script_exec_t
|
httpd_sys_script_exec_t
|
||||||
.EE
|
.EE
|
||||||
- Set cgi scripts with httpd_sys_script_exec_t to allow them to run with access to all sys types.
|
- Set cgi scripts with httpd_sys_script_exec_t to allow them to run with access to all sys types.
|
||||||
.EX
|
.EX
|
||||||
httpd_sys_script_ro_t
|
httpd_sys_content_rw_t
|
||||||
.EE
|
.EE
|
||||||
- Set files with httpd_sys_script_ro_t if you want httpd_sys_script_exec_t scripts to read the data, and disallow other non sys scripts from access.
|
- Set files with httpd_sys_content_rw_t if you want httpd_sys_script_exec_t scripts to read/write the data, and disallow other non sys scripts from access.
|
||||||
.EX
|
.EX
|
||||||
httpd_sys_script_rw_t
|
httpd_sys_content_ra_t
|
||||||
.EE
|
.EE
|
||||||
- Set files with httpd_sys_script_rw_t if you want httpd_sys_script_exec_t scripts to read/write the data, and disallow other non sys scripts from access.
|
- Set files with httpd_sys_content_ra_t if you want httpd_sys_script_exec_t scripts to read/append to the file, and disallow other non sys scripts from access.
|
||||||
.EX
|
|
||||||
httpd_sys_script_ra_t
|
|
||||||
.EE
|
|
||||||
- Set files with httpd_sys_script_ra_t if you want httpd_sys_script_exec_t scripts to read/append to the file, and disallow other non sys scripts from access.
|
|
||||||
.EX
|
.EX
|
||||||
httpd_unconfined_script_exec_t
|
httpd_unconfined_script_exec_t
|
||||||
.EE
|
.EE
|
||||||
|
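Review bot: this hunk removes the httpd_sys_script_ro_t entry (both the type name and its description) while renaming httpd_sys_script_rw_t and httpd_sys_script_ra_t to httpd_sys_content_rw_t and httpd_sys_content_ra_t, so the page no longer documents a read-only type that is restricted to httpd_sys_script_exec_t scripts; either add the corresponding renamed read-only entry or state under httpd_sys_content_t that it now covers that case. The reworded first bullet, "content which is available from all httpd sys scripts and the daemon", also reads oddly; "httpd_sys_script_exec_t scripts" would match the type names used in the rest of the section.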