diff --git a/man/man8/ftpd_selinux.8 b/man/man8/ftpd_selinux.8 index cfc51ec..9e19481 100644 --- a/man/man8/ftpd_selinux.8 +++ b/man/man8/ftpd_selinux.8 @@ -1,52 +1,65 @@ -.TH "ftpd_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "ftpd Selinux Policy documentation" +.TH "ftpd_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "ftpd SELinux policy documentation" .SH "NAME" -ftpd_selinux \- Security Enhanced Linux Policy for the ftp daemon +.PP +ftpd_selinux \- Security-Enhanced Linux policy for ftp daemons. .SH "DESCRIPTION" - -Security-Enhanced Linux secures the ftpd server via flexible mandatory access -control. +.PP +Security-Enhanced Linux provides security for ftp daemons via flexible mandatory access control. .SH FILE_CONTEXTS -SELinux requires files to have an extended attribute to define the file type. -Policy governs the access daemons have to these files. -If you want to share files anonymously, you must label the files and directories public_content_t. So if you created a special directory /var/ftp, you would need to label the directory with the chcon tool. -.TP -chcon -R -t public_content_t /var/ftp -.TP -If you want to setup a directory where you can upload files to you must label the files and directories public_content_rw_t. So if you created a special directory /var/ftp/incoming, you would need to label the directory with the chcon tool. -.TP -chcon -t public_content_rw_t /var/ftp/incoming +.PP +SELinux requires files to have a file type. File types may be specified with semanage and are restored with restorecon. Policy governs the access that daemons have to files. .TP -You must also turn on the boolean allow_ftpd_anon_write. +Allow ftp servers to read the /var/ftp directory by adding the public_content_t file type to the directory and by restoring the file type. +.PP +.B +semanage fcontext -a -t public_content_t "/var/ftp(/.*)?" .TP -setsebool -P allow_ftpd_anon_write=1 +.B +restorecon -R -v /var/ftp .TP -If you want to make this permanant, i.e. survive a relabel, you must add an entry to the file_contexts.local file. +Allow ftp servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_ftpd_anon_write boolean to be set. +.PP +.B +semanage fcontext -a -t public_content_rw_t "/var/ftp/incoming(/.*)?" .TP -/etc/selinux/POLICYTYPE/contexts/files/file_contexts.local -.br -/var/ftp(/.*)? system_u:object_r:public_content_t -/var/ftp/incoming(/.*)? system_u:object_r:public_content_rw_t +.B +restorecon -R -v /var/ftp/incoming .SH BOOLEANS -SELinux ftp daemon policy is customizable based on least access required. So by -default SElinux does not allow users to login and read their home directories. -.br -If you are setting up this machine as a ftpd server and wish to allow users to access their home -directorories, you need to set the ftp_home_dir boolean. +.PP +SELinux policy is based on least privilege required and may also be customizable by setting a boolean with setsebool. .TP -setsebool -P ftp_home_dir 1 +Allow ftp servers to read and write files with the public_content_rw_t file type. +.PP +.B +setsebool -P allow_ftpd_anon_write on .TP -ftpd can run either as a standalone daemon or as part of the xinetd domain. If you want to run ftpd as a daemon you must set the ftpd_is_daemon boolean. +Allow ftp servers to read or write files in the user home directories. +.PP +.B +setsebool -P ftp_home_dir on .TP -setsebool -P ftpd_is_daemon 1 -.br -service vsftpd restart +Allow ftp servers to read or write all files on the system. +.PP +.B +setsebool -P allow_ftpd_full_access on +.TP +Allow ftp servers to use cifs for public file transfer services. +.PP +.B +setsebool -P allow_ftpd_use_cifs on +.TP +Allow ftp servers to use nfs for public file transfer services. +.PP +.B +setsebool -P allow_ftpd_use_nfs on .TP system-config-selinux is a GUI tool available to customize SELinux policy settings. .SH AUTHOR +.PP This manual page was written by Dan Walsh . .SH "SEE ALSO" -selinux(8), ftpd(8), chcon(1), setsebool(8) - +.PP +selinux(8), ftpd(8), setsebool(8), semanage(8), restorecon(8) diff --git a/man/man8/httpd_selinux.8 b/man/man8/httpd_selinux.8 index 8e06a31..31aadb2 100644 --- a/man/man8/httpd_selinux.8 +++ b/man/man8/httpd_selinux.8 @@ -22,23 +22,19 @@ The following file contexts types are defined for httpd: .EX httpd_sys_content_t .EE -- Set files with httpd_sys_content_t for content which is available from all httpd scripts and the daemon. +- Set files with httpd_sys_content_t for content which is available from all httpd sys scripts and the daemon. .EX httpd_sys_script_exec_t .EE - Set cgi scripts with httpd_sys_script_exec_t to allow them to run with access to all sys types. .EX -httpd_sys_script_ro_t +httpd_sys_content_rw_t .EE -- Set files with httpd_sys_script_ro_t if you want httpd_sys_script_exec_t scripts to read the data, and disallow other non sys scripts from access. +- Set files with httpd_sys_content_rw_t if you want httpd_sys_script_exec_t scripts to read/write the data, and disallow other non sys scripts from access. .EX -httpd_sys_script_rw_t +httpd_sys_content_ra_t .EE -- Set files with httpd_sys_script_rw_t if you want httpd_sys_script_exec_t scripts to read/write the data, and disallow other non sys scripts from access. -.EX -httpd_sys_script_ra_t -.EE -- Set files with httpd_sys_script_ra_t if you want httpd_sys_script_exec_t scripts to read/append to the file, and disallow other non sys scripts from access. +- Set files with httpd_sys_content_ra_t if you want httpd_sys_script_exec_t scripts to read/append to the file, and disallow other non sys scripts from access. .EX httpd_unconfined_script_exec_t .EE