diff options
author | Chris PeBenito <cpebenito@tresys.com> | 2009-03-05 13:58:31 +0000 |
---|---|---|
committer | Chris PeBenito <cpebenito@tresys.com> | 2009-03-05 13:58:31 +0000 |
commit | 60c395bd55b925b64ac03ce146b3c12859966040 (patch) | |
tree | 4ada6a52db2d513bb97291ce69867dd17ddfb869 /man | |
parent | c45fdad85b8b63b23e5d20c5059b165930599e59 (diff) |
trunk: man page fixes from dan.
Diffstat (limited to 'man')
-rw-r--r-- | man/man8/httpd_selinux.8 | 4 | ||||
-rw-r--r-- | man/man8/kerberos_selinux.8 | 2 | ||||
-rw-r--r-- | man/man8/nfs_selinux.8 | 15 | ||||
-rw-r--r-- | man/man8/samba_selinux.8 | 12 |
4 files changed, 20 insertions, 13 deletions
diff --git a/man/man8/httpd_selinux.8 b/man/man8/httpd_selinux.8 index 31aadb20..3d85afdd 100644 --- a/man/man8/httpd_selinux.8 +++ b/man/man8/httpd_selinux.8 @@ -41,7 +41,7 @@ httpd_unconfined_script_exec_t - Set cgi scripts with httpd_unconfined_script_exec_t to allow them to run without any SELinux protection. This should only be used for a very complex httpd scripts, after exhausting all other options. It is better to use this script rather than turning off SELinux protection for httpd. .SH NOTE -With certain policies you can define addional file contexts based on roles like user or staff. httpd_user_script_exec_t can be defined where it would only have access to "user" contexts. +With certain policies you can define additional file contexts based on roles like user or staff. httpd_user_script_exec_t can be defined where it would only have access to "user" contexts. .SH SHARING FILES If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. allow_DOMAIN_anon_write. So for httpd you would execute: @@ -75,7 +75,7 @@ chcon -R -t httpd_sys_content_t ~user/public_html .EE .PP -httpd by default is not allowed access to the controling terminal. In most cases this is prefered, because an intruder might be able to use the access to the terminal to gain privileges. But in certain situations httpd needs to prompt for a password to open a certificate file, in these cases, terminal access is required. Set the httpd_tty_comm boolean to allow terminal access. +httpd by default is not allowed access to the controlling terminal. In most cases this is preferred, because an intruder might be able to use the access to the terminal to gain privileges. But in certain situations httpd needs to prompt for a password to open a certificate file, in these cases, terminal access is required. Set the httpd_tty_comm boolean to allow terminal access. .EX setsebool -P httpd_tty_comm 1 diff --git a/man/man8/kerberos_selinux.8 b/man/man8/kerberos_selinux.8 index 8d299ed4..a7bb0f7f 100644 --- a/man/man8/kerberos_selinux.8 +++ b/man/man8/kerberos_selinux.8 @@ -12,7 +12,7 @@ kerberos_selinux \- Security Enhanced Linux Policy for Kerberos. .SH "DESCRIPTION" Security-Enhanced Linux secures the system via flexible mandatory access -control. By default Kerberos access is not allowed, since it requires daemons to be allowed greater access to certain secure files and addtional access to the network. +control. By default Kerberos access is not allowed, since it requires daemons to be allowed greater access to certain secure files and additional access to the network. .SH BOOLEANS .PP You must set the allow_kerberos boolean to allow your system to work properly in a Kerberos environment. diff --git a/man/man8/nfs_selinux.8 b/man/man8/nfs_selinux.8 index 0065b4a4..91501d91 100644 --- a/man/man8/nfs_selinux.8 +++ b/man/man8/nfs_selinux.8 @@ -1,14 +1,12 @@ -.TH "nfs_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "nfs Selinux Policy documentation" +.TH "nfs_selinux" "8" "9 Feb 2009" "dwalsh@redhat.com" "NFS SELinux Policy documentation" .SH "NAME" nfs_selinux \- Security Enhanced Linux Policy for NFS .SH "DESCRIPTION" -Security-Enhanced Linux secures the nfs server via flexible mandatory access +Security Enhanced Linux secures the NFS server via flexible mandatory access control. .SH BOOLEANS -SELinux policy is customizable based on least access required. So by -default SElinux policy does not allow nfs to share files. If you want to -setup this machine to share nfs partitions read only, you must set the boolean nfs_export_all_ro boolean. +SELinux policy is customizable based on the least level of access required. By default, SELinux policy does not allow NFS to share files. If you want to share NFS partitions, and only allow read-only access to those NFS partitions, turn the nfs_export_all_ro boolean on: .TP setsebool -P nfs_export_all_ro 1 @@ -18,7 +16,10 @@ If you want to share files read/write you must set the nfs_export_all_rw boolean setsebool -P nfs_export_all_rw 1 .TP -If you want to use a remote NFS server for the home directories on this machine, you must set the use_nfs_home_dir boolean. +These booleans are not required when files to be shared are labeled with the public_content_t or public_content_rw_t types. NFS can share files labeled with the public_content_t or public_content_rw_t types even if the nfs_export_all_ro and nfs_export_all_rw booleans are off. + +.TP +If you want to use a remote NFS server for the home directories on this machine, you must set the use_nfs_home_dirs boolean: .TP setsebool -P use_nfs_home_dirs 1 .TP @@ -26,5 +27,5 @@ system-config-selinux is a GUI tool available to customize SELinux policy settin .SH AUTHOR This manual page was written by Dan Walsh <dwalsh@redhat.com>. -.SH "SEE ALSpppO" +.SH "SEE ALSO" selinux(8), chcon(1), setsebool(8) diff --git a/man/man8/samba_selinux.8 b/man/man8/samba_selinux.8 index 42e56eca..3357afc1 100644 --- a/man/man8/samba_selinux.8 +++ b/man/man8/samba_selinux.8 @@ -14,11 +14,17 @@ would need to label the directory with the chcon tool. .TP chcon -t samba_share_t /var/eng .TP -If you want to make this permanant, i.e. survive a relabel, you must add an entry to the file_contexts.local file. +To make this change permanent (survive a relabel), use the semanage command to add the change to file context configuration: +.TP +semanage fcontext -a -t samba_share_t "/var/eng(/.*)?" +.TP +This command adds the following entry to /etc/selinux/POLICYTYPE/contexts/files/file_contexts.local: .TP -/etc/selinux/POLICYTYPE/contexts/files/file_contexts.local -.br /var/eng(/.*)? system_u:object_r:samba_share_t +.TP +Run the restorecon command to apply the changes: +.TP +restorecon -R -v /var/eng/ .SH SHARING FILES If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. allow_DOMAIN_anon_write. So for samba you would execute: |