andersk / test.git / blame
| Commit | Line | Data |
|---|---|---|
| 09c5d6e3 MG |
1 | When running in SELinux mode on Fedora, some operations don't work out of the |
| 2 | box. | |
| 3 | ||
| 4 | Until somebody contributes a complete SELinux policy for ShellInABox, here are | |
| 5 | some tips on getting things working: | |
| 6 | ||
| 7 | - avoid using the default "LOGIN" service. Calling /bin/login does not do | |
| 8 | the right thing. | |
| 9 | The "LOGIN" service is the default service when running "shellinaboxd" as | |
| 10 | "root". This means, you will most likely see all logins failing, whenever | |
| 11 | you start the daemon as "root". | |
| 12 | To fix this problem, consider explicitly specifying a service definition. | |
| 13 | One of these two should work: | |
| 14 | --service /:AUTH:HOME:/bin/bash | |
| 15 | or | |
| 16 | --service /:SSH | |
| 17 | The latter requires that you have a locally running "sshd" daemon. | |
| 18 | ||
| 19 | - On Fedora, PAM authentication does not work for shellinabox until you | |
| 20 | explicitly configure it. This means, using "AUTH" in the service definition | |
| 21 | will not allow you to log in. | |
| 22 | You can fix this by defining a proper "/etc/pam.d/shellinabox" file. Take a | |
| 23 | look at "etc-pam.d-shellinabox-example" for a working example. | |
| 24 | Make sure you assign the correct SELinux labels to this file when copying | |
| 25 | it into "/etc/pam.d": | |
| 26 | cp -Z system_u:object_r:etc_t:s0 etc-pam.d-shellinabox-example /etc/pam.d/ | |
| 27 |