Commit | Line | Data |
---|---|---|
09c5d6e3 MG | 1 | When running in SELinux mode on Fedora, some operations don't work out of the |
09c5d6e3 MG | 2 | box. |
09c5d6e3 MG | 3 | |
09c5d6e3 MG | 4 | Until somebody contributes a complete SELinux policy for ShellInABox, here are |
09c5d6e3 MG | 5 | some tips on getting things working: |
09c5d6e3 MG | 6 | |
09c5d6e3 MG | 7 | - avoid using the default "LOGIN" service. Calling /bin/login does not do |
09c5d6e3 MG | 8 | the right thing. |
09c5d6e3 MG | 9 | The "LOGIN" service is the default service when running "shellinaboxd" as |
09c5d6e3 MG | 10 | "root". This means, you will most likely see all logins failing, whenever |
09c5d6e3 MG | 11 | you start the daemon as "root". |
09c5d6e3 MG | 12 | To fix this problem, consider explicitly specifying a service definition. |
09c5d6e3 MG | 13 | One of these two should work: |
2eb60237 | 14 | --service /:AUTH:HOME:SHELL |
09c5d6e3 MG | 15 | or |
09c5d6e3 MG | 16 | --service /:SSH |
09c5d6e3 MG | 17 | The latter requires that you have a locally running "sshd" daemon. |
09c5d6e3 MG | 18 | |
2eb60237 MG | 19 | - Alternatively, consider running "./configure --disable-login" before building |
2eb60237 MG | 20 | the daemon. This will completely remove support for the "LOGIN" service, and |
2eb60237 MG | 21 | shellinaboxd will instead use a default "SSH" service for both unprivileged |
2eb60237 MG | 22 | and for "root" users. |
2eb60237 MG | 23 | |
09c5d6e3 MG | 24 | - On Fedora, PAM authentication does not work for shellinabox until you |
09c5d6e3 MG | 25 | explicitly configure it. This means, using "AUTH" in the service definition |
09c5d6e3 MG | 26 | will not allow you to log in. |
09c5d6e3 MG | 27 | You can fix this by defining a proper "/etc/pam.d/shellinabox" file. Take a |
09c5d6e3 MG | 28 | look at "etc-pam.d-shellinabox-example" for a working example. |
09c5d6e3 MG | 29 | Make sure you assign the correct SELinux labels to this file when copying |
09c5d6e3 MG | 30 | it into "/etc/pam.d": |
09c5d6e3 MG | 31 | cp --context=system_u:object_r:etc_t:s0 etc-pam.d-shellinabox-example /etc/pam.d/shellinabox |
09c5d6e3 MG | 32 | |
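
The tips above can be checked before the daemon is started. The script below is an added example, not part of ShellInABox: it lints a shellinaboxd command line for the "LOGIN" default and for an "AUTH" service whose PAM file is missing or mislabelled. The function names `service_apps` and `lint` are hypothetical, the short option `-s` and GNU `stat -c %C` are assumed to be available, and the sample invocation is constructed.

```shell
#!/bin/sh
# Added example: preflight lint for a shellinaboxd command line on SELinux Fedora.
# Function names are hypothetical; they are not part of ShellInABox.
PAM_FILE=/etc/pam.d/shellinabox
WANT_LABEL=system_u:object_r:etc_t:s0

# service_apps UID ARGS... prints the application of each --service definition.
# With no --service at all, root gets the default LOGIN service, others SSH.
service_apps() {
    uid=$1; shift; found=0
    while [ $# -gt 0 ]; do
        case $1 in
            --service|-s) shift; [ $# -gt 0 ] || break; def=$1 ;;
            --service=*)  def=${1#--service=} ;;
            *)            shift; continue ;;
        esac
        found=1
        app=${def#*:}        # drop the URL path in front of the first ':'
        echo "${app%%:*}"    # LOGIN, SSH, AUTH or a user name
        shift
    done
    [ "$found" -eq 1 ] && return 0
    if [ "$uid" -eq 0 ]; then echo LOGIN; else echo SSH; fi
}

# lint UID PAM_LABEL ARGS... prints findings and returns how many there were.
# PAM_LABEL is the SELinux context of $PAM_FILE, or "" when the file is absent.
lint() {
    uid=$1; label=$2; shift 2; n=0
    for app in $(service_apps "$uid" "$@"); do
        case $app in
            LOGIN) echo "LOGIN service: /bin/login will not work, use AUTH or SSH"
                   n=$((n + 1)) ;;
            AUTH)  if [ -z "$label" ]; then
                       echo "AUTH service but $PAM_FILE is missing"; n=$((n + 1))
                   elif [ "$label" != "$WANT_LABEL" ]; then
                       echo "$PAM_FILE is labelled $label, want $WANT_LABEL"
                       n=$((n + 1))
                   fi ;;
        esac
    done
    return "$n"
}

# Constructed sample: root, no --service option, no PAM file -> one finding.
lint 0 "" --port 4200 || echo "findings: $?"
# On a real host: lint "$(id -u)" "$(stat -c %C "$PAM_FILE" 2>/dev/null)" <daemon args>
```

An "SSH" service produces no finding here; as the notes say, it still needs a locally running "sshd".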