andersk / test.git / blame
| Commit | Line | Data |
|---|---|---|
| 09c5d6e3 MG |
1 | When running in SELinux mode on Fedora, some operations don't work out of the |
| 2 | box. | |
| 3 | ||
| 4 | Until somebody contributes a complete SELinux policy for ShellInABox, here are | |
| 5 | some tips on getting things working: | |
| 6 | ||
| 7 | - avoid using the default "LOGIN" service. Calling /bin/login does not do | |
| 8 | the right thing. | |
| 9 | The "LOGIN" service is the default service when running "shellinaboxd" as | |
| 10 | "root". This means, you will most likely see all logins failing, whenever | |
| 11 | you start the daemon as "root". | |
| 12 | To fix this problem, consider explicitly specifying a service definition. | |
| 13 | One of these two should work: | |
| 2eb60237 | 14 | --service /:AUTH:HOME:SHELL |
| 09c5d6e3 MG |
15 | or |
| 16 | --service /:SSH | |
| 17 | The latter requires that you have a locally running "sshd" daemon. | |
| 18 | ||
| 2eb60237 MG |
19 | - Alternatively, consider running "./configure --disable-login" before building |
| 20 | the daemon. This will completely remove support for the "LOGIN" service, and | |
| 21 | shellinaboxd will instead use a default "SSH" service for both unprivileged | |
| 22 | and for "root" users. | |
| 23 | ||
| 09c5d6e3 MG |
24 | - On Fedora, PAM authentication does not work for shellinabox until you |
| 25 | explicitly configure it. This means, using "AUTH" in the service definition | |
| 26 | will not allow you to log in. | |
| 27 | You can fix this by defining a proper "/etc/pam.d/shellinabox" file. Take a | |
| 28 | look at "etc-pam.d-shellinabox-example" for a working example. | |
| 29 | Make sure you assign the correct SELinux labels to this file when copying | |
| 30 | it into "/etc/pam.d": | |
| 31 | cp -Z system_u:object_r:etc_t:s0 etc-pam.d-shellinabox-example /etc/pam.d/ | |
| 32 |