On 02/08/2012 03:10 PM, Dominick Grift wrote:
> On Wed, 2012-02-08 at 14:15 +0000, Miroslav Grepl wrote:
>> What OS?
>>
>> We have sftp+chroot+SELinux in Fedora16/17/RHEL6.2. You could chroot users in their home directories and then after sftp on a machine, a user will run in the "chroot_user_t" domain. This domain has these accesses by default
>>
>> userdom_read_user_home_content_files(chroot_user_t)
>> userdom_read_inherited_user_home_content_files(chroot_user_t)
>> userdom_read_user_home_content_symlinks(chroot_user_t)
>> userdom_exec_user_home_content_files(chroot_user_t)
>>
>> and the "ssh_chroot_rw_homedirs" boolean.
>
> You might want to write a blog about how this is supposed to work and how chroot_user_t differs from sftpd_t.

Yes, you read my mind. I have it on my TODO list. Basically, there is no longer sftpd_t. There is just chroot_user_t for "Chroot" option and userdomain context for internal-sftp subsystem without chroot.
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
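The split described in the thread above (chroot_user_t when the chroot option is set, the user's own domain for internal-sftp without chroot) can be checked against an sshd_config. This is an added example, not part of the original messages or the policy's own tooling. The function names `sftp_domains` and `sample_config` and the sample configuration are constructed for illustration, and Match criteria are reported per block, not evaluated against real users.

```sh
#!/bin/sh
# Added example: list each sshd_config scope with its effective
# ChrootDirectory and the domain the thread says a session lands in.

sftp_domains() {
    awk '
    function report(   eff) {
        eff = (chroot != "") ? chroot : gchroot   # Match blocks inherit the global value
        if (eff == "" || tolower(eff) == "none")
            printf "%s|none|user domain\n", scope
        else
            printf "%s|%s|chroot_user_t\n", scope, eff
    }
    BEGIN { scope = "global" }
    /^[ \t]*#/ || /^[ \t]*$/ { next }             # skip comments and blank lines
    tolower($1) == "match" {                      # keywords are case-insensitive
        if (scope == "global") gchroot = chroot
        report()
        $1 = ""; sub(/^[ \t]+/, "")
        scope = "Match " $0; chroot = ""
        next
    }
    tolower($1) == "chrootdirectory" && chroot == "" { chroot = $2 }  # first value wins
    END { if (scope == "global") gchroot = chroot; report() }
    ' "$1"
}

# Constructed sample configuration (group and user names are hypothetical).
sample_config() {
    cat <<'EOF'
Subsystem sftp internal-sftp

Match Group sftponly
    ChrootDirectory %h
    ForceCommand internal-sftp

Match User backup
    ForceCommand internal-sftp
EOF
}

# Demo run: prints one "scope|chroot|domain" line per scope.
tmp=$(mktemp) && sample_config > "$tmp" && sftp_domains "$tmp"
rm -f "$tmp"
```

On a live host, `ps -eZ` shows the domain an sftp session actually runs in, and `getsebool ssh_chroot_rw_homedirs` shows the state of the boolean named in the thread.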