31 lines
1.4 KiB
Text
31 lines
1.4 KiB
Text
When running in SELinux mode on Fedora, some operations don't work out of the
|
|
box.
|
|
|
|
Until somebody contributes a complete SELinux policy for ShellInABox, here are
|
|
some tips on getting things working:
|
|
|
|
- avoid using the default "LOGIN" service. Calling /bin/login does not do
|
|
the right thing.
|
|
The "LOGIN" service is the default service when running "shellinaboxd" as
|
|
"root". This means, you will most likely see all logins failing, whenever
|
|
you start the daemon as "root".
|
|
To fix this problem, consider explicitly specifying a service definition.
|
|
One of these two should work:
|
|
--service /:AUTH:HOME:SHELL
|
|
or
|
|
--service /:SSH
|
|
The latter requires that you have a locally running "sshd" daemon.
|
|
|
|
- Alternatively, consider running "./configure --disable-login" before building
|
|
the daemon. This will completely remove support for the "LOGIN" service, and
|
|
shellinaboxd will instead use a default "SSH" service for both unprivileged
|
|
and for "root" users.
|
|
|
|
- On Fedora, PAM authentication does not work for shellinabox until you
|
|
explicitly configure it. This means, using "AUTH" in the service definition
|
|
will not allow you to log in.
|
|
You can fix this by defining a proper "/etc/pam.d/shellinabox" file. Take a
|
|
look at "etc-pam.d-shellinabox-example" for a working example.
|
|
Make sure you assign the correct SELinux labels to this file when copying
|
|
it into "/etc/pam.d":
|
|
cp -Z system_u:object_r:etc_t:s0 etc-pam.d-shellinabox-example /etc/pam.d/
|