We are working on a management tool that attempts to set up
mod-auth-shadow to work on Red Hat 5.1 with SELinux in enforcing mode.
Based on the following excerpt from the httpd_selinux man page:
"If you want to share files with multiple domains (Apache, FTP, rsync,
public_content_rw_t. These context allow any of the above domains to
read the content. If you want a particular domain to write to the
public_content_rw_t domain, you must set the appropriate boolean.
allow_DOMAIN_anon_write. So for httpd you would execute:
setsebool -P allow_httpd_anon_write=1
or
setsebool -P allow_httpd_sys_script_anon_write=1"
we have set the file context of /etc/shadow to public_content_t. The
file permissions remain unchanged, only root can read the file.
[EMAIL PROTECTED] ~]# ls -alZ /etc/shadow
-r-------- root root root:object_r:public_content_t /etc/shadow
This almost works correctly:
1) mod-auth-shadow works correctly
2) can manage users via command line tools (useradd/usermod/userdel etc.)
3) system-config-users can manage users
4) my management tool can manage users
I have some problems with this setup however:
1) I'm not sure of all the implications of changing the file context of
/etc/shadow to public_content_t. Basically I'm getting confused as to
how someone or some process gets write permissions to the file.
2) An rpm that attempts to add a user in a pre/post install script fails
to add the user. useradd is denied write access to /etc/shadow.
3) I get a lot of the following SELinux alerts:
SELinux is preventing /sbin/unix_update (updpwd_t) "read" to shadow
(public_content_t).
4) I also suspect the following scenario will fail, but I haven't
verified it yet:
a) install an rpm that adds a user
b) set the file context of /etc/shadow to public_content_t
c) remove the previously installed rpm.
I suspect a userdel in a postun script will fail with a write denial for
/etc/shadow.
Do I have to set the file context of /etc/shadow to public_content_rw_t,
and set a boolean to allow anonymous writes? There doesn't seem to be
any such boolean for rpm.
Scott
_______________________________________________
rhelv5-list mailing list
rhelv5-list@redhat.com
https://www.redhat.com/mailman/listinfo/rhelv5-list
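The two symptoms Scott describes, the relabelled /etc/shadow and the stream of setroubleshoot alerts, are both visible in text that an administrator already has in hand: `ls -alZ` output and the alert lines. The following script is an added illustration and is not code from the original post, mod-auth-shadow, or Red Hat. It parses both formats, flags files whose SELinux type differs from the expected one, and tallies denials by (source domain, permission, target type) so the impact of a relabel on domains such as updpwd_t shows up as a count rather than as individual alerts. The expected-type table (shadow_t for /etc/shadow and /etc/gshadow under the RHEL 5 targeted policy) and both sample inputs are constructed for this example; the useradd_t alert line is a constructed addition modelled on the alert format in the post.

```python
"""Audit helper for SELinux file-context drift on sensitive files.

Example code added to this thread, not part of the original post. The
expected-type table is an assumption (reference policy on RHEL 5 targeted),
and the sample inputs below are constructed, modelled on lines in the post.
"""
import re
from collections import Counter

# Assumption: default types under the RHEL 5 targeted policy.
EXPECTED_TYPES = {"/etc/shadow": "shadow_t", "/etc/gshadow": "shadow_t"}

# Constructed sample of `ls -alZ` output (first line mirrors the post).
LS_Z_SAMPLE = """\
-r-------- root root root:object_r:public_content_t /etc/shadow
-r-------- root root system_u:object_r:shadow_t /etc/gshadow
"""

# Constructed sample of setroubleshoot alert lines (first and third mirror the post;
# the useradd_t line is constructed to match the useradd write denial described).
ALERT_SAMPLE = """\
SELinux is preventing /sbin/unix_update (updpwd_t) "read" to shadow (public_content_t).
SELinux is preventing /usr/sbin/useradd (useradd_t) "write" to shadow (public_content_t).
SELinux is preventing /sbin/unix_update (updpwd_t) "read" to shadow (public_content_t).
"""

ALERT_RE = re.compile(
    r'SELinux is preventing (?P<exe>\S+) \((?P<sdom>\w+)\) '
    r'"(?P<perm>\w+)" to (?P<target>\S+) \((?P<ttype>\w+)\)'
)


def parse_ls_z(text):
    """Map each path in `ls -alZ` output to (mode, owner, group, SELinux type)."""
    entries = {}
    for line in text.splitlines():
        parts = line.split(None, 4)          # path may contain spaces: at most 4 splits
        if len(parts) != 5 or ":" not in parts[3]:
            continue                         # skip "total" lines or lines without a context
        mode, owner, group, ctx, path = parts
        setype = ctx.split(":")[2]           # user:role:type[:level] -> type
        entries[path] = (mode, owner, group, setype)
    return entries


def find_context_drift(text, expected=EXPECTED_TYPES):
    """Return (path, actual_type, expected_type) for each file whose type differs."""
    drift = []
    for path, (_mode, _owner, _group, setype) in parse_ls_z(text).items():
        want = expected.get(path)
        if want is not None and setype != want:
            drift.append((path, setype, want))
    return drift


def summarise_alerts(text):
    """Count denials keyed by (source domain, permission, target type)."""
    counts = Counter()
    for m in ALERT_RE.finditer(text):
        counts[(m.group("sdom"), m.group("perm"), m.group("ttype"))] += 1
    return counts


if __name__ == "__main__":
    for path, actual, want in find_context_drift(LS_Z_SAMPLE):
        print(f"{path}: labelled {actual}, policy expects {want}")
    for (sdom, perm, ttype), n in sorted(summarise_alerts(ALERT_SAMPLE).items()):
        print(f"{n}x {sdom} denied {perm} on {ttype}")
```

Run against real `ls -alZ /etc/shadow /etc/gshadow` output and the alert text from /var/log/messages, the drift report tells you whether a sensitive file has been relabelled away from its policy type, and the tally shows which domains (here updpwd_t and useradd_t) lose access as a result.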