| 1 |
Currently I'm setting up a machine that uses NIS for authentication, nfs |
| 2 |
for shared home directories, and ssh for remote access. |
| 3 |
|
| 4 |
In the process I have created a context for ypbind. However there are a |
| 5 |
few rules that I had to add that I'm not sure where they fit, or if some |
| 6 |
modification needs to be done to other parts of the policy. |
| 7 |
|
| 8 |
|
| 9 |
First off, when using yp the bash_profile cannot set the prompt |
| 10 |
correctly becuase it doesn't have access to the var_yp_t:dir and file. |
| 11 |
The prompt looks like this |
| 12 |
|
| 13 |
I have no name!@p12 ihde $ |
| 14 |
|
| 15 |
If I add |
| 16 |
allow { user_t } var_yp_t:dir { search }; |
| 17 |
allow { user_t } var_yp_t:file { read }; |
| 18 |
|
| 19 |
the prompt looks correct. I think this might be too loose, but I cannot |
| 20 |
figure out how else to accomplish this without because the offending |
| 21 |
process is /bin/bash. |
| 22 |
|
| 23 |
As a side note, the same problem exists with whoami (which is also |
| 24 |
called in bash_profile). For this I created an fc and te for whoami so |
| 25 |
it can access the var_yp stuff. Is this a good idea? |
| 26 |
|
| 27 |
Secondly, for ssh to recognize the NIS users I had to add |
| 28 |
|
| 29 |
allow { sshd_t } var_yp_t:dir { search }; |
| 30 |
allow { sshd_t } var_yp_t:file { read }; |
| 31 |
|
| 32 |
|
| 33 |
On to NFS, mount needed |
| 34 |
allow { mount_t } resolv_conf_t:file { read getattr }; |
| 35 |
allow { mount_t } mount_t:tcp_socket { write read }; |
| 36 |
|
| 37 |
I could probably get by without resolv_conf_t:file if I used an IP |
| 38 |
address in fstab as opposed to the hostname. |
| 39 |
|
| 40 |
Right now all the nfs files and directories and labeled (null). And a |
| 41 |
relabel does not change this. Because of this they seem to all be in |
| 42 |
the context nfs_t:dir and nfs_t:file. I don't want to give users full |
| 43 |
access to nfs_t. How can I label these nfs file systems appropriatly |
| 44 |
(btw...I believe they are ext2). |
| 45 |
|
| 46 |
Thanks for any help and all useful comments. |
| 47 |
|
| 48 |
~Michael |
Archives