Currently I'm setting up a machine that uses NIS for authentication, nfs
for shared home directories, and ssh for remote access.

In the process I have created a context for ypbind. However there are a
few rules that I had to add that I'm not sure where they fit, or if some
modification needs to be done to other parts of the policy.


First off, when using yp the bash_profile cannot set the prompt
correctly because it doesn't have access to the var_yp_t:dir and file.
The prompt looks like this

I have no name!@p12 ihde $

If I add

allow { user_t } var_yp_t:dir { search };
allow { user_t } var_yp_t:file { read };

the prompt looks correct. I think this might be too loose, but I cannot
figure out how else to accomplish this, because the offending
process is /bin/bash.

As a side note, the same problem exists with whoami (which is also
called in bash_profile). For this I created an fc and te for whoami so
it can access the var_yp stuff. Is this a good idea?

Secondly, for ssh to recognize the NIS users I had to add

allow { sshd_t } var_yp_t:dir { search };
allow { sshd_t } var_yp_t:file { read };


On to NFS, mount needed

allow { mount_t } resolv_conf_t:file { read getattr };
allow { mount_t } mount_t:tcp_socket { write read };

I could probably get by without resolv_conf_t:file if I used an IP
address in fstab as opposed to the hostname.

Right now all the nfs files and directories are labeled (null). And a
relabel does not change this. Because of this they seem to all be in
the context nfs_t:dir and nfs_t:file. I don't want to give users full
access to nfs_t. How can I label these nfs file systems appropriately
(btw...I believe they are ext2).

Thanks for any help and all useful comments.

~Michael
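To check that rules like the ones quoted in this message grant only what the sender intended (search on the directory, read on the file, nothing more), here is a small parser for the `allow { src } target:class { perms };` form of SELinux TE rules with a least-privilege query helper. This is an added example, not code from the original message or from the SELinux reference policy; it handles only the rule subset shown above, and the sample policy text is constructed from the rules in the post.

```python
"""Minimal parser for SELinux TE 'allow' rules and an access-query helper.

Handles rules of the form:   allow { src_t } target_t:class { perm perm };
and the unbraced variant:    allow src_t target_t:class perm;
(Added example; covers only this subset of the TE language.)
"""
import re
from collections import defaultdict

# source set | target type : object class | permission set
ALLOW_RE = re.compile(
    r"allow\s+(\{[^}]*\}|\S+)\s+(\S+?):(\S+?)\s+(\{[^}]*\}|\S+?)\s*;"
)


def _names(token):
    """Expand '{ a b }' or 'a' into a list of names."""
    return token.strip("{} ").split()


def parse_allow_rules(policy_text):
    """Return {(src, tgt, cls): set(perms)} for every allow rule found."""
    rules = defaultdict(set)
    for match in ALLOW_RE.finditer(policy_text):
        srcs, tgt, cls, perms = match.groups()
        for src in _names(srcs):
            rules[(src, tgt, cls)].update(_names(perms))
    return dict(rules)


def is_allowed(rules, src, tgt, cls, perm):
    """True if the parsed rules grant src 'perm' on tgt:cls."""
    return perm in rules.get((src, tgt, cls), set())


def excess_permissions(rules, src, tgt, cls, expected):
    """Permissions granted beyond 'expected'; an empty set means least privilege holds."""
    return rules.get((src, tgt, cls), set()) - set(expected)


# Constructed sample: the rules quoted in the message above.
POLICY = """
allow { user_t } var_yp_t:dir { search };
allow { user_t } var_yp_t:file { read };
allow { sshd_t } var_yp_t:dir { search };
allow { sshd_t } var_yp_t:file { read };
allow { mount_t } resolv_conf_t:file { read getattr };
allow { mount_t } mount_t:tcp_socket { write read };
"""
RULES = parse_allow_rules(POLICY)

if __name__ == "__main__":
    print(is_allowed(RULES, "user_t", "var_yp_t", "dir", "search"))   # True
    print(is_allowed(RULES, "user_t", "var_yp_t", "file", "write"))   # False
    print(excess_permissions(RULES, "user_t", "var_yp_t", "file", ["read"]))  # set()
```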