A confined sftp user

Miroslav Grepl mgrepl at redhat.com
Wed Feb 8 17:35:25 UTC 2012


On 02/08/2012 03:10 PM, Dominick Grift wrote:
> On Wed, 2012-02-08 at 14:15 +0000, Miroslav Grepl wrote:
>
>> What OS?
>>
>> We have sftp+chroot+SELinux in Fedora16/17/RHEL6.2. You could chroot
>> users in their home directories and then after sftp on a machine, a
>> user will run in the "chroot_user_t" domain.
>>
>> This domain has these accesses by default
>>
>> userdom_read_user_home_content_files(chroot_user_t)
>> userdom_read_inherited_user_home_content_files(chroot_user_t)
>> userdom_read_user_home_content_symlinks(chroot_user_t)
>> userdom_exec_user_home_content_files(chroot_user_t)
>>
>> and the "ssh_chroot_rw_homedirs" boolean.
>>
> You might want to write a blog about how this is supposed to work and
> how chroot_user_t differs from sftpd_t.
Yes, you read my mind. I have it on my TODO list. Basically, there is no
longer an sftpd_t. There is just chroot_user_t for the "Chroot" option and
the userdomain context for the internal-sftp subsystem without chroot.
>
>>
>> --
>> selinux mailing list
>> selinux at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
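An added example, not part of the thread above, of the setup it describes: a constructed sshd_config fragment that chroots one group into its home directory, a helper that predicts from such a config whether a group's sftp sessions will land in chroot_user_t or in the user's normal domain (labelled "user_domain" here as a placeholder), and the boolean and check commands to run on the server. The group name "sftponly" and the config text are assumptions.

```bash
#!/bin/bash
# Added example, not from the thread. Constructed sshd_config fragment:
# members of the (assumed) group "sftponly" are chrooted into their home
# directory and forced into internal-sftp; everyone else gets the sftp
# subsystem without chroot.
SAMPLE_SSHD_CONFIG='Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
Match all
'

# Predict the SELinux domain an sftp session for a member of group $1 will
# run in under the sshd_config text $2: "chroot_user_t" when the group's
# Match block sets ChrootDirectory, otherwise "user_domain" (the login
# user's normal domain, as the thread describes for internal-sftp without
# chroot). Only single-group "Match Group <name>" lines are recognised.
sftp_domain_for_group() {
    local group="$1" cfg="$2"
    printf '%s\n' "$cfg" | awk -v g="$group" '
        /^[ \t]*[Mm]atch[ \t]/ { inblk = ($2 ~ /^[Gg]roup$/ && $3 == g); next }
        inblk && $1 ~ /^[Cc]hroot[Dd]irectory$/ { found = 1 }
        END { print (found ? "chroot_user_t" : "user_domain") }'
}

# Run on the sftp server itself (not here): allow chrooted users to write
# into their home directory, since chroot_user_t only reads and executes
# home content by default. -P makes the change survive a reboot.
allow_chroot_homedir_writes() {
    setsebool -P ssh_chroot_rw_homedirs on
}

# Run on the server while a chrooted user is logged in: their internal-sftp
# process should be labelled chroot_user_t, and the boolean should read "on".
show_chroot_sftp_context() {
    getsebool ssh_chroot_rw_homedirs
    ps -eZ | grep '[i]nternal-sftp'
}
```

Only sftp_domain_for_group runs offline; the other two functions need an SELinux host with sshd configured as above.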