Proposed additions to the SELinux FAQ

= This is not the formal FAQ. If you have a question and/or answer you would like to appear in the FAQ, please put it here and we will try to answer it. =

In Red Hat Enterprise Linux 4, how do I write policy to allow a domain to use pam_unix.so?
Very few domains in the SELinux world are allowed to read the /etc/shadow file. There are constraint rules that prevent policy writers from writing rules like

allow mydomain_t shadow_t:file read;

In RHEL4 you can instead set up your domain to use the unix_chkpwd command. The easiest way is to use the unix_chkpwd attribute. So if you were writing policy for an ftpd daemon you would write something like

daemon_domain(vsftpd, `auth_chkpwd')

This creates a domain transition vsftpd_t -> chkpwd_exec_t -> system_chkpwd_t: system_chkpwd_t can read /etc/shadow, while vsftpd_t itself cannot.

In FC5/RHEL5 you will add the rule

auth_domtrans_chk_passwd(vsftpd_t)

How do I make directories available via anonymous ftp?
 * Edit /etc/vsftpd/vsftpd.conf (for example with gedit /etc/vsftpd/vsftpd.conf), add the line anon_root=/home/my_anonymous_ftp_directory and save the file
 * In a terminal (gnome-terminal), check the current context of the directory: ls -lZ -d /home/my_anonymous_ftp_directory/
 * ?? rem: chcon -t public_content_t /home/my_anonymous_ftp_directory/ -R
 * ?? setsebool -P ftp_home_dir=1
 * more work required.

How do I configure boot time mounting of iso images so that they can be available for anonymous ftp access?
By default, selinux-policy-targeted will block mounting of iso images from /etc/fstab. The following steps are used to mount the iso image with appropriate selinux contexts:

 * Create a folder to mount the iso in: mkdir /home/mounted_disc/
 * Set the selinux context for mounting: chcon -t mnt_t /home/mounted_disc/
 * Backup your fstab: su -c 'cp /etc/fstab /etc/fstab.before_iso_mount'
 * Edit fstab: su -c 'gedit /etc/fstab'
 * Add a mount line for the iso image (all on one line; the fscontext option gives every file on the image that context, since iso9660 cannot store labels itself):

/home/my_cd_or_dvd_image.iso /home/mounted_disc/ iso9660 _netdev,ro,loop,fscontext=system_u:object_r:public_content_t:s0 0 0

 * Save and exit gedit
 * Test that the mount line is OK: mount /home/my_cd_or_dvd_image.iso
 * Test that the mount is automatically available after reboot: reboot, then run mount and check that /home/mounted_disc/ is listed
 * Now use the previous ftp share config to set up ftp sharing of the mounted iso
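As an added check (not part of the original FAQ), this script audits an fstab for loop-mounted entries like the one above and flags any that are not mounted read-only or whose fscontext type is not public_content_t; the sample fstab it reads is constructed here, not taken from a real system.

```shell
#!/bin/sh
# Constructed sample fstab: the first ISO entry mirrors the one in the FAQ,
# the second is a deliberately weak variant (writable type, no "ro").
SAMPLE_FSTAB="$(mktemp)"
trap 'rm -f "$SAMPLE_FSTAB"' EXIT
cat > "$SAMPLE_FSTAB" <<'EOF'
LABEL=/ / ext3 defaults 1 1
/home/my_cd_or_dvd_image.iso /home/mounted_disc/ iso9660 _netdev,ro,loop,fscontext=system_u:object_r:public_content_t:s0 0 0
/home/other_image.iso /home/other_disc/ iso9660 loop,fscontext=system_u:object_r:public_content_rw_t:s0 0 0
EOF

# check_loop_mounts FSTAB
# For every entry mounted with "loop", require "ro" and a fscontext whose type
# is public_content_t (readable but not writable by anonymous vsftpd).
# Prints one line per finding; returns 0 when clean, 1 otherwise.
check_loop_mounts() {
    awk '
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        {
            n = split($4, opts, ",")
            loop = 0; ro = 0; ctx = ""
            for (i = 1; i <= n; i++) {
                if (opts[i] == "loop") loop = 1
                else if (opts[i] == "ro") ro = 1
                else if (opts[i] ~ /^fscontext=/) ctx = substr(opts[i], 11)
            }
            if (!loop) next
            if (!ro) { print $2 ": loop mount is not read-only"; bad = 1 }
            split(ctx, c, ":")            # user:role:type:level
            if (c[3] != "public_content_t") {
                print $2 ": fscontext type is \"" c[3] "\", expected public_content_t"
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

if check_loop_mounts "$SAMPLE_FSTAB"; then
    echo "all loop mounts are read-only and labelled public_content_t"
fi
```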

Are there any presentations on using SELinux?
At Colorado Software Summit, Thomas Cameron gave a presentation entitled 'SELinux for Mere Mortals - Or, Don't turn it off', which is [available as a pdf].