When running in SELinux mode on Fedora, some operations don't work out of the
box.

Until somebody contributes a complete SELinux policy for ShellInABox, here are
some tips on getting things working:

- Avoid using the default "LOGIN" service. Calling /bin/login does not do
  the right thing.
  The "LOGIN" service is the default service when running "shellinaboxd" as
  "root". This means you will most likely see all logins fail whenever you
  start the daemon as "root".
  To fix this problem, consider explicitly specifying a service definition.
  One of these two should work:
      --service /:AUTH:HOME:SHELL
  or
      --service /:SSH
  The latter requires that you have a locally running "sshd" daemon.

- Alternatively, consider running "./configure --disable-login" before building
  the daemon. This will completely remove support for the "LOGIN" service, and
  shellinaboxd will instead use a default "SSH" service for both unprivileged
  and "root" users.

- On Fedora, PAM authentication does not work for shellinabox until you
  explicitly configure it. This means that using "AUTH" in the service
  definition will not allow you to log in.
  You can fix this by defining a proper "/etc/pam.d/shellinabox" file. Take a
  look at "etc-pam.d-shellinabox-example" for a working example.
  Make sure you assign the correct SELinux labels to this file when copying
  it into "/etc/pam.d":
      cp --context=system_u:object_r:etc_t:s0 etc-pam.d-shellinabox-example /etc/pam.d/shellinabox
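
To confirm the label after copying, the following added example (not part of
the ShellInABox distribution) compares a file's SELinux context, field by
field, with the context used in the cp command above. The function names are
hypothetical, and it assumes GNU stat, whose %C format prints the context.

```shell
#!/bin/sh
# Added example: check the SELinux label of the PAM file after copying it.
# EXPECTED is the context given in the cp command on this page.
EXPECTED="system_u:object_r:etc_t:s0"

# compare_context ACTUAL WANTED  (hypothetical helper)
# A context is user:role:type:level, and the level itself may contain
# colons (for example "s0:c1,c2"), so only the first three fields are split
# off. Prints the names of the fields that differ; returns 0 if none do.
compare_context() {
    actual=$1
    wanted=$2
    bad=""
    for field in user role type; do
        [ "${actual%%:*}" = "${wanted%%:*}" ] || bad="$bad $field"
        actual=${actual#*:}
        wanted=${wanted#*:}
    done
    [ "$actual" = "$wanted" ] || bad="$bad level"
    if [ -n "$bad" ]; then
        echo "${bad# }"
        return 1
    fi
    return 0
}

# check_pam_label FILE  (hypothetical helper)
# Assumes GNU stat, whose %C format prints the SELinux context of FILE.
check_pam_label() {
    ctx=$(stat -c %C "$1") || return 2
    if diff_fields=$(compare_context "$ctx" "$EXPECTED"); then
        echo "OK: $1 is labelled $ctx"
    else
        echo "MISMATCH ($diff_fields): $1 is $ctx, expected $EXPECTED"
        return 1
    fi
}

# Run the check only when a file name is given, for example:
#   sh check-label.sh /etc/pam.d/shellinabox
if [ "$#" -gt 0 ]; then
    check_pam_label "$1"
fi
```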