/sbin/lidsadm -A -s /usr/local/bin/multilog \
    -o /var/dnscache/dnscache/log/main -j WRITE
# tinydns
#
/bin/echo "tinydns"
/sbin/lidsadm -A -s /usr/local/bin/supervise \
    -o /var/dnscache/tinydns/supervise -j WRITE
/sbin/lidsadm -A -s /usr/local/bin/supervise \
    -o /var/dnscache/tinydns/log/supervise -j WRITE
/sbin/lidsadm -A -s /usr/local/bin/multilog \
    -o /var/dnscache/tinydns/log/main -j WRITE
</PRE>
<P>
<H2><A NAME="courier-imap-config"></A> <A NAME="ss7.5">7.5 Courier-imap</A></H2>
<P>The following ACLs assume courier-imap was installed into <CODE>/usr/local/courier-imap</CODE>. Because this configuration does not grant CAP_NET_BIND_SERVICE, courier-imap must be started before the kernel is sealed, or while LIDS_GLOBAL is disabled, so that it can bind to port 143.
<P>
<PRE>
/sbin/lidsadm -A -o /usr/local/courier-imap -j DENY
/sbin/lidsadm -A -s /usr/local/courier-imap/sbin/imaplogin \
    -o /etc/shadow -j READ
/sbin/lidsadm -A -s /usr/local/courier-imap/libexec/authlib/authpam \
    -o /etc/shadow -j READ
/sbin/lidsadm -A -s /usr/local/courier-imap/libexec/couriertcpd \
    -o /usr/local/courier-imap -j READ
/sbin/lidsadm -A -s /usr/local/courier-imap/libexec/couriertcpd \
    -o CAP_SETUID -i 3 -j GRANT
/sbin/lidsadm -A -s /usr/local/courier-imap/libexec/couriertcpd \
    -o CAP_SETGID -i 3 -j GRANT
/sbin/lidsadm -A -s /usr/local/courier-imap/libexec/couriertcpd \
    -o CAP_DAC_OVERRIDE -i 3 -j GRANT
/sbin/lidsadm -A -s /usr/local/courier-imap/libexec/couriertcpd \
    -o CAP_DAC_READ_SEARCH -i 3 -j GRANT
</PRE>
<P>
<H2><A NAME="mysql-config"></A> <A NAME="ss7.6">7.6 MySQL</A></H2>
<P>The following ACLs assume MySQL was installed into <CODE>/usr/local/mysql</CODE>.
<PRE>
/sbin/lidsadm -A -o /usr/local/mysql/var -j APPEND
/sbin/lidsadm -A -o /usr/local/mysql -j DENY
/sbin/lidsadm -A -s /usr/local/mysql/libexec/mysqld \
    -o /usr/local/mysql -j READ
/sbin/lidsadm -A -s /usr/local/mysql/libexec/mysqld \
    -o /usr/local/mysql/var -j WRITE
</PRE>
<P>
<H2><A NAME="openssh-config"></A> <A NAME="ss7.7">7.7 OpenSSH</A></H2>
<P>The following configuration will work after boot, with the kernel sealed and LIDS_GLOBAL on, because it gives sshd the CAP_NET_BIND_SERVICE capability it needs to bind to port 22.
<PRE>
/sbin/lidsadm -A -s /usr/sbin/sshd -o /etc/shadow -j READ
/sbin/lidsadm -A -o /etc/ssh/sshd_config -j DENY
/sbin/lidsadm -A -o /etc/ssh/ssh_host_key -j DENY
/sbin/lidsadm -A -o /etc/ssh/ssh_host_dsa_key -j DENY
/sbin/lidsadm -A -s /usr/sbin/sshd \
    -o /etc/ssh/sshd_config -j READ
/sbin/lidsadm -A -s /usr/sbin/sshd \
    -o /etc/ssh/ssh_host_key -j READ
/sbin/lidsadm -A -s /usr/sbin/sshd \
    -o /etc/ssh/ssh_host_dsa_key -j READ
/sbin/lidsadm -A -s /usr/sbin/sshd \
    -o /var/log/wtmp -j WRITE
/sbin/lidsadm -A -s /usr/sbin/sshd \
    -o /var/log/lastlog -j WRITE
/sbin/lidsadm -A -s /usr/sbin/sshd \
    -o CAP_SETUID -j GRANT
/sbin/lidsadm -A -s /usr/sbin/sshd \
    -o CAP_SETGID -j GRANT
/sbin/lidsadm -A -s /usr/sbin/sshd \
    -o CAP_FOWNER -j GRANT
/sbin/lidsadm -A -s /usr/sbin/sshd \
    -o CAP_CHOWN -j GRANT
/sbin/lidsadm -A -s /usr/sbin/sshd \
    -o CAP_DAC_OVERRIDE -j GRANT
/sbin/lidsadm -A -s /usr/sbin/sshd \
    -o CAP_NET_BIND_SERVICE -j GRANT
</PRE>
<P>
<H2><A NAME="openldap-config"></A> <A NAME="ss7.8">7.8 OpenLDAP (slapd)</A></H2>
<P>The following configuration will work after boot, with the kernel sealed and LIDS_GLOBAL on, because it gives slapd the CAP_NET_BIND_SERVICE capability.
<PRE>
/sbin/lidsadm -A -s /usr/local/libexec/slapd \
    -o /usr/local/ldapdb -j WRITE
/sbin/lidsadm -A -s /usr/local/libexec/slapd \
    -o CAP_NET_BIND_SERVICE -j GRANT
/sbin/lidsadm -A -s /usr/local/libexec/slapd \
    -o CAP_INIT_KILL -j GRANT
/sbin/lidsadm -A -s /usr/local/libexec/slapd \
    -o CAP_SYS_MODULE -j GRANT
</PRE>
<P>
<H2><A NAME="portsentry-config"></A> <A NAME="ss7.9">7.9 Port Sentry</A></H2>
<P>The following configuration will work after boot, with the kernel sealed and LIDS_GLOBAL on, because it gives portsentry the CAP_NET_BIND_SERVICE capability. Depending on what you want portsentry to do, you may or may not need all of the following ACLs.
<PRE>
/sbin/lidsadm -A -s /usr/local/psionic/portsentry/portsentry \
    -o /usr/local/psionic/portsentry -j WRITE
/sbin/lidsadm -A -s /usr/local/psionic/portsentry/portsentry \
    -o /var/log -j WRITE
/sbin/lidsadm -A -s /usr/local/psionic/portsentry/portsentry \
    -o CAP_NET_BIND_SERVICE -j GRANT
# For portsentry to be able to update the firewall:
/sbin/lidsadm -A -s /usr/local/psionic/portsentry/portsentry \
    -o CAP_NET_RAW -i 1 -j GRANT
# For portsentry to be able to update /etc/hosts.allow and/or /etc/hosts.deny:
/sbin/lidsadm -A -s /usr/local/psionic/portsentry/portsentry \
    -o /etc/hosts.allow -j WRITE
/sbin/lidsadm -A -s /usr/local/psionic/portsentry/portsentry \
    -o /etc/hosts.deny -j WRITE
</PRE>
<P>
<H2><A NAME="samba-config"></A> <A NAME="ss7.10">7.10 Samba</A></H2>
<P>This configuration does not grant CAP_NET_BIND_SERVICE, so Samba must be started before the kernel is sealed, or while LIDS_GLOBAL is disabled, so that it can bind to ports 137 and 139.
<P>
<PRE>
/sbin/lidsadm -A -o /etc/samba -j READ
/sbin/lidsadm -A -o /var/samba -j READ
/sbin/lidsadm -A -s /usr/sbin/smbd -o /var/samba -j WRITE
/sbin/lidsadm -A -s /usr/sbin/nmbd -o /var/samba -j WRITE
# smbd needs write access to smbpasswd to chmod it. I think it
# also needs access to MACHINE.SID
/sbin/lidsadm -A -s /usr/sbin/smbd -o /etc/samba -j WRITE
/sbin/lidsadm -A -s /usr/sbin/smbd -o /etc/shadow -j READ
/sbin/lidsadm -A -s /usr/sbin/smbd -o CAP_SETUID -j GRANT
/sbin/lidsadm -A -s /usr/sbin/smbd -o CAP_SETGID -j GRANT
/sbin/lidsadm -A -s /usr/sbin/smbd -o CAP_HIDDEN -j GRANT
# LIDS complains about smbd trying to chroot to /
# everything still seems to work without it, though
# (and isn't chrooting to / kinda pointless anyway?)
#/sbin/lidsadm -A -s /usr/sbin/smbd -o CAP_SYS_CHROOT -j GRANT
/sbin/lidsadm -A -s /usr/sbin/nmbd -o CAP_HIDDEN -j GRANT
</PRE>
<P>
<H2><A NAME="heartbeat-config"></A> <A NAME="ss7.11">7.11 Linux HA heartbeat</A></H2>
<P>
<PRE>
/sbin/lidsadm -A -o /usr/lib/heartbeat/heartbeat -j READ
/sbin/lidsadm -A -s /usr/lib/heartbeat/heartbeat \
    -o CAP_NET_BIND_SERVICE -i -1 -j GRANT
/sbin/lidsadm -A -s /usr/lib/heartbeat/heartbeat \
    -o CAP_SYS_RAWIO -i -1 -j GRANT
/sbin/lidsadm -A -s /usr/lib/heartbeat/heartbeat \
    -o CAP_NET_BROADCAST -i -1 -j GRANT
/sbin/lidsadm -A -s /usr/lib/heartbeat/heartbeat \
    -o CAP_NET_ADMIN -i -1 -j GRANT
/sbin/lidsadm -A -s /usr/lib/heartbeat/heartbeat \
    -o CAP_NET_RAW -i -1 -j GRANT
/sbin/lidsadm -A -s /usr/lib/heartbeat/heartbeat \
    -o CAP_SYS_ADMIN -i -1 -j GRANT
# For sending Gratuitous Arps
/sbin/lidsadm -A -o /usr/lib/heartbeat/send_arp -j READ
/sbin/lidsadm -A -s /usr/lib/heartbeat/send_arp \
    -o CAP_NET_RAW -i -1 -j GRANT
# For modifying the routing table when the IP address changes
/sbin/lidsadm -A -o /sbin/route -j READ
/sbin/lidsadm -A -s /sbin/route -o CAP_NET_ADMIN -i 0 -j GRANT
#
# Protect the heartbeat configuration and authentication key.
#
/sbin/lidsadm -A -o /etc/ha.d/ha.cf -j READ
/sbin/lidsadm -A -o /etc/ha.d/haresources -j READ
/sbin/lidsadm -A -o /etc/ha.d/authkeys -j DENY
#
# Only heartbeat can see the authkey
#
/sbin/lidsadm -A -s /usr/lib/heartbeat/heartbeat \
    -o /etc/ha.d/authkeys -j READ
</PRE>
<P>
<HR>
<A HREF="LIDS-FAQ-8.html">Next</A>
<A HREF="LIDS-FAQ-6.html">Previous</A>
<A HREF="LIDS-FAQ.html#toc7">Contents</A>
</BODY>
</HTML>
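<P>The sections above differ mainly in which capabilities each daemon is granted and how far those grants are inherited by child processes (the <CODE>-i</CODE> level: 0 for the subject only, a positive number for that many levels of children, -1 for unlimited). As an added example, not part of the LIDS FAQ or of LIDS itself, the POSIX shell script below reads an ACL script in the layout used on this page, joins the backslash-continued lines, lists the capability GRANTs per subject, and flags grants worth a second look: capabilities that reach around file-level protection or the seal (CAP_SYS_MODULE loads kernel modules, CAP_SYS_RAWIO gives raw device access, CAP_DAC_OVERRIDE bypasses file permissions, CAP_SYS_ADMIN is the catch-all), and any grant with unlimited inheritance. The sample ACLs are a constructed subset copied from this section; the set of flagged capabilities, the function names and the treatment of a missing <CODE>-i</CODE> as level 0 are this example's assumptions, not LIDS documentation.

```shell
#!/bin/sh
# Added example (not from the LIDS FAQ or from LIDS): audit a lidsadm ACL
# script for capability grants. Assumptions: one "/sbin/lidsadm -A ..." per
# command, with backslash continuations as on the FAQ page; a GRANT with
# no -i is treated as inheritance level 0; RISKY_CAPS is this example's list.

# Constructed sample: a subset of the ACLs from this section, same layout.
sample_acls() {
    cat <<'EOF'
# from 7.7 OpenSSH
/sbin/lidsadm -A -s /usr/sbin/sshd -o /etc/shadow -j READ
/sbin/lidsadm -A -o /etc/ssh/ssh_host_key -j DENY
/sbin/lidsadm -A -s /usr/sbin/sshd \
    -o CAP_NET_BIND_SERVICE -j GRANT
/sbin/lidsadm -A -s /usr/sbin/sshd \
    -o CAP_DAC_OVERRIDE -j GRANT
# from 7.5 Courier-imap
/sbin/lidsadm -A -s /usr/local/courier-imap/libexec/couriertcpd \
    -o CAP_SETUID -i 3 -j GRANT
# from 7.8 OpenLDAP
/sbin/lidsadm -A -s /usr/local/libexec/slapd \
    -o CAP_SYS_MODULE -j GRANT
# from 7.11 heartbeat
/sbin/lidsadm -A -s /usr/lib/heartbeat/heartbeat \
    -o CAP_NET_BROADCAST -i -1 -j GRANT
/sbin/lidsadm -A -s /usr/lib/heartbeat/heartbeat \
    -o CAP_SYS_ADMIN -i -1 -j GRANT
/sbin/lidsadm -A -s /sbin/route -o CAP_NET_ADMIN -i 0 -j GRANT
EOF
}

# Print "subject capability inheritance" for every GRANT ACL read on stdin.
# File ACLs (READ/WRITE/APPEND/DENY) are parsed but not printed.
lids_grants() {
    awk '
        # Join backslash-continued lines into one ACL before parsing.
        /\\$/ { sub(/\\$/, ""); buf = buf $0; next }
        { line = buf $0; buf = "" }
        line ~ /^\/sbin\/lidsadm[ \t]+-A/ {
            subj = "(any)"; obj = ""; inh = "0"; act = ""
            n = split(line, f, /[ \t]+/)
            for (i = 1; i <= n; i++) {
                if (f[i] == "-s") subj = f[i + 1]
                else if (f[i] == "-o") obj = f[i + 1]
                else if (f[i] == "-i") inh = f[i + 1]
                else if (f[i] == "-j") act = f[i + 1]
            }
            if (act == "GRANT" && obj ~ /^CAP_/) print subj, obj, inh
        }
    '
}

# Print the capabilities granted to one subject, space separated.
# Usage: sample_acls | lids_caps_for /usr/sbin/sshd
lids_caps_for() {
    lids_grants | awk -v s="$1" '
        $1 == s { printf "%s%s", sep, $2; sep = " " }
        END { print "" }'
}

# Capabilities that let a subject reach around file-level protection or
# undo the seal: module loading, raw device access, DAC override, and the
# CAP_SYS_ADMIN catch-all. This list is the example's own choice.
RISKY_CAPS="CAP_SYS_MODULE CAP_SYS_RAWIO CAP_SYS_ADMIN CAP_DAC_OVERRIDE"

# Print one REVIEW line per grant that is risky or inherited without limit.
lids_audit() {
    lids_grants | while read -r subj cap inh; do
        reason=""
        case " $RISKY_CAPS " in
            *" $cap "*) reason="powerful capability" ;;
        esac
        if [ "$inh" = "-1" ]; then
            reason="${reason:+$reason, }unlimited inheritance"
        fi
        if [ -n "$reason" ]; then
            echo "REVIEW $subj $cap -i $inh ($reason)"
        fi
    done
}

# Run the audit over the constructed sample when executed directly.
sample_acls | lids_audit
```

<P>On the sample this prints four REVIEW lines (sshd's CAP_DAC_OVERRIDE, slapd's CAP_SYS_MODULE, and heartbeat's two unlimited-inheritance grants) and stays silent about CAP_NET_BIND_SERVICE, CAP_SETUID with <CODE>-i 3</CODE>, and route's CAP_NET_ADMIN with <CODE>-i 0</CODE>. The point of the inheritance column is that a capability granted with <CODE>-i -1</CODE> is available to every descendant of the daemon, including any shell it might be coerced into spawning, whereas <CODE>-i 0</CODE> confines it to the listed binary. A REVIEW line is a prompt to confirm the daemon really needs that capability, not a finding in itself; to run it over a real ACL script, replace <CODE>sample_acls</CODE> with <CODE>cat /path/to/your/lids.acl</CODE>.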