From 6d24baa18223f0babfed2c8890381fb54cdcd6e9 Mon Sep 17 00:00:00 2001 From: Roland Gruber Date: Sat, 10 Sep 2016 15:17:40 +0200 Subject: [PATCH] 5.5 --- lam-packaging/debian/changelog | 4 +- lam/HISTORY | 2 +- lam/VERSION | 2 +- lam/docs/manual-sources/howto.xml | 79 ++++++++++++++++++++++++++++++- 4 files changed, 82 insertions(+), 5 deletions(-) diff --git a/lam-packaging/debian/changelog b/lam-packaging/debian/changelog index 2ce3fe0f..20d47289 100644 --- a/lam-packaging/debian/changelog +++ b/lam-packaging/debian/changelog @@ -1,8 +1,8 @@ -ldap-account-manager (5.5.RC1-1) unstable; urgency=medium +ldap-account-manager (5.5-1) unstable; urgency=medium * new upstream release - -- Roland Gruber Sat, 27 Aug 2016 14:23:35 +0200 + -- Roland Gruber Sat, 10 Sep 2016 14:23:35 +0200 ldap-account-manager (5.4-1) unstable; urgency=medium diff --git a/lam/HISTORY b/lam/HISTORY index dff6a343..240a105a 100644 --- a/lam/HISTORY +++ b/lam/HISTORY @@ -1,4 +1,4 @@ -September 2016 +10.09.2016 5.5 - Windows: allow to show effective members of a group - Lamdaemon: support SSH key authentication - LAM Pro: diff --git a/lam/VERSION b/lam/VERSION index d8eb2ed3..9ad974f6 100644 --- a/lam/VERSION +++ b/lam/VERSION @@ -1 +1 @@ -5.5.RC1 +5.5 diff --git a/lam/docs/manual-sources/howto.xml b/lam/docs/manual-sources/howto.xml index cf316d21..cf2d26d9 100644 --- a/lam/docs/manual-sources/howto.xml +++ b/lam/docs/manual-sources/howto.xml @@ -490,7 +490,8 @@ Have fun! session file. Please note that LAM does not ship with a selinux policy. Please - disable selinux or create your own policy. + disable selinux or create your own + policy. See LDAP schema fles for information about used LDAP schema files. @@ -10444,6 +10445,82 @@ OK (10 msec) +
+ Selinux + + In case your server has selinux installed you might need to extend + the selinux ruleset. E.g. your webserver might not be allowed to write + in /var/lib. + + Read selinux status + + The following command will tell you if selinux is running in + Enforcing or Permissive mode. + + Enforcing: access that does not match rules is denied + + Permissive: access that does not match rules is granted but logged + to audit.log + + getenforce + + Set selinux to Permissive + mode + + This will just log any access violations. You will need this to + get a list of missing rights. + + setenforce Permissive + + Now do any actions inside LAM that you need for your daily work + (e.g. edit server profiles, manage LDAP entries, ...). + + Extend selinux rules + + Selinux now has logged any violations to audit.log. You can use + this now to extend your ruleset and enable enforcing later. + + The following example is for httpd. You can also adapt it to e.g. + nginx. + + # build additional selinux rules from audit.log +grep httpd /var/log/audit/audit.log | audit2allow -m httpdlocal -o httpdlocal.te + + + The httpdlocal.te might look like this: + + module httpdlocal 1.0; + +require { + type httpd_t; + type var_lib_t; + class file { setattr write }; +} + +#============= httpd_t ============== + +#!!!! WARNING 'httpd_t' is not allowed to write or create to var_lib_t. Change the label to httpd_var_lib_t. +#!!!! $ semanage fcontext -a -t httpd_var_lib_t /var/lib/ldap-account-manager/config/lam.conf +#!!!! $ restorecon -R -v /var/lib/ldap-account-manager/config/lam.conf +allow httpd_t var_lib_t:file { setattr write }; + + + Now we can compile and install this rule: + + # build module +checkmodule -M -m -o httpdlocal.mod httpdlocal.te +# package module +semodule_package -o httpdlocal.pp -m httpdlocal.mod +# install module +semodule -i httpdlocal.pp + + Now you can switch back to Enforcing mode: + + setenforce Enforcing + + LAM should now work as expected with active selinux. +
+
Chrooted servers
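Review bot: in the lam-packaging/debian/changelog hunk the new trailer keeps the RC1 time of day `14:23:35 +0200` and only swaps the date to `Sat, 10 Sep 2016`, while the commit itself is stamped 15:17:40 +0200; regenerate the trailer (for example with `dch -r`) rather than hand-editing the date so the 5.5 entry carries the time it was actually finalized.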
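Review bot: in the howto.xml hunk around line 490, the context line right after the edited sentence reads "See LDAP schema fles for information"; since this commit already rewrites the neighbouring sentence, fix the typo to "files" in the same change.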
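Review bot: the new Selinux section in howto.xml ends up teaching the broader of the two fixes that the quoted audit2allow output offers. The generated httpdlocal.te shown in the hunk says "'httpd_t' is not allowed to write or create to var_lib_t. Change the label to httpd_var_lib_t" and prints the exact `semanage fcontext -a -t httpd_var_lib_t /var/lib/ldap-account-manager/config/lam.conf` and `restorecon -R -v ...` commands, yet the procedure then installs `allow httpd_t var_lib_t:file { setattr write };`, which lets the web server modify every file carrying the generic var_lib_t label, not just LAM's own configuration. Please document the relabel as the primary fix (applied to LAM's whole writable tree rather than a single file, e.g. `semanage fcontext -a -t httpd_var_lib_t "/var/lib/ldap-account-manager(/.*)?"` followed by `restorecon -R -v /var/lib/ldap-account-manager`), and present the custom module only as a fallback for denials that relabeling does not cover. Two smaller points in the same hunk: `grep httpd /var/log/audit/audit.log` feeds audit2allow every httpd denial ever logged on that host, including ones unrelated to LAM, so filtering by time (for instance `ausearch -m AVC -c httpd -ts recent | audit2allow -m httpdlocal`) gives a ruleset the reader can actually review; and `audit2allow -M httpdlocal` already performs the checkmodule/semodule_package steps, leaving only `semodule -i httpdlocal.pp`, which would shorten the instructions and remove two places to mistype.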