Roland Gruber 2016-09-10 15:17:40 +02:00
parent bff8c8dfad
commit 6d24baa182
4 changed files with 82 additions and 5 deletions

@ -1,8 +1,8 @@
ldap-account-manager (5.5.RC1-1) unstable; urgency=medium ldap-account-manager (5.5-1) unstable; urgency=medium
* new upstream release * new upstream release
-- Roland Gruber <post@rolandgruber.de> Sat, 27 Aug 2016 14:23:35 +0200 -- Roland Gruber <post@rolandgruber.de> Sat, 10 Sep 2016 14:23:35 +0200
ldap-account-manager (5.4-1) unstable; urgency=medium ldap-account-manager (5.4-1) unstable; urgency=medium
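Review bot: the new changelog stamp keeps the RC1 entry's time of day (14:23:35 +0200) and only the date changed from 27 Aug to 10 Sep, which suggests the line was edited by hand rather than regenerated; prefer `dch -r` (or `date -R`) when finalising so the stamp reflects the actual release time. The rest of the entry (5.5-1, unstable, "new upstream release") is consistent with the VERSION bump in this commit.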

@ -1,4 +1,4 @@
September 2016 10.09.2016 5.5
- Windows: allow to show effective members of a group - Windows: allow to show effective members of a group
- Lamdaemon: support SSH key authentication - Lamdaemon: support SSH key authentication
- LAM Pro: - LAM Pro:

@ -1 +1 @@
5.5.RC1 5.5

@ -490,7 +490,8 @@ Have fun!
session file.</para> session file.</para>
<para>Please note that LAM does not ship with a selinux policy. Please <para>Please note that LAM does not ship with a selinux policy. Please
disable selinux or create your own policy.</para> disable selinux or <link linkend="selinux">create your own
policy</link>.</para>
<para>See <link linkend="a_schema">LDAP schema fles</link> for <para>See <link linkend="a_schema">LDAP schema fles</link> for
information about used LDAP schema files.</para> information about used LDAP schema files.</para>
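Review bot: the context line directly below the change still reads "LDAP schema fles" on both sides; since this paragraph is being touched anyway, fix the typo to "files" in the same commit. The new `<link linkend="selinux">` matches the `<section id="selinux">` added further down in this file, so the cross-reference resolves.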
@ -10444,6 +10445,82 @@ OK (10 msec)</programlisting>
</section> </section>
</section> </section>
<section id="selinux">
<title>Selinux</title>
<para>In case your server has selinux installed you might need to extend
the selinux ruleset. E.g. your webserver might not be allowed to write
in /var/lib.</para>
<para><emphasis role="bold">Read selinux status</emphasis></para>
<para>The following command will tell you if selinux is running in
Enforcing or Permissive mode.</para>
<para>Enforcing: access that does not match rules is denied</para>
<para>Permissive: access that does not match rules is granted but logged
to audit.log</para>
<programlisting>getenforce</programlisting>
<para><emphasis role="bold">Set selinux to Permissive
mode</emphasis></para>
<para>This will just log any access violations. You will need this to
get a list of missing rights.</para>
<programlisting>setenforce Permissive</programlisting>
<para>Now do any actions inside LAM that you need for your daily work
(e.g. edit server profiles, manage LDAP entries, ...).</para>
<para><emphasis role="bold">Extend selinux rules</emphasis></para>
<para>Selinux now has logged any violations to audit.log. You can use
this now to extend your ruleset and enable enforcing later.</para>
<para>The following example is for httpd. You can also adapt it to e.g.
nginx.</para>
<programlisting># build additional selinux rules from audit.log
grep httpd /var/log/audit/audit.log | audit2allow -m httpdlocal -o httpdlocal.te
</programlisting>
<para>The httpdlocal.te might look like this:</para>
<programlisting>module httpdlocal 1.0;
require {
type httpd_t;
type var_lib_t;
class file { setattr write };
}
#============= httpd_t ==============
#!!!! WARNING 'httpd_t' is not allowed to write or create to var_lib_t. Change the label to httpd_var_lib_t.
#!!!! $ semanage fcontext -a -t httpd_var_lib_t /var/lib/ldap-account-manager/config/lam.conf
#!!!! $ restorecon -R -v /var/lib/ldap-account-manager/config/lam.conf
allow httpd_t var_lib_t:file { setattr write };
</programlisting>
<para>Now we can compile and install this rule:</para>
<programlisting># build module
checkmodule -M -m -o httpdlocal.mod httpdlocal.te
# package module
semodule_package -o httpdlocal.pp -m httpdlocal.mod
# install module
semodule -i httpdlocal.pp</programlisting>
<para>Now you can switch back to Enforcing mode:</para>
<programlisting>setenforce Enforcing</programlisting>
<para>LAM should now work as expected with active selinux.</para>
</section>
<section> <section>
<title>Chrooted servers</title> <title>Chrooted servers</title>
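Review bot: the procedure in the new section turns every denial recorded during the permissive window into allow rules, and the sample module it reproduces shows why that is too broad: `allow httpd_t var_lib_t:file { setattr write };` grants the web server write access to every file labelled var_lib_t on the system, not only LAM's configuration directory. The generated .te file's own WARNING lines already give the narrower fix, relabelling /var/lib/ldap-account-manager/config with `semanage fcontext -a -t httpd_var_lib_t ...` followed by `restorecon -R -v ...`, so the section should present that as the first option and reserve a custom module for denials that a relabel cannot resolve; as written, readers are steered toward the broader rule. Two smaller points: `grep httpd /var/log/audit/audit.log` also matches any record that happens to contain "httpd", so filtering with `ausearch -m avc -c httpd` (or at least `grep 'type=AVC.*httpd_t'`) keeps non-AVC records out of the module. And the product name is spelled "SELinux" in prose; the new title and paragraphs use "Selinux"/"selinux" throughout.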