5.5
This commit is contained in:
parent bff8c8dfad
commit 6d24baa182
				|  | @ -1,8 +1,8 @@ | |||
| ldap-account-manager (5.5.RC1-1) unstable; urgency=medium | ||||
| ldap-account-manager (5.5-1) unstable; urgency=medium | ||||
| 
 | ||||
|   * new upstream release | ||||
| 
 | ||||
|  -- Roland Gruber <post@rolandgruber.de>  Sat, 27 Aug 2016 14:23:35 +0200 | ||||
|  -- Roland Gruber <post@rolandgruber.de>  Sat, 10 Sep 2016 14:23:35 +0200 | ||||
| 
 | ||||
| ldap-account-manager (5.4-1) unstable; urgency=medium | ||||
| 
 | ||||
|  |  | |||
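Review bot: the new trailer `Sat, 10 Sep 2016 14:23:35 +0200` carries exactly the same time of day as the RC1 trailer it replaces (`Sat, 27 Aug 2016 14:23:35 +0200`), which suggests only the date was edited by hand. Regenerate the line with `dch -r` (or `date -R`) so the stanza records the real release time. Replacing the RC1 stanza in place rather than stacking a second one is fine for promoting a release candidate to the final version.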
|  | @ -1,4 +1,4 @@ | |||
| September 2016 | ||||
| 10.09.2016 5.5 | ||||
|   - Windows: allow to show effective members of a group | ||||
|   - Lamdaemon: support SSH key authentication | ||||
|   - LAM Pro: | ||||
|  |  | |||
|  | @ -1 +1 @@ | |||
| 5.5.RC1 | ||||
| 5.5 | ||||
|  |  | |||
|  | @ -490,7 +490,8 @@ Have fun! | |||
|         session file.</para> | ||||
| 
 | ||||
|         <para>Please note that LAM does not ship with a selinux policy. Please | ||||
|         disable selinux or create your own policy.</para> | ||||
|         disable selinux or <link linkend="selinux">create your own | ||||
|         policy</link>.</para> | ||||
| 
 | ||||
|         <para>See <link linkend="a_schema">LDAP schema fles</link> for | ||||
|         information about used LDAP schema files.</para> | ||||
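Review bot: the new `<link linkend="selinux">` only resolves if the `<section id="selinux">` introduced later in this same commit is applied with it, so the two hunks must not be split across commits or the manual build will fail on a dangling linkend. While this paragraph is being touched, the unchanged context line just below still reads `LDAP schema fles`; fix the typo to `files` here rather than leaving it for another commit.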
|  | @ -10444,6 +10445,82 @@ OK (10 msec)</programlisting> | |||
|       </section> | ||||
|     </section> | ||||
| 
 | ||||
|     <section id="selinux"> | ||||
|       <title>Selinux</title> | ||||
| 
 | ||||
|       <para>In case your server has selinux installed you might need to extend | ||||
|       the selinux ruleset. E.g. your webserver might not be allowed to write | ||||
|       in /var/lib.</para> | ||||
| 
 | ||||
|       <para><emphasis role="bold">Read selinux status</emphasis></para> | ||||
| 
 | ||||
|       <para>The following command will tell you if selinux is running in | ||||
|       Enforcing or Permissive mode.</para> | ||||
| 
 | ||||
|       <para>Enforcing: access that does not match rules is denied</para> | ||||
| 
 | ||||
|       <para>Permissive: access that does not match rules is granted but logged | ||||
|       to audit.log</para> | ||||
| 
 | ||||
|       <programlisting>getenforce</programlisting> | ||||
| 
 | ||||
|       <para><emphasis role="bold">Set selinux to Permissive | ||||
|       mode</emphasis></para> | ||||
| 
 | ||||
|       <para>This will just log any access violations. You will need this to | ||||
|       get a list of missing rights.</para> | ||||
| 
 | ||||
|       <programlisting>setenforce Permissive</programlisting> | ||||
| 
 | ||||
|       <para>Now do any actions inside LAM that you need for your daily work | ||||
|       (e.g. edit server profiles, manage LDAP entries, ...).</para> | ||||
| 
 | ||||
|       <para><emphasis role="bold">Extend selinux rules</emphasis></para> | ||||
| 
 | ||||
|       <para>Selinux now has logged any violations to audit.log. You can use | ||||
|       this now to extend your ruleset and enable enforcing later.</para> | ||||
| 
 | ||||
|       <para>The following example is for httpd. You can also adapt it to e.g. | ||||
|       nginx.</para> | ||||
| 
 | ||||
|       <programlisting># build additional selinux rules from audit.log | ||||
| grep httpd /var/log/audit/audit.log | audit2allow -m httpdlocal -o httpdlocal.te | ||||
| </programlisting> | ||||
| 
 | ||||
|       <para>The httpdlocal.te might look like this:</para> | ||||
| 
 | ||||
|       <programlisting>module httpdlocal 1.0; | ||||
| 
 | ||||
| require { | ||||
|         type httpd_t; | ||||
|         type var_lib_t; | ||||
|         class file { setattr write }; | ||||
| } | ||||
| 
 | ||||
| #============= httpd_t ============== | ||||
| 
 | ||||
| #!!!! WARNING 'httpd_t' is not allowed to write or create to var_lib_t.  Change the label to httpd_var_lib_t. | ||||
| #!!!! $ semanage fcontext -a -t httpd_var_lib_t /var/lib/ldap-account-manager/config/lam.conf    | ||||
| #!!!! $ restorecon -R -v /var/lib/ldap-account-manager/config/lam.conf | ||||
| allow httpd_t var_lib_t:file { setattr write }; | ||||
| </programlisting> | ||||
| 
 | ||||
|       <para>Now we can compile and install this rule:</para> | ||||
| 
 | ||||
|       <programlisting># build module | ||||
| checkmodule -M -m -o httpdlocal.mod httpdlocal.te | ||||
| # package module | ||||
| semodule_package -o httpdlocal.pp -m httpdlocal.mod | ||||
| # install module | ||||
| semodule -i httpdlocal.pp</programlisting> | ||||
| 
 | ||||
|       <para>Now you can switch back to Enforcing mode:</para> | ||||
| 
 | ||||
|       <programlisting>setenforce Enforcing</programlisting> | ||||
| 
 | ||||
|       <para>LAM should now work as expected with active selinux.</para> | ||||
|     </section> | ||||
| 
 | ||||
|     <section> | ||||
|       <title>Chrooted servers</title> | ||||
| 
 | ||||
|  |  | |||
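Review bot: the documented end result, `allow httpd_t var_lib_t:file { setattr write };`, is broader than the problem it solves: it lets the web server domain modify any file under /var/lib that still carries the generic `var_lib_t` label, not just LAM's configuration. The generated module's own `#!!!! WARNING` lines already point to the tighter fix, relabelling LAM's state directory as `httpd_var_lib_t` via `semanage fcontext -a -t httpd_var_lib_t` plus `restorecon -R`; the section should present that as the primary step, using a directory pattern such as `'/var/lib/ldap-account-manager(/.*)?'` so files LAM creates later inherit the label, and keep the `audit2allow` module only as a fallback for denials that remain afterwards. Two smaller points: `grep httpd /var/log/audit/audit.log` also matches unrelated records that merely contain the string, so `ausearch -m avc -c httpd` (or filtering on `comm="httpd"`) gives `audit2allow` cleaner input; and `setenforce Permissive` drops enforcement for the whole host while the user works in LAM, whereas `semanage permissive -a httpd_t` limits that to the web server domain and is worth mentioning as the less intrusive option. Finally, the product name is spelled `SELinux`, so `<title>Selinux</title>` and the prose should follow suit.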