5.5

lam-packaging/debian/changelog

@@ -1,8 +1,8 @@
-ldap-account-manager (5.5.RC1-1) unstable; urgency=medium
+ldap-account-manager (5.5-1) unstable; urgency=medium
 
   * new upstream release
 
- -- Roland Gruber <post@rolandgruber.de>  Sat, 27 Aug 2016 14:23:35 +0200
+ -- Roland Gruber <post@rolandgruber.de>  Sat, 10 Sep 2016 14:23:35 +0200
 
 ldap-account-manager (5.4-1) unstable; urgency=medium
 

lam/HISTORY

@@ -1,4 +1,4 @@
-September 2016
+10.09.2016 5.5
   - Windows: allow to show effective members of a group
   - Lamdaemon: support SSH key authentication
   - LAM Pro:

lam/VERSION

@@ -1 +1 @@
-5.5.RC1
+5.5

lam/docs/manual-sources/howto.xml

@@ -490,7 +490,8 @@ Have fun!
         session file.</para>
 
         <para>Please note that LAM does not ship with a selinux policy. Please
-        disable selinux or create your own policy.</para>
+        disable selinux or <link linkend="selinux">create your own
+        policy</link>.</para>
 
         <para>See <link linkend="a_schema">LDAP schema fles</link> for
         information about used LDAP schema files.</para>
@@ -10444,6 +10445,82 @@ OK (10 msec)</programlisting>
       </section>
     </section>
 
+    <section id="selinux">
+      <title>Selinux</title>
+
+      <para>In case your server has selinux installed you might need to extend
+      the selinux ruleset. E.g. your webserver might not be allowed to write
+      in /var/lib.</para>
+
+      <para><emphasis role="bold">Read selinux status</emphasis></para>
+
+      <para>The following command will tell you if selinux is running in
+      Enforcing or Permissive mode.</para>
+
+      <para>Enforcing: access that does not match rules is denied</para>
+
+      <para>Permissive: access that does not match rules is granted but logged
+      to audit.log</para>
+
+      <programlisting>getenforce</programlisting>
+
+      <para><emphasis role="bold">Set selinux to Permissive
+      mode</emphasis></para>
+
+      <para>This will just log any access violations. You will need this to
+      get a list of missing rights.</para>
+
+      <programlisting>setenforce Permissive</programlisting>
+
+      <para>Now do any actions inside LAM that you need for your daily work
+      (e.g. edit server profiles, manage LDAP entries, ...).</para>
+
+      <para><emphasis role="bold">Extend selinux rules</emphasis></para>
+
+      <para>Selinux now has logged any violations to audit.log. You can use
+      this now to extend your ruleset and enable enforcing later.</para>
+
+      <para>The following example is for httpd. You can also adapt it to e.g.
+      nginx.</para>
+
+      <programlisting># build additional selinux rules from audit.log
+grep httpd /var/log/audit/audit.log | audit2allow -m httpdlocal -o httpdlocal.te
+</programlisting>
+
+      <para>The httpdlocal.te might look like this:</para>
+
+      <programlisting>module httpdlocal 1.0;
+
+require {
+        type httpd_t;
+        type var_lib_t;
+        class file { setattr write };
+}
+
+#============= httpd_t ==============
+
+#!!!! WARNING 'httpd_t' is not allowed to write or create to var_lib_t.  Change the label to httpd_var_lib_t.
+#!!!! $ semanage fcontext -a -t httpd_var_lib_t /var/lib/ldap-account-manager/config/lam.conf   
+#!!!! $ restorecon -R -v /var/lib/ldap-account-manager/config/lam.conf
+allow httpd_t var_lib_t:file { setattr write };
+</programlisting>
+
+      <para>Now we can compile and install this rule:</para>
+
+      <programlisting># build module
+checkmodule -M -m -o httpdlocal.mod httpdlocal.te
+# package module
+semodule_package -o httpdlocal.pp -m httpdlocal.mod
+# install module
+semodule -i httpdlocal.pp</programlisting>
+
+      <para>Now you can switch back to Enforcing mode:</para>
+
+      <programlisting>setenforce Enforcing</programlisting>
+
+      <para>LAM should now work as expected with active selinux.</para>
+    </section>
+
     <section>
       <title>Chrooted servers</title>