
RE: LDAP and SELINUX



Thanks Jens!

I will try this out.

John D. Borresen (Dave)
Email: john.borresen@ll.mit.edu

-----Original Message-----
From: openldap-technical [mailto:openldap-technical-bounces@openldap.org] On Behalf Of Jens Vagelpohl
Sent: Wednesday, February 03, 2016 12:40 PM
To: openldap-technical@openldap.org
Subject: Re: LDAP and SELINUX


> On 03 Feb 2016, at 17:48 , Borresen, John - 0444 - MITLL <John.Borresen@ll.mit.edu> wrote:
> 
> Does anyone out there in OpenLDAP land have experience with working with OpenLDAP and SELINUX?

The standard procedure I use to debug SELinux issues and then create SELinux rule files to allow previously forbidden interactions is the following (all steps as root). Don’t trust anyone or any advice from random websites that tell you to just switch off SELinux to make things work, those people obviously don’t know anything about the topic at all.

1) Switch from Enforcing to Permissive mode so everything is allowed but still fully logged:
# setenforce permissive

2) Run through your test scenarios, like starting and stopping all the involved system services and logging in/using your applications

3) Get a report using audit2allow:
# audit2allow -al

Now you have a report showing you what’s disallowed and what processes are involved.

4) To create a policy file that can be loaded into the SELinux rule set in order to prevent the denials you create a type enforcement rule file (you can choose any name for it that does not collide with built-in policies):
# audit2allow -alm my_custom_policy_name >my_custom_policy_name.te

5) Now you compile it into a format the kernel understands:
# checkmodule -M -m -o my_custom_policy_name.mod my_custom_policy_name.te
# semodule_package -o my_custom_policy_name.pp -m my_custom_policy_name.mod

6) Insert the compiled module (the .pp file) into the SELinux rule set:
# semodule -u my_custom_policy_name.pp

7) Now test again (return to step 2) and if there are any remaining issues follow steps 3-7. IMPORTANT: If you create a new policy file in step 4, make sure to INCREMENT the version number that’s shown at the top of the file. If your new policy retains the old policy version number it will not load.

8) Once you’re happy do not forget to return to enforcing mode:
# setenforce enforcing


Hope that helps,

jens
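Jens's steps 4 to 6 wrapped in a small POSIX shell script, as an added example that is not part of this thread, with the version bump from the IMPORTANT note in step 7 automated so a regenerated module is not rejected for carrying the old version. It assumes the .te file written by `audit2allow -alm NAME` opens with a header of the form `module NAME X.Y;`; the function names are hypothetical and the sample .te is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Automates steps 4-6 and the
# "increment the version" rule. Assumption: the .te header reads
# "module NAME X.Y;". Function names hypothetical; sample .te constructed.

te_header_version() {
    # Print X.Y from the "module NAME X.Y;" header line of a .te file (empty if absent).
    sed -n 's/^module[[:space:]]\{1,\}[^[:space:]]\{1,\}[[:space:]]\{1,\}\([0-9.]\{1,\}\);.*/\1/p' "$1" | head -n 1
}

next_te_version() {
    # Increment the minor part: 1.0 -> 1.1, 2.9 -> 2.10. A module carrying the
    # same version as the one already installed will not load.
    echo "${1%%.*}.$(( ${1#*.} + 1 ))"
}

set_te_version() {
    # Rewrite only the header line of FILE ($1) to carry version $2; the allow
    # rules below it are left untouched. Uses a temp file (no GNU sed -i).
    tmp=$(mktemp) || return 1
    sed "s/^\(module[[:space:]]\{1,\}[^[:space:]]\{1,\}[[:space:]]\{1,\}\)[0-9.]\{1,\};/\1$2;/" "$1" > "$tmp" \
        && mv "$tmp" "$1" || { rm -f "$tmp"; return 1; }
    [ "$(te_header_version "$1")" = "$2" ]
}

write_sample_te() {
    # Constructed stand-in for audit2allow -alm output, for offline testing only.
    cat > "$1" <<'EOF'
module my_custom_policy_name 1.0;
require {
    type slapd_t;
    type tmp_t;
    class file { read open };
}
#============= slapd_t ==============
allow slapd_t tmp_t:file { read open };
EOF
}

build_and_load_policy() {
    # Steps 4-6 from the message. audit2allow always writes "1.0", so the
    # previous iteration's .te file (if any) supplies the version to bump from.
    name=$1; prev=""
    [ -f "$name.te" ] && prev=$(te_header_version "$name.te")
    audit2allow -alm "$name" > "$name.te" || return 1
    [ -z "$prev" ] || set_te_version "$name.te" "$(next_te_version "$prev")" || return 1
    checkmodule -M -m -o "$name.mod" "$name.te" || return 1
    semodule_package -o "$name.pp" -m "$name.mod" || return 1
    semodule -i "$name.pp"   # -i also replaces an installed module of the same name
}
```

Run `build_and_load_policy my_custom_policy_name` as root after step 3 on each pass through step 7; the version in the header grows 1.0, 1.1, 1.2, ... across iterations.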

