
1.10. Managing SELinux with the Directory Server
SELinux is a mandatory access control mechanism in Linux that labels files, directories, ports, processes, users, and other objects on the server. Each object carries a security context (an SELinux user, role, type, and optionally a sensitivity level) that defines how the object is allowed to behave on the server. The type given to a process is called its domain, and SELinux rules define how processes in one domain are allowed to interact with objects of each type and with processes in other domains.
SELinux itself is much more complex to manage and implement than what is described here. This section is concerned only with giving the SELinux details for the Directory Server. Both the Fedora project and the National Security Agency have excellent resources for learning about SELinux.
Note
SELinux is a feature of Red Hat Enterprise Linux and, as such, is covered in the Red Hat Enterprise Linux SELinux Guide at https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/index.html.
1.10.1. SELinux Definitions for the Directory Server
SELinux has three different modes: disabled (no SELinux), permissive (where policy violations are logged but not blocked), and enforcing (where all rules are strictly enforced). Red Hat Directory Server ships SELinux policy that allows it to run as normal in enforcing mode, with a caveat. The Directory Server can run in different modes, one for normal operations and one for offline database operations such as importing (ldif2db mode). The SELinux policy for the Directory Server confines only normal operation; the offline database modes are run directly by the administrator and are not covered by it.
By default, the Directory Server runs confined by SELinux policies. The Directory Server processes run in the dirsrv_t domain, and the ports used by the Directory Server instances are labeled with the ldap_port_t type.
Table 1.4, “Summary of Directory Server SELinux Policies” lists the security contexts and domains for the major components of the Directory Server.
Table 1.4. Summary of Directory Server SELinux Policies
| File Path | Security Context | Description |
|---|---|---|
| dirsrv_t domain | | |
| /etc/dirsrv/* | dirsrv_config_t | Configuration files for the different instances. |
| /usr/sbin/ns-slapd | dirsrv_exec_t | The main server executable. |
| /usr/sbin/start-dirsrv, stop-dirsrv, restart-dirsrv | initrc_exec_t | The server start, stop, and restart scripts. |
| | lib_t | The server and plug-in libraries. |
| /usr/share/dirsrv/* | dirsrv_share_t | The property files and templates for new instances. |
| /var/lib/dirsrv/* | dirsrv_var_lib_t | The default directories for database files, LDIF files, and backup files. |
| /var/lock/dirsrv/* | dirsrv_var_lock_t | Lock files. |
| /var/log/dirsrv/* | dirsrv_var_log_t | The server instance log files. |
| /var/run/dirsrv/* | dirsrv_var_run_t | The instance PID files and the SNMP statistics file. |
| Network ports | | |
| Ports 389 and 636, and any other LDAP port configured for a Directory Server instance | ldap_port_t | The ports used by the Directory Server instances: the default LDAP and LDAPS ports, plus whatever LDAP port[a] is configured for the Directory Server. |
[a] Only the LDAP port is configured for the Directory Server when it is set up, so only this port is added to the SELinux configuration automatically. The default LDAPS port, 636, is already labeled by the base policy; any other LDAPS port must be added manually, as described in Section 1.10.6, “Labeling SSL/TLS Ports”.
The Directory Server SELinux policies are configured when the server instance is set up (when setup-ds-admin.pl or register-ds-admin.pl is run). Each time a new instance is configured, the policy is updated with the instance's information, such as the label for its LDAP port. These labels are automatically removed when the server instance is uninstalled.
1.10.2. SELinux Definitions for the SNMP Agent
The Directory Server runs an SNMP subagent which can be used to configure traps and send alerts to an SNMP master agent, as described in Chapter 16, Monitoring Directory Server Using SNMP. The SNMP subagent is contained within a separate domain, dirsrv_snmp_t.
The SNMP subagent runs as a process, ldap-agent. The process does not listen on any ports (the third-party SNMP master agent does), but it does need to access some system files, such as its PID and log files. The security context definitions for these files and the process are listed in Table 1.5, “Summary of Directory Server SELinux Policies”. All of these files are also covered by the Directory Server file contexts listed in Table 1.4, “Summary of Directory Server SELinux Policies”.
Table 1.5. Summary of Directory Server SELinux Policies
| File Path | Security Context | Description |
|---|---|---|
| dirsrv_snmp_t domain | | |
| /usr/sbin/ldap-agent-bin | dirsrv_snmp_exec_t | The SNMP subagent daemon. |
| /var/run/ldap-agent.pid | dirsrv_snmp_var_run_t | The SNMP subagent PID file. |
| /var/log/dirsrv/ldap-agent.log | dirsrv_snmp_var_log_t | The SNMP subagent log file. |
1.10.3. Viewing and Editing SELinux Policies for the Directory Server
The configured Directory Server and Admin Server policies can be viewed and edited using the SELinux Administration GUI. Much more information about editing SELinux policies and labels is in the Red Hat Enterprise Linux Security-Enhanced Linux Guide.
- Open the menu.
- Open the menu, and select the item.

Note
You can launch the GUI from the command line using system-config-selinux.
- Open, add, or edit any file or port label or policy for Directory Server, as necessary.
- After changing file labels or file-context rules, run restorecon to apply the new labels to the files on disk; changing the rule alone does not relabel files that already exist.
# restorecon -r -v directoryName
(Use -f filename to read the list of paths to relabel from a file.) For example, if a new file-context rule was created for a custom LDIF directory:
# restorecon -r -v /myNewLdifDir
To check the version of the Directory Server SELinux policy installed, click the Policy Module link.

To view the policies set on the individual files and processes, click the File Labeling link. To view the policies for the port assignments for the server, click the Network Port link.

1.10.4. Starting the Directory Server Confined by SELinux
Three scripts control how the ns-slapd process transitions to the dirsrv_t domain when starting and stopping. All three of these scripts are in the /usr/sbin/ directory:
- start-dirsrv
- stop-dirsrv
- restart-dirsrv
These scripts are used in the same way as the service commands for Directory Server. A single instance can be specified by its instance name, or the script can be run with no arguments to apply to all instances, as in Section 1.3, “Starting and Stopping Servers”. For example:
/usr/sbin/start-dirsrv instance_name
Because the transition into dirsrv_t happens when these initrc_exec_t-labeled scripts (or the init script run by the service command) execute ns-slapd, an ns-slapd started directly from an administrator's shell does not transition and runs in the administrator's unconfined context instead. Always start the server through the scripts or the service command.
Likewise, the SNMP subagent is started or stopped using the service command, which runs the ldap-agent process confined by the SELinux policy. See Section 16.3.2, “Starting the Subagent” for more information.
service dirsrv-snmp start
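As an added check (example code, not part of the Directory Server documentation), the following shell script parses ps -eZ output and reports whether each ns-slapd and ldap-agent-bin process is in the domain named above, which is the quickest way to catch a server that was started by hand and is running unconfined. The ps output embedded in it is constructed for illustration; the function names check_domain and context_type are this example's own.

```shell
#!/bin/bash
# Added example (not from the Directory Server documentation): confirm that the
# Directory Server daemons actually run in their confined domains by parsing the
# output of "ps -eZ" (columns: LABEL PID TTY TIME CMD). Real use:
#     ps -eZ | check_domain dirsrv_t ns-slapd
#     ps -eZ | check_domain dirsrv_snmp_t ldap-agent-bin

# Print the type field of an SELinux context (user:role:type[:level]).
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read "ps -eZ" output on stdin. For every process whose command name is $2,
# print "<pid> <type> OK" when the type is $1 and "<pid> <type> NOT_CONFINED"
# otherwise. Returns 0 if all matching processes are confined, 1 if any is not,
# and 2 if no such process is running.
check_domain() {
    local want="$1" name="$2" rc=0 found=0
    local ctx pid tty time cmd rest type
    while read -r ctx pid tty time cmd rest; do
        case "$cmd" in
            "$name"|*/"$name") ;;
            *) continue ;;
        esac
        found=1
        type=$(context_type "$ctx")
        if [ "$type" = "$want" ]; then
            echo "$pid $type OK"
        else
            echo "$pid $type NOT_CONFINED"
            rc=1
        fi
    done
    [ "$found" -eq 1 ] || { echo "no $name process found"; return 2; }
    return "$rc"
}

# Constructed sample of "ps -eZ" output. PID 3456 stands for an ns-slapd that an
# administrator started by hand from a root shell instead of through
# start-dirsrv or the service command, so no transition to dirsrv_t happened.
SAMPLE_PS='LABEL                              PID TTY      TIME CMD
system_u:system_r:init_t:s0          1 ?        00:00:01 init
system_u:system_r:dirsrv_t:s0     2345 ?        00:00:07 ns-slapd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 3456 pts/0 00:00:00 ns-slapd
system_u:system_r:dirsrv_snmp_t:s0 4567 ?        00:00:00 ldap-agent-bin'

printf '%s\n' "$SAMPLE_PS" | check_domain dirsrv_t ns-slapd
echo "ns-slapd check exit status: $?"
printf '%s\n' "$SAMPLE_PS" | check_domain dirsrv_snmp_t ldap-agent-bin
echo "ldap-agent check exit status: $?"
```

The fix for a NOT_CONFINED result is the one the section already gives: stop the stray process and start the instance again with start-dirsrv or the service command so the domain transition takes place.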
1.10.5. Managing SELinux Labels for Files Used by the Directory Server
There are a number of different files that the Directory Server has to access in normal operations, such as database, log, and index files. Many of these are configured in settings in cn=config, such as nsslapd-dbdir, nsslapd-rundir, and nsslapd-ldapifilepath. As long as these directory locations are left with their default settings, the confined ns-slapd process can access them. However, if these file locations are moved, then the SELinux labels must be updated for the new locations so that the Directory Server process is allowed to access them.
Note
Do not change the default locations for Directory Server files and directories, such as the databases, run file, or LDAPI socket file, so that the SELinux policies do not have to be updated.
Most common files used by the Directory Server are covered by the SELinux policies by default. However, for some operations, the Directory Server must access external files, meaning files not created from Directory Server templates and maintained by the server. For example:
- LDIF files for import and export. If the import or export LDIF files are created in the default LDIF directory, /var/lib/dirsrv/slapd-instance_name/ldif, then the files are automatically covered by the dirsrv_var_lib_t security context. If they are in a non-standard location, then the file labels must be changed for the Directory Server to access them. These labels apply only to the LDIF files themselves; the offline import and export operations (such as ldif2db) are run directly by the administrator and are not confined by the Directory Server policy, as noted in Section 1.10.1.
Important
If you copy a file into the LDIF directory with cp, the new file is created with the label of its new directory and everything is fine. If, however, a file is moved into the LDIF directory with mv, then it retains its original SELinux label and the confined ns-slapd process cannot read it. Run restorecon on the moved file to relabel it.
- Custom plug-ins. The SELinux file contexts assume that any plug-in files used by the server are located in the default plug-in directory, /usr/lib[64]/dirsrv/plugins (/usr/lib64/dirsrv/plugins on 64-bit Red Hat Enterprise Linux 6). Any .so files for custom plug-ins must be in that directory for the server to load and use them. If the plug-in files must be stored in a non-default location for some reason, then add appropriate SELinux file-context rules to allow the server to access the files, either in the GUI described in Section 1.10.3, “Viewing and Editing SELinux Policies for the Directory Server” or using semanage.
- SASL/GSS-API keytabs. The Directory Server must be able to access the host keytab and the krb5.conf configuration file for GSS-API authentication in SASL. (The host keytab is set in the KRB5_KTNAME directive in the /etc/sysconfig/dirsrv file.) For these files to be labeled in the dirsrv_config_t context, they must be in the /etc/dirsrv/ directory. Only the host keytab and the krb5.conf file must be in /etc/dirsrv/; user keytabs can be in any directory.
Although import/export operations and SASL configurations are the most common situations in which the Directory Server accesses an external file, be sure to consider file labeling any time the Directory Server needs to access a file.
File labels can be added using the SELinux administrative interface (Section 1.10.3, “Viewing and Editing SELinux Policies for the Directory Server”) or using the semanage command. For details, see the semanage(8) man page.
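An added example (not from the Directory Server documentation) that ties the cp/mv caveat and the relabeling procedure together: it reads ls -Z output for an LDIF directory, reports any file whose type is not the expected dirsrv_var_lib_t, and shows the semanage fcontext and restorecon commands that label a non-default directory. The ls -Z listing it uses is constructed, the function names are this example's own, and DRY_RUN is a switch of this script, not an option of semanage or restorecon.

```shell
#!/bin/bash
# Added example (not from the Directory Server documentation): find files in a
# Directory Server directory whose SELinux type is not the one the dirsrv policy
# expects, which is what happens when a file is moved in with mv and keeps its
# old label, and build the commands that fix the labels. Real use:
#     ls -Z /var/lib/dirsrv/slapd-example/ldif | find_mislabeled dirsrv_var_lib_t

# Print the type field of an SELinux context (user:role:type[:level]).
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read "ls -Z" (or "ls -lZ") output on stdin and print "<name> <type>" for every
# entry whose type is not $1. Returns 1 if any mismatch was printed, else 0.
# Assumes file names without spaces (the name is taken as the last field).
find_mislabeled() {
    local want="$1" rc=0 line ctx name type
    while IFS= read -r line; do
        # the context is the field carrying the object_r role; lines without
        # one ("total N" from ls -l) are skipped
        ctx=$(printf '%s\n' "$line" | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /:object_r:/) { print $i; exit } }')
        [ -n "$ctx" ] || continue
        name=$(printf '%s\n' "$line" | awk '{ print $NF }')
        type=$(context_type "$ctx")
        if [ "$type" != "$want" ]; then
            echo "$name $type"
            rc=1
        fi
    done
    return "$rc"
}

# Run a command, or just print it when DRY_RUN is set (semanage and restorecon
# need root on an SELinux-enabled host).
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "+ $*"; else "$@"; fi
}

# Relabel a directory for the server. restorecon alone is enough for files that
# sit under a path the policy already covers, such as the default LDIF
# directory. A directory outside those paths first needs a file-context rule,
# otherwise restorecon has nothing to apply; the rule below gives $1 and
# everything beneath it the type $2 (dirsrv_var_lib_t by default).
relabel_dir() {
    local dir="$1" type="${2:-dirsrv_var_lib_t}"
    run semanage fcontext -a -t "$type" "${dir}(/.*)?"
    run restorecon -R -v "$dir"
}

# Constructed sample of "ls -Z" output for an instance's LDIF directory:
# moved_in.ldif was moved there from /root with mv and still carries admin_home_t.
SAMPLE_LS='-rw-r--r--. dirsrv dirsrv system_u:object_r:dirsrv_var_lib_t:s0 export.ldif
-rw-r--r--. root   root   unconfined_u:object_r:admin_home_t:s0 moved_in.ldif'

printf '%s\n' "$SAMPLE_LS" | find_mislabeled dirsrv_var_lib_t
echo "mismatches found (1 = yes): $?"
DRY_RUN=1                            # this script's own switch: print instead of run
relabel_dir /myNewLdifDir
```

For the moved file alone, restorecon -v on that one path is sufficient, because the default LDIF directory already matches a dirsrv_var_lib_t file-context rule; the semanage fcontext step is only needed for a directory the policy does not already know.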
1.10.6. Labeling SSL/TLS Ports
When the Directory Server is first set up, the given LDAP port is labeled for SELinux (the default is port 389). However, SSL/TLS is set up separately, after the Directory Server is already configured, so the LDAPS port for the Directory Server is not automatically labeled.
The default LDAP and LDAPS ports, 389 and 636, respectively, are already labeled ldap_port_t as part of the Red Hat Enterprise Linux policy. Any other LDAP port is added to those policies when the server is set up. If the Directory Server uses a secure port other than the default for its SSL/TLS connections, however, then an administrator must label the port manually; otherwise the confined ns-slapd process is denied when it tries to bind to it. This can be done in the SELinux administrative interface shown in Section 1.10.3, “Viewing and Editing SELinux Policies for the Directory Server”. It can also be done easily using the semanage command.
Use the port subcommand with the -t option to give the security context type, the -p option to give the protocol, and the port number as the final argument. The -a option adds the port label. For example:
/usr/sbin/semanage port -a -t ldap_port_t -p tcp 1636
If the port is already defined with a different type, semanage port -a fails with an "already defined" error; use the -m option instead to change the existing label.
To delete a port label, use the -d option. For example:
/usr/sbin/semanage port -d -t ldap_port_t -p tcp 1636
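The following is an added example, not from the Directory Server documentation, that parses semanage port -l output to decide whether a port already carries ldap_port_t and whether semanage port -a or -m is the right verb; it also handles the port ranges (such as unreserved_port_t) that appear in the listing, which do not count as an existing definition for -a. The listing in the script is constructed and abridged, and the function names are this example's own.

```shell
#!/bin/bash
# Added example (not from the Directory Server documentation): work out whether
# a port already carries the ldap_port_t label by parsing "semanage port -l"
# output, and pick the right semanage verb. "semanage port -a" fails with
# "already defined" when another type is defined on exactly that port; in that
# case "semanage port -m" must be used instead. Real use:
#     semanage port -l | label_port 1636

# Read "semanage port -l" on stdin and print "<type> exact" for each type defined
# on exactly port $2 of protocol $1, and "<type> range" for each range that
# contains it (lists like "389, 636" and ranges like "1024-32767" both occur).
port_type_of() {
    awk -v proto="$1" -v port="$2" '
        NR == 1 || NF < 3 || $2 != proto { next }      # header, blank, other protocol
        {
            for (i = 3; i <= NF; i++) {
                p = $i
                gsub(/,/, "", p)
                if (p ~ /^[0-9]+-[0-9]+$/) {
                    split(p, r, "-")
                    if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) print $1, "range"
                } else if (p == port) {
                    print $1, "exact"
                }
            }
        }'
}

# Decide how to give port $2/$1 the type $3: prints "ok" (already has it),
# "add" (no exact definition, use semanage port -a) or "modify" (another type
# is defined on exactly this port, use semanage port -m).
port_action() {
    local matches
    matches=$(port_type_of "$1" "$2")
    if printf '%s\n' "$matches" | grep -qx "$3 [a-z]*"; then
        echo ok
    elif printf '%s\n' "$matches" | grep -q ' exact$'; then
        echo modify
    else
        echo add
    fi
}

# Print the semanage command that labels TCP port $1 as $2 (default
# ldap_port_t), or a note that nothing needs to be done.
label_port() {
    local port="$1" type="${2:-ldap_port_t}"
    case "$(port_action tcp "$port" "$type")" in
        ok)     echo "tcp/$port is already labeled $type" ;;
        add)    echo "semanage port -a -t $type -p tcp $port" ;;
        modify) echo "semanage port -m -t $type -p tcp $port" ;;
    esac
}

# Constructed, abridged sample of "semanage port -l" output.
SAMPLE_SEMANAGE='SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ldap_port_t                    tcp      389, 636, 3268, 7389
ldap_port_t                    udp      389, 636
unreserved_port_t              tcp      1024-32767, 61001-65535'

printf '%s\n' "$SAMPLE_SEMANAGE" | label_port 636    # default LDAPS port: already labeled
printf '%s\n' "$SAMPLE_SEMANAGE" | label_port 1636   # only a range covers it: -a is right
printf '%s\n' "$SAMPLE_SEMANAGE" | label_port 8443   # http_port_t is defined there: -m
```

The last case is the one to watch for: choosing a secure port that some other service's policy already claims means relabeling it away from that service, so it is usually better to pick a port that only falls inside unreserved_port_t.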
