1.10. Managing SELinux with the Directory Server

SELinux is a security function in Linux that categorizes files, directories, ports, processes, users, and other objects on the server. Each object is placed in an appropriate security context to define how the object is allowed to behave on the server through its role, user, and security level. These roles for objects are grouped in domains, and SELinux rules define how the objects in one domain are allowed to interact with objects in another domain.
SELinux itself is much more complex to manage and implement than what is described here. This section is concerned only with giving the SELinux details for the Directory Server. Both the Fedora project and the National Security Agency have excellent resources for learning about SELinux.

Note

SELinux is a feature of Red Hat Enterprise Linux and, as such, is covered in the Red Hat Enterprise Linux SELinux Guide at https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/index.html.

1.10.1. SELinux Definitions for the Directory Server

SELinux has three different levels of enforcement: disabled (no SELinux), permissive (where the rules are lax), and enforcing (where all rules are strictly enforced). Red Hat Directory Server has defined SELinux policies that allow it to run as normal under strict SELinux enforcing mode, with a caveat. The Directory Server can run in different modes, one for normal operations and one for database operations like importing (ldif2db mode). The SELinux policies for the Directory Server only apply to normal mode.
By default, the Directory Server runs confined by SELinux policies.
The Directory Server processes are contained within the dirsrv_t domain. Ports used by the Directory Server instances are contained within the ldap_port_tdomain.
Table 1.4, “Summary of Directory Server SELinux Policies” lists the security contexts and domains for the major components of the Directory Server.

Table 1.4. Summary of Directory Server SELinux Policies

File Path Security Context Description
dirsrv_t Domain   
/etc/dirsrv/* dirsrv_config_t Configuration files for the different instances.
/usr/sbin/ns-slapd dirsrv_exec_t The main server executable.
/usr/sbin/{start|restart|stop}-dirsrv initrc_exec_t The server start, restart, and stop scripts.
/usr/lib/dirsrv/*
/usr/lib64/dirsrv/*
lib_t The server and plug-in libraries.
/usr/share/dirsrv/* dirsrv_share_t The property files and templates for new instances.
/var/lib/dirsrv/* dirsrv_var_lib_t The default directories for database files, LDIF files, and backup files.
/var/lock/dirsrv/* dirsrv_var_lock_t Lock files.
/var/log/dirsrv/* dirsrv_var_log_t The server instance log files.
/var/run/dirsrv/* dirsrv_var_run_t The instance PID files and the SNMP statistics file.
ldap_t Domain   
Port 389 and 636 and any regular LDAP port configured for a Directory Server instance ldap_port_t The ports used by the Directory Server instances, including the default LDAP and LDAPS ports and whatever the configured LDAP port[a] for the Directory Server is
[a] Only the LDAP port is configured for the Directory Server when it is set up, so only this port is added to the SELinux configuration automatically. The LDAPS port must be added manually, as described in Section 1.10.6, “Labeling SSL/TLS Ports”.
The Directory Server SELinux policies are configured when the server instance is set up (when setup-ds-admin.pl or register-ds-admin.pl are run). Each time a new instance is configured, the policies are updated with the appropriate information. These policies are automatically removed when the server instance is uninstalled.

1.10.2. SELinux Definitions for the SNMP Agent

The Directory Server runs an SNMP agent which can be used to configure traps and send alerts to an SNMP master agent, as described in Chapter 16, Monitoring Directory Server Using SNMP. The SNMP sub-agent is contained within a separate domain, dirsrv_snmp_t.
The SNMP subagent runs as a process, ldap-agent. The process does not listen over any ports (the third-party SNMP master agent does), but the process does need to access some system files, such as PID and log files. The security context definitions for these files and process are listed in Table 1.5, “Summary of Directory Server SELinux Policies”. All of these files are also covered by the Directory Server file contexts listed in Table 1.4, “Summary of Directory Server SELinux Policies”.

Table 1.5. Summary of Directory Server SELinux Policies

File Path Security Context Description
dirsrv_snmp_t Domain   
/usr/sbin/ldap-agent-bin dirsrv_snmp_exec_t The SNMP subagent daemon.
/var/run/ldap-agent.pid dirsrv_snmp_var_run_t The SNMP subagent PID file.
/var/log/dirsrv/ldap-agent.log dirsrv_snmp_var_log_t The SNMP subagent log file.

1.10.3. Viewing and Editing SELinux Policies for the Directory Server

The configured Directory Server and Admin Server policies can be viewed and edited using the SELinux Administration GUI. Much more information about editing SELinux policies and labels is in the Red Hat Enterprise Linux Security-Enhanced Linux Guide.
  1. Open the Systems menu.
  2. Open the Administration menu, and select the SELinux Management item.

    Note

    You can launch the GUI from the command line using system-config-selinux.
  3. Open, add, or edit any file or port label or policy for Directory Server , as necessary.
  4. After making any changes to the SELinux policies, run restorecon to load the changes to the labels or policies.
    # restorecon -r -v [-f filename | directoryName]
    For example, if new policies were created for a custom LDIF directory:
    # restorecon -r -v /myNewLdifDir
To check the version of the Directory Server SELinux policy installed, click the Policy Module link.
To view the policies set on the individual files and processes, click the File Labeling link. To view the policies for the port assignments for the server, click the Network Port link.

1.10.4. Starting the Directory Server Confined by SELinux

Three scripts control how the ns-slapd process transitions to the dirsrv_t domain when starting and stopping. All three of these scripts are in the /usr/sbin/ directory:
  • start-dirsrv
  • stop-dirsrv
  • restart-dirsrv
These scripts are run similar to the service commands used by Directory Server. A single instance can be specified using the instance name or the script can be run with no arguments and apply to all instances, as in Section 1.3, “Starting and Stopping Servers”. For example:
/usr/sbin/start-dirsrv instance_name
Likewise, the SNMP subagent is started or stopped using the service command to run the ldap-agent process confined by SELinux policies. See Section 16.3.2, “Starting the Subagent” for more information.
service dirsrv-snmp start

1.10.5. Managing SELinux Labels for Files Used by the Directory Server

There are a number of different files that the Directory Server has to access in normal operations, such as database, log, and index files. Many of these are configured in settings in cn=config, such as nsslapd-dbdir, nsslapd-rundir, and nsslapd-ldapifilepath. As long as these directory locations are left with their default settings, the confined ns-slapd process can access them just fine. However, if these file locations are moved, then the SELinux labels must be updated for the new locations so that the Directory Server process is allowed to access them.

Note

Do not change the default locations for Directory Server files and directories — such as the databases, run file, or LDAPI configuration file — so that the SELinux policies do not have to be updated.
Most common files used by the Directory Server are covered by the SELinux policies by default. However, for some operations, the Directory Server must access external files, meaning files not directly created from Directory Server templates and maintained by the server. For example:
  • LDIF files for import and export. If the import or export LDIF files are created in the default LDIF directory, /var/lib/dirsrv/slapd-instance_name/ldif, then the files will automatically be covered by the security context. If these are in a non-standard location, then the file labels must be changed for the Directory Server to access them.
    These SELinux labels apply only to the LDIF files used for import/export operations. These contexts do not cover import or export operations, which are database operations and outside the purview of SELinux.

    Important

    If you copy a file into the LDIF directory, then the command automatically relabels the copied files and everything is fine. If, however, a file is moved into the LDIF directory (mv), then it retains its original SELinux labels and will not be recognized by the ns-slapd process.
  • Custom plug-ins. The SELinux file restrictions assume that any plug-in files used by the server are located in the default plug-in directory, /usr/lib[64]/dirsrv/plugins on Red Hat Enterprise Linux 6 (64-bit). Any .so files for custom plug-ins must be in that directory for the server to load and use them.
    If the plug-in files must be stored in a non-default location for some reason, then add appropriate SELinux rules to allow the server to access the files. This is in Section 1.10.3, “Viewing and Editing SELinux Policies for the Directory Server” or using semanage.
  • SASL/GSS-API keytabs. The Directory Server must be able to access the host keytab and krb5.conf configuration file for GSS-API authentication in SASL. (The host keytab is set in the KRB5_KTNAME directive in the /etc/sysconfig/dirsrv file.) For these files to be properly labeled in SELinux in the dirsrv_config_t context, they must be in the /etc/dirsrv/ directory.
    Only the host keytab and krb5.conf file must be in /etc. The user key tabs can still be in any directory.
Although import/export operations and SASL configurations are the most common situations when the Directory Server will access an external file, be sure to consider file labeling any time the Directory Server needs to access a file.
File labels can be added using the SELinux administrative interface (Section 1.10.3, “Viewing and Editing SELinux Policies for the Directory Server”) or using the semanage script. For details, see the semanage(8) man page.

1.10.6. Labeling SSL/TLS Ports

When the Directory Server is first set up, the given LDAP port is labeled for SELinux (the default is port 389). However, SSL/TLS is set up separately, after the Directory Server is already configured, so the LDAPS port for the Directory Server is not automatically labeled.
The default LDAP and LDAPS ports, 389 and 636, respectively, are already labeled as part of the policies in Red Hat Enterprise Linux. Any other LDAP port is added to those policies when the server is set up. If the Directory Server uses a secure port other than the defaults for its SSL/TLS connections, however, then an administrator must label the port manually. This can be done in the SELinux administrative interface shown in Section 1.10.3, “Viewing and Editing SELinux Policies for the Directory Server”. It can also be done easily using the semanage script.
Use the port subcommand, the -t option to identify the security context, and the -p option to identify the port. The -a option adds the port label. For example:
/usr/sbin/semanage port -a -t ldap_port_t -p tcp 1636
To delete a port label, use the -d option. For example:
/usr/sbin/semanage port -d -t ldap_port_t -p tcp 1636