1.10. Managing SELinux with the Directory Server
1.10.1. SELinux Definitions for the Directory Server
dirsrv_t domain. Ports used by the Directory Server instances are contained within the
Table 1.4. Summary of Directory Server SELinux Policies
| File Path | Security Context | Description |
|  | dirsrv_config_t | Configuration files for the different instances. |
|  | dirsrv_exec_t | The main server executable. |
|  | initrc_exec_t | The server start, restart, and stop scripts. |
|  | lib_t | The server and plug-in libraries. |
|  | dirsrv_share_t | The property files and templates for new instances. |
|  | dirsrv_var_lib_t | The default directories for database files, LDIF files, and backup files. |
|  | dirsrv_var_lock_t | Lock files. |
|  | dirsrv_var_log_t | The server instance log files. |
|  | dirsrv_var_run_t | The instance PID files and the SNMP statistics file. |
| Ports 389 and 636 and any regular LDAP port configured for a Directory Server instance | ldap_port_t | The ports used by the Directory Server instances, including the default LDAP and LDAPS ports and whatever LDAP port is configured for the Directory Server. |
register-ds-admin.pl are run). Each time a new instance is configured, the policies are updated with the appropriate information. These policies are automatically removed when the server instance is uninstalled.
1.10.2. SELinux Definitions for the SNMP Agent
ldap-agent. The process does not listen over any ports (the third-party SNMP master agent does), but the process does need to access some system files, such as PID and log files. The security context definitions for these files and process are listed in Table 1.5, “Summary of Directory Server SELinux Policies”. All of these files are also covered by the Directory Server file contexts listed in Table 1.4, “Summary of Directory Server SELinux Policies”.
Table 1.5. Summary of Directory Server SELinux Policies
| File Path | Security Context | Description |
| /usr/sbin/ldap-agent-bin | dirsrv_snmp_exec_t | The SNMP subagent daemon. |
| /var/run/ldap-agent.pid | dirsrv_snmp_var_run_t | The SNMP subagent PID file. |
| /var/log/dirsrv/ldap-agent.log | dirsrv_snmp_var_log_t | The SNMP subagent log file. |
1.10.3. Viewing and Editing SELinux Policies for the Directory Server
- Open the menu.
- Open the menu, and select the item.
Note: You can launch the GUI from the command line using
- Open, add, or edit any file or port label or policy for Directory Server, as necessary.
- After making any changes to the SELinux policies, run restorecon to load the changes to the labels or policies.
# restorecon -r -v [-f filename | directoryName]
For example, if new policies were created for a custom LDIF directory:
# restorecon -r -v /myNewLdifDir
1.10.4. Starting the Directory Server Confined by SELinux
ns-slapd process transitions to the dirsrv_t domain when starting and stopping. All three of these scripts are in the
service commands used by Directory Server. A single instance can be specified using the instance name, or the script can be run with no arguments to apply to all instances, as in Section 1.3, “Starting and Stopping Servers”. For example:
service command to run the ldap-agent process confined by SELinux policies. See Section 16.3.2, “Starting the Subagent” for more information.
service dirsrv-snmp start
1.10.5. Managing SELinux Labels for Files Used by the Directory Server
cn=config, such as nsslapd-ldapifilepath. As long as these directory locations are left with their default settings, the confined ns-slapd process can access them without any further configuration. However, if these file locations are moved, then the SELinux labels must be updated for the new locations so that the Directory Server process is allowed to access them.
- LDIF files for import and export. If the import or export LDIF files are created in the default LDIF directory, /var/lib/dirsrv/slapd-instance_name/ldif, then the files will automatically be covered by the security context. If these are in a non-standard location, then the file labels must be changed for the Directory Server to access them. These SELinux labels apply only to the LDIF files used for import/export operations. These contexts do not cover the import or export operations themselves, which are database operations and outside the purview of SELinux.
Important: If you copy a file into the LDIF directory, then the copied file is automatically relabeled and everything works. If, however, a file is moved into the LDIF directory (mv), then it retains its original SELinux labels and will not be recognized by the
- Custom plug-ins. The SELinux file restrictions assume that any plug-in files used by the server are located in the default plug-in directory, /usr/lib/dirsrv/plugins on Red Hat Enterprise Linux 6 (64-bit). Any .so files for custom plug-ins must be in that directory for the server to load and use them. If the plug-in files must be stored in a non-default location for some reason, then add appropriate SELinux rules to allow the server to access the files. This is described in Section 1.10.3, “Viewing and Editing SELinux Policies for the Directory Server”, or can be done using
- SASL/GSS-API keytabs. The Directory Server must be able to access the host keytab and the krb5.conf configuration file for GSS-API authentication in SASL. (The host keytab is set in the KRB5_KTNAME directive in the /etc/sysconfig/dirsrv file.) For these files to be properly labeled in SELinux in the dirsrv_config_t context, they must be in the /etc/dirsrv/ directory. Only the host keytab and the krb5.conf file must be in /etc. The user keytabs can still be in any directory.
semanage script. For details, see the semanage(8) man page.
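The restorecon step shown above only applies a label that some file-context rule already assigns, so a custom LDIF directory that no dirsrv rule matches needs a semanage fcontext rule before it is relabeled. The following added example (not from the Red Hat documentation) checks a `semanage fcontext -l` listing for an existing dirsrv_var_lib_t rule covering the directory and prints the two commands to run when none does; the listing and the /myNewLdifDir path are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the Red Hat documentation. Decide whether a custom
# LDIF directory is already covered by a dirsrv_var_lib_t file-context rule;
# if not, print the semanage/restorecon commands that would label it.
# SAMPLE_FCONTEXTS below is constructed to mimic `semanage fcontext -l`
# output; on a real host substitute the live output.

# Print every file-context regex in the listing (stdin) whose context type
# is $1. The regex is always the first field; the context is the last.
fcontext_regexes_for_type() {
    awk -v type="$1" '$NF ~ (":" type ":") { print $1 }'
}

# Return 0 if $1 (a directory path) matches any regex read from stdin.
path_covered() {
    dir=$1
    while IFS= read -r re; do
        # File-context regexes are anchored; grep -x anchors the same way.
        if printf '%s\n' "$dir" | grep -Eqx -- "$re"; then
            return 0
        fi
    done
    return 1
}

# Print the commands needed to label $1 as dirsrv_var_lib_t, given the
# `semanage fcontext -l` listing in $2; prints nothing if already covered.
ldif_dir_label_cmds() {
    dir=$1; listing=$2
    if printf '%s\n' "$listing" | fcontext_regexes_for_type dirsrv_var_lib_t \
        | path_covered "$dir"; then
        return 0
    fi
    # restorecon alone cannot apply dirsrv_var_lib_t to a path that no
    # file-context rule matches, so the rule is added first.
    printf '%s\n' "semanage fcontext -a -t dirsrv_var_lib_t \"$dir(/.*)?\""
    printf '%s\n' "restorecon -R -v $dir"
}

# Constructed sample listing (columns: regex, file type, context).
SAMPLE_FCONTEXTS='/var/lib/dirsrv(/.*)?    all files    system_u:object_r:dirsrv_var_lib_t:s0
/var/log/dirsrv(/.*)?    all files    system_u:object_r:dirsrv_var_log_t:s0
/etc/dirsrv(/.*)?        all files    system_u:object_r:dirsrv_config_t:s0'

ldif_dir_label_cmds /myNewLdifDir "$SAMPLE_FCONTEXTS"
```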
1.10.6. Labeling SSL/TLS Ports
-t option to identify the security context, and the -p option to identify the port. The -a option adds the port label. For example:
/usr/sbin/semanage port -a -t ldap_port_t -p tcp 1636
-d option. For example:
/usr/sbin/semanage port -d -t ldap_port_t -p tcp 1636
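semanage rejects `-a` for a port that is already defined under another type, so the safe procedure is to check the current `semanage port -l` listing first and use `-m` to change an existing definition. The following added example (not from the Red Hat documentation) makes that choice for a custom LDAPS port; the port listing is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the Red Hat documentation. Pick the right semanage
# port operation for a custom LDAPS port: -a when the port is undefined,
# nothing when it already carries ldap_port_t, and -m when another type owns
# it (semanage rejects -a for a port that is already defined).
# SAMPLE_PORTS below is constructed to mimic `semanage port -l`; on a real
# host substitute the live output.

# Print the type that defines exactly $2/$1 in the listing on stdin (empty if
# none). Only exact single-port entries count: semanage keys its records on
# the exact port, so wide ranges such as unreserved_port_t 1024-32767 do not
# make it reject a new single-port entry.
port_owner() {
    awk -v port="$1" -v proto="$2" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)
                if (p !~ /-/ && p + 0 == port + 0) { print $1; exit }
            }
        }'
}

# Print the semanage command needed to label tcp/$1 as ldap_port_t, given
# the `semanage port -l` listing in $2; prints nothing if already labeled.
ldap_port_cmd() {
    port=$1; listing=$2
    owner=$(printf '%s\n' "$listing" | port_owner "$port" tcp)
    case $owner in
        ldap_port_t) ;;    # already labeled, nothing to do
        "") printf '/usr/sbin/semanage port -a -t ldap_port_t -p tcp %s\n' "$port" ;;
        # -m reassigns the port away from its current type; confirm nothing
        # else on the host relies on the old label before running it.
        *)  printf '/usr/sbin/semanage port -m -t ldap_port_t -p tcp %s\n' "$port" ;;
    esac
}

# Constructed sample listing in the `semanage port -l` layout.
SAMPLE_PORTS='SELinux Port Type              Proto    Port Number
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ldap_port_t                    tcp      389, 636, 3268, 7389
ldap_port_t                    udp      389, 636
unreserved_port_t              tcp      1024-32767, 61001-65535'

for p in 1636 636 8443; do
    ldap_port_cmd "$p" "$SAMPLE_PORTS"
done
```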