9.10. Using SELinux Policies

Security-Enhanced Linux (SELinux) is a security feature of Red Hat Enterprise Linux. The Directory Server and its Admin Server and SNMP components have special SELinux policies in place so that the server runs effectively in a secure system environment.
SELinux is a collection of mandatory access control rules which are enforced across a system to restrict unauthorized access and tampering. SELinux categorizes files, directories, ports, processes, users, and other objects on the server. Each object is placed in an appropriate security context to define how the object is allowed to behave on the server through its role, user, and security level. These roles for objects are grouped in domains, and SELinux rules define how the objects in one domain are allowed to interact with objects in another domain.
Directory Server has three domains:
  • dirsrv_t for the Directory Server
  • dirsrvadmin_t for the Admin Server
  • dirsrv_snmp_t for the SNMP service
Directory Server also uses two additional, default domains for LDAP ports (ldap_port_t) and web services (httpd_t).
Figure 9.5. Editing Directory Server File Labeling

These domains provide security contexts for all of the processes, files, directories, ports, sockets, and users for the Directory Server.
  • Files and directories for each instance are labeled with a specific SELinux context. (Most of the main directories used by Directory Server have subdirectories for all local instances, no matter how many, so a single policy is easily applied to new instances.)
  • The ports for each instance are labeled with a specific SELinux context.
  • All Directory Server processes are constrained within the appropriate domain.
  • Each domain has specific rules that define which actions are authorized for the domain.
  • Any access not specified in the SELinux policy is denied to the instance.
SELinux has three different levels of enforcement: disabled (no SELinux), permissive (where the rules are processed but not enforced), and enforcing (where all rules are strictly enforced). Red Hat Directory Server has defined SELinux policies that allow it to run as normal under strict SELinux enforcing mode, with a caveat. The Directory Server can run in different modes, one for normal operations and one for database operations like importing (ldif2db mode). The SELinux policies for the Directory Server only apply to normal mode.
By default, the Directory Server runs confined by SELinux policies.
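One way to confirm that confinement on a host is to compare the SELinux type of each running process with the domain listed above. The script below is an added example, not part of the Red Hat documentation; the process names ns-slapd and ldap-agent and the sample `ps -eZ` lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Expected domains are the ones this page lists (dirsrv_t, dirsrv_snmp_t).
# Assumption: the daemons appear in ps as ns-slapd and ldap-agent.

# Constructed sample of `ps -eZ` output (columns: LABEL PID TTY TIME CMD).
SAMPLE_PS='LABEL                             PID TTY          TIME CMD
system_u:system_r:dirsrv_t:s0    1432 ?        00:00:07 ns-slapd
system_u:system_r:dirsrv_snmp_t:s0 1501 ?      00:00:00 ldap-agent
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2210 pts/0 00:00:01 ns-slapd
system_u:system_r:sshd_t:s0-s0:c0.c1023 987 ?  00:00:00 sshd'

# expected_domain CMD: print the domain expected for CMD, or nothing.
expected_domain() {
    case "$1" in
        ns-slapd)   echo dirsrv_t ;;
        ldap-agent) echo dirsrv_snmp_t ;;
    esac
}

# context_type CONTEXT: print the type field of user:role:type:level.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# audit_ps: read `ps -eZ` output on stdin and print, for each Directory
# Server process, "OK|MISMATCH pid cmd actual_type expected_type".
# Returns 1 if any process runs outside its expected domain.
audit_ps() {
    rc=0
    while read -r label pid _tty _time cmd; do
        want=$(expected_domain "$cmd")
        [ -n "$want" ] || continue      # header line or unrelated process
        got=$(context_type "$label")
        if [ "$got" = "$want" ]; then
            echo "OK $pid $cmd $got $want"
        else
            echo "MISMATCH $pid $cmd $got $want"
            rc=1
        fi
    done
    return $rc
}

# Run against the constructed sample; on a live host use: ps -eZ | audit_ps
printf '%s\n' "$SAMPLE_PS" | audit_ps || echo "at least one process is outside its expected domain"
```

A MISMATCH line identifies a process that is not constrained by the Directory Server policy, which is the first thing to rule out before investigating denials.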
SELinux itself is much more complex to manage and implement than what is described here. This section is concerned only with giving the SELinux details for the Directory Server. Both the Fedora project and the National Security Agency have excellent resources for learning about SELinux. SELinux is a feature of Red Hat Enterprise Linux and, as such, is covered in the Red Hat Enterprise Linux SELinux Guide at http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/index.html.
Both the Directory Server and the Admin Server have their own defined SELinux policies. The SELinux policies for the Directory Server and SNMP services are installed in the 389-ds-selinux RPM package, and the policies for the Admin Server are in the 389-ds-admin-selinux RPM package.
The policies for each Directory Server instance are updated, if necessary, each time the instance is configured with the setup scripts. The same is true for the Admin Server policies.