[DSE-User] SELinux on Wheezy: ldap
Arno Schuring
aelschuring at hotmail.com
Thu Feb 9 22:59:49 UTC 2012
Apart from the usual filecontexts, openldap needs access to random()
for ssl/tls communication.
There is a problem in the current package though: /usr/sbin/slapd is
hardlinked to a number of other slap* binaries, of which only slapd is
supposed to be labeled slapd_exec_t. My current workaround is to
manually break the hardlink by copying the binary over itself. Maybe
because of this workaround, slapd requires execmod on its own binary.
The former is #634081, the execmod issue is not reported because I
don't know if I caused that myself.
Regards,
Arno
-8<--
diff --git a/policy/modules/services/ldap.fc b/policy/modules/services/ldap.fc
index c62f23e..8777578 100644
--- a/policy/modules/services/ldap.fc
+++ b/policy/modules/services/ldap.fc
@@ -1,6 +1,7 @@
/etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0)
/etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
+/etc/init\.d/slapd -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
/usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
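Review bot: the new `/etc/init\.d/slapd` entry is a Debian-specific path but is placed in the generic section next to the `/etc/rc\.d/init\.d/ldap` line, while the file already has an ``ifdef(`distro_debian',`` block (visible in the next hunk's header). Move the line into that block so the Debian paths stay together and the entry is not applied on other distributions. Note also that this hunk leaves `/usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)` unchanged, so the hardlink problem described in the message (#634081) is not addressed by the policy change and still depends on the package breaking the hardlinks.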
@@ -15,3 +16,4 @@ ifdef(`distro_debian',`
/var/run/openldap(/.*)? gen_context(system_u:object_r:slapd_var_run_t,s0)
/var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0)
/var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0)
+/run/slapd/.* gen_context(system_u:object_r:slapd_var_run_t,s0)
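Review bot: the pattern `/run/slapd/.*` matches only the entries inside the directory, not `/run/slapd` itself, so `restorecon -R /run` would leave the directory unlabeled as slapd_var_run_t. Use the same form as the `/var/run/openldap(/.*)?` line two entries above, i.e. `/run/slapd(/.*)?`, so both the directory and its contents get the context.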
diff --git a/policy/modules/services/ldap.te b/policy/modules/services/ldap.te
index 64fd1ff..36e0159 100644
--- a/policy/modules/services/ldap.te
+++ b/policy/modules/services/ldap.te
@@ -1,4 +1,4 @@
-policy_module(ldap, 1.10.0)
+policy_module(ldap, 1.10.5)
########################################
#
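Review bot: the module version jumps from 1.10.0 to 1.10.5 for a single change; unless the intermediate numbers are already taken by other pending patches, bump by one step (1.10.1) so the history stays readable and does not collide with later upstream bumps.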
@@ -37,6 +37,11 @@ files_pid_file(slapd_var_run_t)
#
# Local policy
#
+allow slapd_t slapd_exec_t:file execmod;
+
+dev_read_rand(slapd_t)
+dev_read_urand(slapd_t)
+kernel_read_crypto_sysctls(slapd_t)
# should not need kill
# cjp: why net_raw?
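Review bot: `allow slapd_t slapd_exec_t:file execmod;` should not go in as-is, since the message itself says the execmod denial may be an artifact of the copy-over-itself workaround rather than a real need of slapd. execmod on the daemon's own executable is what text relocations in a non-PIC build require, so it is worth confirming on an unmodified package before granting it; if it is kept, give it an explanatory comment so it is not silently carried forward. The `dev_read_rand(slapd_t)`, `dev_read_urand(slapd_t)` and `kernel_read_crypto_sysctls(slapd_t)` lines match the stated TLS requirement, but a one-line comment (e.g. "# needed for TLS") above them would help, and a blank line after `# Local policy` would keep the layout consistent with the rest of the file.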