If your server has SELinux installed you might need to extend the SELinux ruleset. For example, your web server might not be allowed to write to /var/lib.
Read selinux status
The following command will tell you if selinux is running in Enforcing or Permissive mode.
Enforcing: access that does not match rules is denied
Permissive: access that does not match rules is granted but logged to audit.log
getenforce
Set selinux to Permissive mode
This will just log any access violations. You will need this to get a list of missing rights.
setenforce Permissive
Now do any actions inside LAM that you need for your daily work (e.g. edit server profiles, manage LDAP entries, ...).
Extend selinux rules
SELinux has now logged all violations to audit.log. You can use them to extend your ruleset and re-enable Enforcing mode later.
The following example is for httpd. You can also adapt it to e.g. nginx.
# build additional selinux rules from audit.log
grep httpd /var/log/audit/audit.log | audit2allow -m httpdlocal -o httpdlocal.te
The httpdlocal.te might look like this:
module httpdlocal 1.0;

require {
    type httpd_t;
    type var_lib_t;
    class file { setattr write };
}

#============= httpd_t ==============

#!!!! WARNING 'httpd_t' is not allowed to write or create to var_lib_t. Change the label to httpd_var_lib_t.
#!!!! $ semanage fcontext -a -t httpd_var_lib_t /var/lib/ldap-account-manager/config/lam.conf
#!!!! $ restorecon -R -v /var/lib/ldap-account-manager/config/lam.conf
allow httpd_t var_lib_t:file { setattr write };
Now we can compile and install this rule:
# build module
checkmodule -M -m -o httpdlocal.mod httpdlocal.te
# package module
semodule_package -o httpdlocal.pp -m httpdlocal.mod
# install module
semodule -i httpdlocal.pp
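The grep above feeds every httpd line into audit2allow. Before turning denials into allow rules it is worth seeing exactly which (source type, target type, class, permissions) tuples audit.log contains, since each tuple becomes one allow rule. The script below is an added example and not part of LAM or its documentation: avc_summary reduces raw AVC records to unique tuples, and build_module wraps the compile/package/install steps from this page with a check that the policy tools are present. The audit.log lines are constructed samples; the module name and file paths are assumptions.

```shell
#!/bin/sh
# Added example (not from LAM or its docs): review AVC denials before
# building a policy module. Sample log lines are constructed; module
# name and paths are assumptions.

# avc_summary DOMAIN LOGFILE
# Print one line per distinct denial of DOMAIN: source type, target type,
# object class and denied permissions, e.g. "httpd_t var_lib_t file write".
avc_summary() {
    awk -v dom="$1" '
        /type=AVC/ && /avc: +denied/ {
            perms = ""; src = ""; tgt = ""; cls = ""
            # denied permissions sit between the braces: "{ setattr write }"
            if (match($0, /[{][^}]*[}]/)) {
                perms = substr($0, RSTART + 1, RLENGTH - 2)
                gsub(/^ +| +$/, "", perms)
            }
            # contexts look like user:role:type:level; the type is field 3
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }
                else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
                else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
            }
            if (src == dom) print src, tgt, cls, perms
        }' "$2" | sort -u
}

# build_module NAME TEFILE
# The compile/package/install steps from the page, with the tools checked
# first so a missing policy toolchain fails before anything is half-built.
build_module() {
    name="$1"; te="$2"
    for tool in checkmodule semodule_package semodule; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing: $tool" >&2; return 1; }
    done
    checkmodule -M -m -o "$name.mod" "$te" &&
    semodule_package -o "$name.pp" -m "$name.mod" &&
    semodule -i "$name.pp"
}

# Constructed sample audit.log: two httpd_t denials on lam.conf (one of them
# repeated), one unrelated logrotate_t denial and one non-AVC record.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
type=AVC msg=audit(1700000000.101:201): avc:  denied  { write } for  pid=1234 comm="httpd" name="lam.conf" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=yes exit=12 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { setattr } for  pid=1234 comm="httpd" name="lam.conf" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.103:203): avc:  denied  { write } for  pid=1234 comm="httpd" name="lam.conf" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.104:204): avc:  denied  { unlink } for  pid=987 comm="logrotate" name="access_log.1" dev="dm-0" ino=99 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=1
EOF

# Review the tuples first; only then run e.g.: build_module httpdlocal httpdlocal.te
avc_summary httpd_t "$SAMPLE_LOG"
```

For the sample above the summary is the two tuples `httpd_t var_lib_t file setattr` and `httpd_t var_lib_t file write`, which is exactly what audit2allow collapses into the `allow httpd_t var_lib_t:file { setattr write };` line shown earlier. Note that the generated .te itself warns that this rule is broader than needed: var_lib_t is the generic label for all of /var/lib, so the allow rule lets httpd_t write to any such file. The `semanage fcontext` and `restorecon` commands in the `#!!!!` comments relabel only lam.conf, which confines the new access to that one file and is the option to prefer when it works for your installation.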
Now you can switch back to Enforcing mode:
setenforce Enforcing
LAM should now work as expected with active selinux.