Selinux

In case your server has selinux installed you might need to extend the selinux ruleset. E.g. your webserver might not be allowed to write in /var/lib.

Read selinux status

The following command will tell you if selinux is running in Enforcing or Permissive mode.

Enforcing: access that does not match rules is denied

Permissive: access that does not match rules is granted but logged to audit.log

getenforce

Set selinux to Permissive mode

This will just log any access violations. You will need this to get a list of missing rights.

setenforce Permissive

Now do any actions inside LAM that you need for your daily work (e.g. edit server profiles, manage LDAP entries, ...).

Extend selinux rules

Selinux now has logged any violations to audit.log. You can use this now to extend your ruleset and enable enforcing later.

The following example is for httpd. You can also adapt it to e.g. nginx.

# build additional selinux rules from audit.log
grep httpd /var/log/audit/audit.log | audit2allow -m httpdlocal -o httpdlocal.te

The httpdlocal.te might look like this:

module httpdlocal 1.0;

require {
        type httpd_t;
        type var_lib_t;
        class file { setattr write };
}

#============= httpd_t ==============

#!!!! WARNING 'httpd_t' is not allowed to write or create to var_lib_t.  Change the label to httpd_var_lib_t.
#!!!! $ semanage fcontext -a -t httpd_var_lib_t /var/lib/ldap-account-manager/config/lam.conf
#!!!! $ restorecon -R -v /var/lib/ldap-account-manager/config/lam.conf
allow httpd_t var_lib_t:file { setattr write };

Now we can compile and install this rule:

# build module
checkmodule -M -m -o httpdlocal.mod httpdlocal.te
# package module
semodule_package -o httpdlocal.pp -m httpdlocal.mod
# install module
semodule -i httpdlocal.pp

Now you can switch back to Enforcing mode:

setenforce Enforcing

LAM should now work as expected with active selinux.