
15.2. Configuring SELinux Users in FreeIPA

SELinux user maps, as the name implies, create an association between an SELinux user and a FreeIPA user. Before that association can be established, the FreeIPA server has to be aware of what SELinux users are configured on the systems it manages.
The available SELinux users are part of the FreeIPA server configuration. This is a list of the SELinux users, in order from most to least confined. The SELinux user entry itself has this format:
SELinux_user:MLS
The individual user entries are separated with a dollar sign ($).
Since there is no requirement on user entries to have an SELinux map, many entries may be unmapped. The FreeIPA server configuration can also set a default SELinux user (which is part of the larger SELinux map list) to use for otherwise unmapped FreeIPA user entries.

15.2.1. In the Web UI

  1. In the top menu, click the IPA Server main tab and the Configuration subtab.
  2. Scroll to the bottom of the list of server configuration areas, to SELINUX OPTIONS.
  3. Set the SELinux user configuration.
    There are two areas that can be edited: the prioritized list of SELinux users and the default SELinux user to use for unmapped FreeIPA users.
    The SELinux user map order gives the list of SELinux users, defined on the local Linux system, which are available for configuring mapping rules. This is a prioritized list, from most to least confined. Each SELinux user has the format SELinux_user:MLS.
    The Default SELinux user field sets the SELinux user to use for unmapped FreeIPA users.
  4. Click the Update link at the top of the page to save the changes.

15.2.2. In the CLI

Before SELinux mapping rules can be created, there has to be a defined and universal list of SELinux users which are available to be mapped. This is set in the FreeIPA server configuration:
[jsmith@server ~]$ ipa config-show
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0-s0:c0.c1023$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: guest_u:s0
The SELinux user settings can be edited using the config-mod command.
Example 15.1. List of SELinux Users
The complete list of SELinux users is passed in the --ipaselinuxusermaporder option. This list sets a priority order, from most to least confined users.
The SELinux user entry itself has this format:
SELinux_user:MLS
The individual user entries are separated with a dollar sign ($).
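For example (the list is in single quotes so that the shell does not expand $xguest_u, $user_u and the other entries as variables):
[jsmith@server ~]$ ipa config-mod --ipaselinuxusermaporder='guest_u:s0$xguest_u:s0$user_u:s0-s0:c0.c1023$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023'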


The default SELinux user, used for unmapped entries, must be included in the user map list or the edit operation fails. Likewise, if the default is edited, it must be changed to a user in the SELinux map list or the map list must be updated first.
Example 15.2. Default SELinux User
FreeIPA users are not required to have a specific SELinux user mapped to their account. However, the local system still checks the FreeIPA entry for an SELinux user to use for the FreeIPA user account. The default SELinux user sets the fallback user to use for unmapped FreeIPA user entries; this is, by default, a relatively confined user such as guest_u.
This default user can be changed with the --ipaselinuxusermapdefault option. For example:
[jsmith@server ~]$ ipa config-mod --ipaselinuxusermapdefault="guest_u:s0"
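
A pre-flight check for the two constraints described above (well-formed, dollar-separated entries and a default that appears in the map order), as an added example that is not part of the original documentation. The function name check_selinux_map and the ENTRY_RE pattern are assumptions inferred from the entries shown on this page, not FreeIPA's own validation.

```shell
#!/bin/sh
# Added example: validate values before passing them to `ipa config-mod`.
# ENTRY_RE is an assumption inferred from the entries shown on this page,
# not FreeIPA's own validation logic.
ENTRY_RE='^[a-z_]+_u:s[0-9]+(-s[0-9]+(:c[0-9]+(\.c[0-9]+)?)?)?$'

# check_selinux_map ORDER DEFAULT
# Returns 0 if valid, 1 if an entry is malformed, 2 if DEFAULT is not listed.
check_selinux_map() {
    order=$1
    default=$2
    in_list=no

    # Split on the literal dollar sign; disable globbing while splitting.
    old_ifs=$IFS
    IFS='$'
    set -f
    set -- $order
    set +f
    IFS=$old_ifs

    [ "$#" -gt 0 ] || { echo "empty map order" >&2; return 1; }
    for entry in "$@"; do
        if ! printf '%s\n' "$entry" | grep -Eq "$ENTRY_RE"; then
            echo "malformed entry: '$entry'" >&2
            return 1
        fi
        if [ "$entry" = "$default" ]; then in_list=yes; fi
    done

    if [ "$in_list" != yes ]; then
        echo "default '$default' is not in the map order" >&2
        return 2
    fi
    return 0
}

# Constructed sample values (the list shown on this page). Single quotes keep
# the shell from expanding $xguest_u, $user_u, ... as empty variables.
ORDER='guest_u:s0$xguest_u:s0$user_u:s0-s0:c0.c1023$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023'
DEFAULT='guest_u:s0'
if check_selinux_map "$ORDER" "$DEFAULT"; then
    # Print the command instead of running it.
    printf "ipa config-mod --ipaselinuxusermaporder='%s' --ipaselinuxusermapdefault='%s'\n" \
        "$ORDER" "$DEFAULT"
fi
```

A list that was passed through double quotes collapses into a single entry with no dollar signs, which the format check rejects with return code 1.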