15.3. Mapping SELinux Users and FreeIPA Users

An SELinux map associates an SELinux user with a FreeIPA user (or users). However, SELinux settings are local to each host system, so a map not only needs to map the SELinux user to a FreeIPA user but also to a host system.
The rule definition primarily identifies the SELinux user; the SELinux user is the basis of the rule.
The other half of the map consists of defined FreeIPA users and defined FreeIPA hosts. (The map can contain a single user or host, multiple users and hosts, or user and host groups.) The users and hosts can be defined either by explicitly listing users and hosts or by referencing a host-based access control rule.

NOTE

The host-based access control rule must contain users and hosts, not just services.

15.3.1. In the Web UI

  1. In the top menu, click the Policy main tab and the SELinux User Mappings subtab.
  2. In the list of mappings, click the Add button to create a new map.
  3. Enter the name for the map and the SELinux user exactly as it appears in the FreeIPA server configuration. SELinux users have the format SELinux_username:MLS[:MCS].
  4. Click Add and Edit to add the FreeIPA user information.
  5. As described in the introduction, an SELinux map has three parts: the SELinux user and a FreeIPA user/host pairing. That FreeIPA user/host pair can be defined in one of two ways: it can be set for explicit users on explicit hosts, or it can be defined using a host-based access control rule.
    To set a host-based access control rule, select the rule from the drop-down menu in the General area of the configuration. Using a host-based access control rule also introduces access controls on what hosts a remote user can use to access a target machine. Only one host-based access control rule can be set.
    Alternatively, scroll down the Users and Hosts areas, and click the Add link to assign users, user groups, hosts, or host groups to the SELinux map.
    Select the users (or hosts or groups) on the left, click the right arrow button (>>) to move them to the Prospective column, and click the Add button to add them to the rule.

    NOTE

    Either a host-based access control rule can be given or the users and hosts can be set manually. Both options cannot be used at the same time.
  6. Click the Update link at the top to save the changes to the SELinux user map.

15.3.2. In the CLI

An SELinux map rule has three fundamental parts:
  • The SELinux user (--selinuxuser)
  • The user or user groups which are associated with the SELinux user (--users or --groups)
  • The host or host groups which are associated with the SELinux user (--hosts or --hostgroups)
  • Alternatively, a host-based access control rule which specifies both hosts and users in it (--hbacrule)
A rule can be created with all information at once using the selinuxusermap-add command. Users and hosts can be added to a rule after it is created by using the selinuxusermap-add-user and selinuxusermap-add-host commands, respectively.
Example 15.3. Creating a New SELinux Map
The --selinuxuser value must be the SELinux user name exactly as it appears in the FreeIPA server configuration. SELinux users have the format SELinux_username:MLS[:MCS].
Both a user and a host (or appropriate groups) must be specified for the SELinux mapping to be valid. Users, hosts, or groups can be specified in comma-separated lists.
[jsmith@server ~]$ ipa selinuxusermap-add --users=jsmith,bjensen,jrockford --hosts=server.example.com,test.example.com --selinuxuser="xguest_u:s0" selinux1

Example 15.4. Creating an SELinux Map with a Host-Based Access Control Rule
The --hbacrule value identifies the host-based access control rule to use for mapping. Using a host-based access control rule introduces access controls on what hosts a remote user can use to access a target machine, along with applying SELinux contexts after the remote user has logged into the target machine.
The access control rule must specify both users and hosts appropriately so that the SELinux map can construct the SELinux user, FreeIPA user, and host triple.
Only one host-based access control rule can be specified.
[jsmith@server ~]$ ipa selinuxusermap-add --hbacrule=webserver --selinuxuser="xguest_u:s0" selinux1
Host-based access control rules are described in Chapter 14, Policy: Configuring Host-Based Access Control.

Example 15.5. Adding a User to an SELinux Map
While all of the users and hosts can be added to a map when it is created, users and hosts can also be added after the rule is created. This is done using a specific command, either selinuxusermap-add-user or selinuxusermap-add-host.
[jsmith@server ~]$ ipa selinuxusermap-add-user --users=jsmith selinux1
It is not necessary to use a separate command to add a host-based access control rule after the rule is configured because there can only be one. If the selinuxusermap-mod command is used with the --hbacrule option, it adds the host-based access control rule or overwrites the previous one.

A specific user or host can be removed from an SELinux map by using either the selinuxusermap-remove-host or selinuxusermap-remove-user command.
Example 15.6. Removing a User from an SELinux Map
As with adding a user to a map, the user is identified with the --users option, followed by the name of the map.
[jsmith@server ~]$ ipa selinuxusermap-remove-user --users=jsmith selinux1
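The constraints stated in this section (a valid SELinux_username:MLS[:MCS] value, both users and hosts when no HBAC rule is given, and never an HBAC rule together with explicit users or hosts) are easy to get wrong when scripting map creation. The following POSIX shell wrapper is an added example, not code from the FreeIPA project or from this documentation: it checks those rules before composing the selinuxusermap-add command line. The helper names (valid_selinux_user, build_add_args, add_map) and the IPA_CMD variable are assumptions of this example; the map name selinux1, the SELinux user xguest_u:s0 and the HBAC rule webserver are the sample values used above. With IPA_CMD left at its default of echo, the script only prints the command it would run, so it works without an enrolled client.

```shell
#!/bin/sh
# Added example, not part of the FreeIPA documentation: a small POSIX shell
# wrapper that applies the constraints from section 15.3.2 before composing
# an "ipa selinuxusermap-add" command line. IPA_CMD defaults to "echo", so the
# script only prints the command and runs without an enrolled client; set
# IPA_CMD=ipa to execute it for real. The map name selinux1, the SELinux user
# xguest_u:s0 and the HBAC rule webserver are the page's own sample values.

IPA_CMD="${IPA_CMD:-echo}"

# Check the SELinux user format SELinux_username:MLS[:MCS], e.g. xguest_u:s0
# or staff_u:s0:c0.c1023 (assumed shape of the MLS/MCS part: an s-level, an
# optional -s range, then optional c-categories). Returns 0 on a match.
valid_selinux_user() {
    printf '%s\n' "$1" |
        grep -Eq '^[a-z_][a-z0-9_]*:s[0-9]+(-s[0-9]+)?(:c[0-9]+([.,]c[0-9]+)*)?$'
}

# Print the arguments for selinuxusermap-add, or return 1 with a message on
# stderr. Arguments: map name, SELinux user, HBAC rule (or empty), users list,
# hosts list (comma-separated). Enforces: valid SELinux user; either an HBAC
# rule alone, or both users and hosts; never both forms at once.
build_add_args() {
    map=$1; seuser=$2; hbac=$3; users=$4; hosts=$5
    if ! valid_selinux_user "$seuser"; then
        echo "invalid SELinux user '$seuser' (expected SELinux_username:MLS[:MCS])" >&2
        return 1
    fi
    if [ -n "$hbac" ]; then
        if [ -n "$users" ] || [ -n "$hosts" ]; then
            echo "an HBAC rule cannot be combined with explicit users or hosts" >&2
            return 1
        fi
        echo "selinuxusermap-add --hbacrule=$hbac --selinuxuser=$seuser $map"
    else
        if [ -z "$users" ] || [ -z "$hosts" ]; then
            echo "both --users and --hosts are required when no HBAC rule is given" >&2
            return 1
        fi
        echo "selinuxusermap-add --users=$users --hosts=$hosts --selinuxuser=$seuser $map"
    fi
}

# Validate, then run the command (or only print it when IPA_CMD is echo).
add_map() {
    args=$(build_add_args "$@") || return 1
    # shellcheck disable=SC2086  # splitting the argument string into words is intended
    $IPA_CMD $args
}

# Demonstration with the page's sample values: explicit users and hosts, then
# an HBAC rule, then a rejected attempt that mixes both forms.
add_map selinux1 xguest_u:s0 "" jsmith,bjensen,jrockford server.example.com,test.example.com
add_map selinux1 xguest_u:s0 webserver "" ""
if add_map selinux1 xguest_u:s0 webserver jsmith server.example.com; then
    echo "unexpected: mixed form was accepted" >&2
fi
```

The wrapper deliberately refuses the mixed form instead of letting the server report it, so a provisioning script fails before any partial change is made; the same build_add_args pattern can be reused for selinuxusermap-mod, where --hbacrule overwrites any rule already set on the map.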