Product SiteDocumentation Site

Chapter 15. Policy: Defining SELinux User Maps

15.1. About FreeIPA, SELinux, and Mapping Users
15.2. Configuring SELinux Users in FreeIPA
15.2.1. In the Web UI
15.2.2. In the CLI
15.3. Mapping SELinux Users and FreeIPA Users
15.3.1. In the Web UI
15.3.2. In the CLI
15.4. Troubleshooting SELinux Login Problems
Security-enhanced Linux (SELinux) sets rules over what system users can access processes, files, directories, and system settings. Both the system administrator and applications themselves can define security contexts that restrict or allow user access and even access from other applications.
As part of defining centralized security policies in the FreeIPA domain, FreeIPA provides a way to map FreeIPA users to SELinux users and automatically grant or restrict access to clients and services within the FreeIPA domain, per host, based on the defined SELinux policies.

15.1. About FreeIPA, SELinux, and Mapping Users

Security-enhanced Linux defines kernel-level, mandatory access controls for how users, processes, and applications can interact with other resources on a system. These rules for interactions, called contexts, look at the data and behavior characteristics of different objects on the system and then set rules, called policies, which create contexts based on the security implications of each specific object. This is in contrast to higher-level discretionary access controls which are concerned primarily with file ownership and user identity, without accounting for data criticality or applciation behavior.
System users are associated with an SELinux role. The role is assigned both a multi-layer security context (MLS) a multi-category security context (MCS). The MLS/MCS contexts confine users to what processes, files, and operations they can access on the system.
SELinux Users in the SELinux Manager
Figure 15.1. SELinux Users in the SELinux Manager

This is all described in detail in Red Hat Enterprise Linux 6 Security-Enhanced Linux.
SELinux users and policies function at the system level, not the network level. This means that SELinux users are configured independently on each system. While this is acceptable in many situations — SELinux has common defined system users and SELinux-aware services define their own policies — it has some issues when dealing with remote users and systems that access local resources. Remote users and services can get shuffled into a default guest context without a lot of intelligence about what their actual SELinux user and role should be.
This is how FreeIPA can cleanly integrate an identity domain with local SELinux services. FreeIPA can map FreeIPA users to configured SELinux roles per host. Mapping SELinux and FreeIPA users improves user administration:
  • Remote users can be granted appropriate SELinux user contexts based on their FreeIPA group assignments. This also allows administrators to consistently apply the same policies to the same users without having to create local accounts or reconfigure SELinux.
  • SELinux users are automatically updated as hosts are added to the IT environment or as users are added, removed, or changed, without having to edit local systems.
  • SELinux policies can be planned and related to domain-wide security policies through settings like FreeIPA host-based access control rules.
  • Administrators gain environment-wide visibility and control over how users and systems are assigned in SELinux.
SELinux user maps are comprised of three parts: the SELinux user for the system, an FreeIPA user, and an FreeIPA host. These define two separate relationships. First, it defines a map for the SELinux user on a specific host (the local or target system). Second, it defines a map for the SELinux user and the FreeIPA user.
This arrangement allows administrators to set different SELinux users for the same FreeIPA users, depending on which host they are accessing.
SELinux user maps work with the Systerm Security Services Daemon (SSSD) and the pam_selinux module. When a remote user attempts to log into a machine, SSSD checks its FreeIPA identity provider to collect the user information, including any SELinux maps. The PAM module then processes the user and assigns it the appropriate SELinux user context.
The core of an SElinux mapping rule is the SELinux system user. Each map is associated with the SELinux user first. The SELinux users which are available for mapping are configured in the FreeIPA server, so there is a central and universal list. These are SELinux users which are configured on every host in the FreeIPA domain. By default, there are five common SELinux users defined:
  • guest_u (also used as a default for FreeIPA users)
  • xguest_u
  • user_u
  • staff_u
  • unconfined_u
In the FreeIPA server configuration, each SELinux user is configured with both its username and its MLS/MCS range, SELinux_username:MLS[:MCS], and this format is used to identify the SELinux user when configuring maps.
The FreeIPA user and host configuration is very flexible. Users and hosts can be explicitly and individually assigned to an SELinux user map individually, or user groups or host groups can be explicitly assigned to the map.
An extra layer of security is possible by using host-based access control rules. As long as the host-based access control rule defines a user and a host, it can be used for an SELinux user map. Host-based access control rules (described in Chapter 14, Policy: Configuring Host-Based Access Control) help integrate SELinux user maps with other access controls in FreeIPA and can help limit or allow host-based user access for remote users, as well as defining local security contexts.


If a host-based access control rule is associated with an SELinux user map, the host-based access control rule cannot be deleted until it is removed from the SELinux user map configuration.