9-selinux-user-map.rst

File metadata and controls

141 lines (109 loc) · 5.01 KB

Unit 9: SELinux User Maps

Prerequisites:

SELinux is a mandatory access control (MAC) mechanism for Linux, providing more powerful and flexible access control than traditional Unix permissions. Every process and user session has an SELinux context consisting of a user, a role and a type (plus an MLS/MCS level on policies that use one). In this unit, you will cause users to be confined by an SELinux role-based access control (RBAC) policy when they log into hosts that are members of the webservers Host Group. You will also learn how to change a user's SELinux context when they execute commands via sudo.

Note: SELinux contexts are applied during PAM-based login, so when testing the changes in this unit, su -l <user> will not suffice: it is necessary to log in via SSH. You can do this from any of the VMs (even client itself).

Confining users

Log in as alice and run id -Z to see her current SELinux context:

[alice@client]$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

alice is currently unconfined. We want her to be mapped to the staff_u SELinux user when she logs in, so that an account compromise is limited by the confined staff policy.

SELinux User Maps can refer to users and hosts directly, or they can inherit the users and hosts of an existing HBAC rule. Because access control is defined by HBAC, it is good administrative practice to link SELinux User Maps to HBAC rules, so that when users or hosts are added to the HBAC rule, the correct SELinux context is automatically used for them as well.

Recall that members of the sysadmin User Group already have access to webservers via the sysadmin_webservers rule that was created in Unit 4: Host-based access control (HBAC). Create the SELinux User Map:

[client]$ ipa selinuxusermap-add sysadmin_staff_t \
    --hbacrule sysadmin_webservers --selinuxuser staff_u:s0-s0:c0.c1023
-----------------------------------------
Added SELinux User Map "sysadmin_staff_t"
-----------------------------------------
  Rule name: sysadmin_staff_t
  SELinux User: staff_u:s0-s0:c0.c1023
  HBAC Rule: sysadmin_webservers
  Enabled: TRUE
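After the map is in place, the thing to verify on the host is the SELinux user field of the login context, not the whole string. The helper below is an added example and not part of the FreeIPA workshop: it splits an id -Z context into its user, role, type and level fields and checks the user against the one the map should have assigned. The sample contexts are constructed for the demonstration (the staff_u:staff_r:staff_t context is the usual result of mapping a user to staff_u on the targeted policy); the level field itself contains a colon (s0-s0:c0.c1023), so a naive cut -d: -f4 would truncate it.

```shell
#!/bin/sh
# Added example, not from the FreeIPA workshop: inspect an SELinux context
# such as the one printed by `id -Z` and confirm the SELinux user part.
#
# Print one field of a context string: 1=user 2=role 3=type 4=level.
# The level is "the rest" because MLS/MCS ranges contain a colon themselves.
selinux_field() {
    ctx="$1"
    case "$2" in
        1) printf '%s\n' "${ctx%%:*}" ;;
        2) rest="${ctx#*:}";    printf '%s\n' "${rest%%:*}" ;;
        3) rest="${ctx#*:*:}";  printf '%s\n' "${rest%%:*}" ;;
        4) printf '%s\n' "${ctx#*:*:*:}" ;;
        *) return 1 ;;
    esac
}

# Return 0 when the context's SELinux user equals the expected one, 1 otherwise.
# Intended use on a mapped host after an SSH login:
#   check_selinux_user "$(id -Z)" staff_u
check_selinux_user() {
    ctx="$1"
    want="$2"
    have="$(selinux_field "$ctx" 1)"
    if [ "$have" = "$want" ]; then
        printf 'ok: SELinux user %s (role %s, type %s, level %s)\n' \
            "$have" "$(selinux_field "$ctx" 2)" \
            "$(selinux_field "$ctx" 3)" "$(selinux_field "$ctx" 4)"
        return 0
    fi
    printf 'FAIL: expected SELinux user %s, got %s (context: %s)\n' \
        "$want" "$have" "$ctx" >&2
    return 1
}

# Constructed sample contexts: alice before and after the user map applies.
ALICE_BEFORE='unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'
ALICE_AFTER='staff_u:staff_r:staff_t:s0-s0:c0.c1023'
```

Run check_selinux_user against ALICE_BEFORE to see the failure message an unmapped login produces, and against ALICE_AFTER (or a real id -Z on a webservers host) to see the confirmed fields.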

Now log in as alice over SSH and observe that she is confined by the staff_u