Prerequisites:
- Unit 3: User management and Kerberos authentication
- Unit 4: Host-based access control (HBAC)
- Unit 8: Sudo rule management
SELinux is a mandatory access control mechanism for Linux, providing more powerful and flexible access control than traditional Unix permissions. Users have an SELinux context consisting of a user, role and type. In this unit, you will cause users to be confined by an SELinux role-based access control (RBAC) policy when they log into hosts that are members of the webservers Host Group. You will also learn how to change a user's SELinux context when they execute commands via Sudo.
Note: SELinux contexts are applied during PAM-based login, so when testing our changes in this unit su -l <user> will not suffice: it is necessary to log in via SSH. You can do this from any of the VMs (even client itself).
Log in as alice and run id -Z to see her current SELinux context:

    [alice@client]$ id -Z
    unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

alice is currently unconfined. We want her to be confined to the staff_u context when she logs in, to limit the impact of an account compromise.
SELinux User Maps can refer to users and hosts directly, or they can inherit the users and hosts of an existing HBAC rule. Because access control is defined by HBAC, it is a good administration practice to link SELinux User Maps to HBAC rules, so that when users or hosts are added to the HBAC rule, the correct SELinux context will automatically be used.
Recall that members of the sysadmin User Group already have access to webservers via the sysadmin_webservers rule that was created in Unit 4: Host-based access control (HBAC). Create the SELinux User Map:

    [client]$ ipa selinuxusermap-add sysadmin_staff_t \
        --hbacrule sysadmin_webservers --selinuxuser staff_u:s0-s0:c0.c1023
    -----------------------------------------
    Added SELinux User Map "sysadmin_staff_t"
    -----------------------------------------
      Rule name: sysadmin_staff_t
      SELinux User: staff_u:s0-s0:c0.c1023
      HBAC Rule: sysadmin_webservers
      Enabled: TRUE
Now log in as alice over SSH and observe that she is confined by the staff_u
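The verification step above is done by eye: log in and compare the id -Z output with the SELinux User field of the map. The following script, added here as an example and not part of the workshop, does that comparison mechanically so it can be run on every host the map is meant to cover. It parses a context string into its user, role, type and MLS/MCS range, and checks the user and range against a --selinuxuser value such as staff_u:s0-s0:c0.c1023. The confined context staff_u:staff_r:staff_t:s0-s0:c0.c1023 used as sample input is an assumed result of a confined login; only the unconfined context is taken from the page.

```sh
#!/bin/sh
# Added example (not part of the FreeIPA workshop): parse the context string
# printed by `id -Z` and check it against the SELinux user configured in an
# IPA SELinux User Map, e.g. "staff_u:s0-s0:c0.c1023".

# ctx_field CONTEXT N: print field N of an SELinux context
# (1 = SELinux user, 2 = role, 3 = type, 4 = MLS/MCS range).
# The range itself contains a colon ("s0-s0:c0.c1023"), so only the first
# three colons separate fields; everything after them belongs to the range.
ctx_field() {
    ctx=$1
    case $2 in
        1) printf '%s\n' "${ctx%%:*}" ;;
        2) rest=${ctx#*:};   printf '%s\n' "${rest%%:*}" ;;
        3) rest=${ctx#*:*:}; printf '%s\n' "${rest%%:*}" ;;
        4) printf '%s\n' "${ctx#*:*:*:}" ;;
        *) return 1 ;;
    esac
}

# map_matches CONTEXT MAPUSER: succeed if the login context carries the
# SELinux user (and, when the map specifies one, the MLS/MCS range) given
# as the map's --selinuxuser value; fail otherwise.
map_matches() {
    ctx=$1
    mapuser=$2
    [ "$(ctx_field "$ctx" 1)" = "${mapuser%%:*}" ] || return 1
    case $mapuser in
        *:*) [ "$(ctx_field "$ctx" 4)" = "${mapuser#*:}" ] ;;
        *)   return 0 ;;
    esac
}

# check_login CONTEXT MAPUSER: print a verdict for one login context.
check_login() {
    if map_matches "$1" "$2"; then
        printf 'OK: %s is confined as %s\n' "$(ctx_field "$1" 1)" "$2"
    else
        printf 'MISMATCH: got %s, SELinux User Map expects %s\n' "$1" "$2"
        return 1
    fi
}

# Constructed sample contexts: the unconfined one is what the workshop shows
# for alice before the map exists; the staff_u one is the assumed context of
# a confined login on a webservers host.
before='unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'
after='staff_u:staff_r:staff_t:s0-s0:c0.c1023'
expected='staff_u:s0-s0:c0.c1023'

check_login "$before" "$expected" || true
check_login "$after" "$expected"
```

On a real host, run it as the freshly logged-in user with check_login "$(id -Z)" staff_u:s0-s0:c0.c1023; a MISMATCH after an SSH login means the HBAC rule, the host's group membership, or SSSD's SELinux user map cache should be examined before trusting that the account is confined.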