24.3. Mapping SELinux Users and IdM Users
24.3.1. In the Web UI
- In the top menu, click the Policy main tab and the SELinux User Mappings subtab.
- In the list of mappings, click thebutton to create a new map.
- Enter the name for the map and the SELinux user exactly as it appears in the IdM server configuration. SElinux users have the format SELinux_username:MLS[:MCS].
- Clickto add the IdM user information.
- To set a host-based access control rule, select the rule from the drop-down menu in the General area of the configuration. Using a host-based access control rule also introduces access controls on what hosts a remote user can use to access a target machine. Only one host-based access control rule can be assigned.
NoteThe host-based access control rule must contain users and hosts, not just services.Alternatively, scroll down the Users and Hosts areas, and click the Add link to assign users, user groups, hosts, or host groups to the SELinux map.Select the users (or hosts or groups) on the left, click the right arrows button (Prospective column, and click the button to add them to the rule.) to move them to the
NoteEither a host-based access control rule can be given or the users and hosts can be set manually. Both options cannot be used at the same time.
- Click the Update link at the top to save the changes to the SELinux user map.
24.3.2. In the CLI
- The SELinux user (
- The user or user groups which are associated with the SELinux user (
- The host or host groups which are associated with the SELinux user (
- Alternatively, a host-based access control rule which specifies both hosts and users in it (
selinuxusermap-addcommand. Users and hosts can be added to a rule after it is created by using the
Example 24.3. Creating a New SELinux Map
--selinuxuservalue must be the SELinux user name exactly as it appears in the IdM server configuration. SElinux users have the format SELinux_username:MLS[:MCS].
[jsmith@server ~]$ ipa selinuxusermap-add --users=jsmith,bjensen,jrockford --hosts=server.example.com,test.example.com --selinuxuser="xguest_u:s0" selinux1
Example 24.4. Creating an SELinux Map with a Host-Based Access Control Rule
--hbacrulevalue identifies the host-based access control rule to use for mapping. Using a host-based access control rule introduces access controls on what hosts a remote user can use to access a target machine, along with applying SELinux contexts after the remote user has logged into the target machine.
[jsmith@server ~]$ ipa selinuxusermap-add --hbacrule=webserver --selinuxuser="xguest_u:s0" selinux1
Example 24.5. Adding a User to an SELinux Map
[jsmith@server ~]$ ipa selinuxusermap-add-user --users=jsmith selinux1
selinuxusermap-modcommand is used with the
--hbacruleoption, it adds the host-based access control rule or overwrites the previous one.
Example 24.6. Removing a User from an SELinux Map
selinuxusermap-remove-usercommand. For example:
[jsmith@server ~]$ ipa selinuxusermap-remove-user --users=jsmith selinux1