24.3. Mapping SELinux Users and IdM Users

An SELinux map associates an SELinux user context on a local system with an IdM user (or users) within the domain. An SELinux map has three parts: the SELinux user context and an IdM user/host pairing. That IdM user/host pair can be defined in one of two ways: it can be set for explicit users on explicit hosts (or user and host groups), or it can be defined using a host-based access control rule.

24.3.1. In the Web UI

  1. In the top menu, click the Policy main tab and the SELinux User Mappings subtab.
  2. In the list of mappings, click the Add button to create a new map.
  3. Enter the name for the map and the SELinux user exactly as it appears in the IdM server configuration. SElinux users have the format SELinux_username:MLS[:MCS].
  4. Click Add and Edit to add the IdM user information.
  5. To set a host-based access control rule, select the rule from the drop-down menu in the General area of the configuration. Using a host-based access control rule also introduces access controls on what hosts a remote user can use to access a target machine. Only one host-based access control rule can be assigned.

    Note

    The host-based access control rule must contain users and hosts, not just services.
    Alternatively, scroll down the Users and Hosts areas, and click the Add link to assign users, user groups, hosts, or host groups to the SELinux map.
    Select the users (or hosts or groups) on the left, click the right arrows button (>>) to move them to the Prospective column, and click the Add button to add them to the rule.

    Note

    Either a host-based access control rule can be given or the users and hosts can be set manually. Both options cannot be used at the same time.
  6. Click the Update link at the top to save the changes to the SELinux user map.

24.3.2. In the CLI

An SELinux map rule has three fundamental parts:
  • The SELinux user (--selinuxuser)
  • The user or user groups which are associated with the SELinux user (--users or --groups)
  • The host or host groups which are associated with the SELinux user (--hosts or --hostgroups)
  • Alternatively, a host-based access control rule which specifies both hosts and users in it (--hbacrule)
A rule can be created with all information at once using the selinuxusermap-add command. Users and hosts can be added to a rule after it is created by using the selinuxusermap-add-user and selinuxusermap-add-host commands, respectively.

Example 24.3. Creating a New SELinux Map

The --selinuxuser value must be the SELinux user name exactly as it appears in the IdM server configuration. SElinux users have the format SELinux_username:MLS[:MCS].
Both a user and a host (or appropriate groups) must be specified for the SELinux mapping to be valid. Users, hosts, or groups can be specified in comma-separated lists. 
[jsmith@server ~]$ ipa selinuxusermap-add --users=jsmith,bjensen,jrockford --hosts=server.example.com,test.example.com --selinuxuser="xguest_u:s0" selinux1

Example 24.4. Creating an SELinux Map with a Host-Based Access Control Rule

The --hbacrule value identifies the host-based access control rule to use for mapping. Using a host-based access control rule introduces access controls on what hosts a remote user can use to access a target machine, along with applying SELinux contexts after the remote user has logged into the target machine.
The access control rule must specify both users and hosts appropriately so that the SELinux map can construct the SELinux user, IdM user, and host triple.
Only one host-based access control rule can be specified. 
[jsmith@server ~]$ ipa selinuxusermap-add --hbacrule=webserver --selinuxuser="xguest_u:s0" selinux1
Host-based access control rules are described in Chapter 22, Policy: Configuring Host-Based Access Control.

Example 24.5. Adding a User to an SELinux Map

While all of the users and hosts can be added to a map when it is created, users and hosts can also be added after the rule is created. This is done using a specific command, either selinuxusermap-add-user or selinuxusermap-add-host. 
[jsmith@server ~]$ ipa selinuxusermap-add-user --users=jsmith selinux1
It is not necessary to use a separate command to add a host-based access control rule after the rule is configured because there can only be one. If the selinuxusermap-mod command is used with the --hbacrule option, it adds the host-based access control rule or overwrites the previous one.

Example 24.6. Removing a User from an SELinux Map

A specific user or host can be removed from an SELinux map by using either the selinuxusermap-remove-host or selinuxusermap-remove-user command. For example: 
[jsmith@server ~]$ ipa selinuxusermap-remove-user --users=jsmith selinux1