
32.2. Configuring SELinux User Map Order and Defaults

An SELinux user map is the association between an SELinux user on a client and an IdM user.
The available SELinux user map order is part of the IdM server configuration. The SELinux user map order is a list of the SELinux users, in order from the most to the least confined. Each SELinux user entry has this format:
SELinux_user:MLS[:MCS]
The individual user entries are separated with a dollar sign ($). Because the dollar sign is also the shell's variable prefix, the list must be single-quoted (or the dollar signs escaped) when it is passed on a command line.
Because IdM user entries are not required to have an SELinux map, many entries might be unmapped. The IdM server configuration sets a default SELinux user, one of the entries from the SELinux user map order, to use for unmapped IdM user entries. This way, even unmapped IdM users have a functional SELinux context. The initial default SELinux user for unmapped IdM user entries is unconfined_u, the default SELinux user for system users on Red Hat Enterprise Linux. Because unconfined_u is the least confined user in the list, an unmapped IdM user receives no SELinux confinement at all; choosing a more confined default such as user_u is a least-privilege decision that applies to every user without an explicit map.
This configuration only defines the ordered set of system SELinux users that are available for mapping. It does not assign an SELinux user to any IdM user. The IdM user to SELinux user map must be defined separately, and users are then added to that map. For details, see Section 32.3, “Mapping SELinux Users and IdM Users”.

32.2.1. In the Web UI

  1. In the top menu, click the IPA Server main tab and the Configuration subtab.
  2. Scroll to the bottom of the list of server configuration areas, to SELINUX OPTIONS.
  3. Edit the SELinux user map order, the Default SELinux user, or both.
  4. Click the Update link at the top of the page to save the changes.

32.2.2. In the CLI

To view the list of SELinux users set in the IdM server configuration, which are available to be mapped, and the current default:
[user1@server ~]$ ipa config-show
...
SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
Default SELinux user: unconfined_u:s0-s0:c0.c1023
To edit the SELinux user settings, use the ipa config-mod command:

Example 32.1. List of SELinux Users

To edit the list of SELinux users to be available for mapping, use the --ipaselinuxusermaporder option. The list orders the SELinux users from the most to the least confined, so guest_u comes first and unconfined_u last. Enclose the list in single quotes so that the shell does not treat the dollar-sign separators as variable references, for example:
[user1@server ~]$ ipa config-mod --ipaselinuxusermaporder='guest_u:s0$xguest_u:s0$user_u:s0-s0:c0.c1023$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023'

Note

The default SELinux user, used for unmapped entries, must be one of the entries in the user map list, or the edit operation fails. Likewise, if the default is changed, the new value must already be in the SELinux user map list, or the map list must be updated first.

Example 32.2. Default SELinux User

IdM users are not required to have a specific SELinux user mapped to their account. However, the local system still looks up an SELinux user for the account at login; when no map applies, the default SELinux user is used.
To modify the default SELinux user, use the --ipaselinuxusermapdefault option. The value must be one of the entries in the SELinux user map order. For example:
[user1@server ~]$ ipa config-mod --ipaselinuxusermapdefault="guest_u:s0"
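The following shell script is an added example for Example 32.1 and Example 32.2; it is not part of the Red Hat documentation or of IdM itself. It pre-checks a proposed map order and default before they are handed to ipa config-mod: every entry must match SELinux_user:MLS[:MCS], the stock SELinux users must appear from most to least confined, and the default must be one of the entries. The confinement ranking in RANK is an assumption for the stock Red Hat Enterprise Linux SELinux users (other user names are accepted but not ranked), the function names are the author's own, and apply_map_order assumes that ipa is on PATH and that the server accepts both options in one call.

```sh
#!/bin/sh
# Added example, not Red Hat's or IdM's own code: pre-flight checks for an
# IdM SELinux user map order before it is passed to 'ipa config-mod'.
# Assumptions: POSIX sh with grep; RANK is the ranking of the stock RHEL
# SELinux users; 'ipa' is on PATH only when apply_map_order is actually run.

# Stock SELinux users from most to least confined (assumed ranking).
RANK='guest_u xguest_u user_u staff_u sysadm_u unconfined_u'

# rank_of NAME: print NAME's position in RANK; return 1 if it is not listed.
rank_of() {
    i=0
    for u in $RANK; do
        i=$((i + 1))
        if [ "$u" = "$1" ]; then echo "$i"; return 0; fi
    done
    return 1
}

# entry_ok ENTRY: 0 if ENTRY has the form SELinux_user:MLS[:MCS],
# for example user_u:s0 or staff_u:s0-s0:c0.c1023.
entry_ok() {
    printf '%s\n' "$1" |
        grep -Eq '^[a-z][a-z0-9_]*:s[0-9]+(-s[0-9]+)?(:c[0-9]+([.,]c[0-9]+)*)?$'
}

# check_map_order ORDER DEFAULT
# ORDER is the '$'-separated list; DEFAULT is the entry used for unmapped users.
# Returns 0 only if every entry is well formed, the stock users appear from
# most to least confined, and DEFAULT is one of the entries.
check_map_order() {
    order=$1
    default=$2
    prev=0
    found=0
    # Split ORDER on '$' without glob expansion of the pieces.
    old_ifs=$IFS
    IFS='$'
    set -f
    set -- $order
    set +f
    IFS=$old_ifs
    [ $# -gt 0 ] || { echo 'empty map order' >&2; return 1; }
    for entry in "$@"; do
        # A garbled entry such as guest_u:s0:s0:s0 is the usual sign that the
        # list was written in double quotes and the shell expanded $xguest_u.
        entry_ok "$entry" || { echo "malformed entry '$entry'" >&2; return 1; }
        name=${entry%%:*}
        if r=$(rank_of "$name"); then
            if [ "$r" -lt "$prev" ]; then
                echo "$name is listed after a less confined user" >&2
                return 1
            fi
            prev=$r
        fi
        if [ "$entry" = "$default" ]; then found=1; fi
    done
    [ "$found" -eq 1 ] || { echo "default '$default' is not in the map order" >&2; return 1; }
    return 0
}

# apply_map_order ORDER DEFAULT: run the checks, then push both settings in a
# single config-mod so the default never points outside the list (assumes the
# server validates the pair together). The values are passed through
# variables, so the shell does not re-expand the '$' separators.
apply_map_order() {
    check_map_order "$1" "$2" || return 1
    ipa config-mod --ipaselinuxusermaporder="$1" --ipaselinuxusermapdefault="$2"
}

# Example values (single quotes keep the '$' separators literal). Uncomment
# the last line on an IdM server to apply them.
ORDER='guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023'
DEFAULT='user_u:s0'
# apply_map_order "$ORDER" "$DEFAULT"
```

Run check_map_order on the value you intend to submit before calling ipa config-mod; a rejected double-quoted list shows up as a single malformed entry rather than as a confusing server-side error.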