32.2. Configuring SELinux User Map Order and Defaults
An SELinux user map is the association between an SELinux user on a client and an IdM user.
The available SELinux user map order is part of the IdM server configuration. The SELinux user map order is a list of the SELinux users, ordered from the most to the least confined. Each entry is an SELinux user followed by its MLS/MCS range, for example guest_u:s0 or staff_u:s0-s0:c0.c1023.
The individual user entries are separated with a dollar sign ($).
Since IdM user entries are not required to have an SELinux map, many entries might be unmapped. The IdM server configuration sets a default SELinux user, one of the users from the SELinux map order list, to use for unmapped IdM user entries. This way, even unmapped IdM users have a functional SELinux context. The default SELinux user for unmapped IdM user entries is unconfined_u, the default SELinux user for system users on Red Hat Enterprise Linux.
This configuration only defines the order of the available system SELinux users. It does not map any IdM user to an SELinux user. The IdM user to SELinux user map must be defined separately, and users are then added to that map. For details, see Section 32.3, “Mapping SELinux Users and IdM Users”.
32.2.1. In the Web UI
- In the top menu, click the IPA Server main tab and the Configuration subtab.
- Scroll to the bottom of the list of server configuration areas, to SELINUX OPTIONS.
- Edit the SELinux user map order, the default SELinux user, or both.
- Click the Update link at the top of the page to save the changes.
32.2.2. In the CLI
To view the list of SELinux users set in the IdM server configuration, which are available to be mapped:
[user1@server ~]$ ipa config-show
...
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
To edit the SELinux user settings, use the config-mod command:
Example 32.1. List of SELinux Users
To edit the list of SELinux users available for mapping, use the --ipaselinuxusermaporder option. The list orders the SELinux users from the most to the least confined, for example:
[user1@server ~]$ ipa config-mod --ipaselinuxusermaporder='guest_u:s0$xguest_u:s0$user_u:s0-s0:c0.c1023$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023'
Put the value in single quotes (or escape each $ as \$). Inside double quotes the shell treats $xguest_u, $user_u and the other entries as variable references and expands them, usually to nothing, so the order string sent to the server is silently corrupted.
The default SELinux user, used for unmapped entries, must be included in the map order list, or the edit operation fails. Likewise, if the default is changed, the new value must be one of the users already in the map order list; if it is not, update the map order first.
Example 32.2. Default SELinux User
IdM users are not required to have a specific SELinux user mapped to their account. However, the client still looks up an SELinux user for every IdM user at login, so an unmapped user receives the default SELinux user.
To modify the default SELinux user, use the --ipaselinuxusermapdefault option. For example:
[user1@server ~]$ ipa config-mod --ipaselinuxusermapdefault='guest_u:s0'
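The following script is an added example, not part of the IdM documentation or the FreeIPA project. It checks a proposed map order and default locally before passing them to ipa config-mod: every entry must have the user:MLS/MCS form shown above, no SELinux user may be listed twice, and the default must be an exact entry of the order. It also shows what happens to the order string when it is written in double quotes. The helper names, the IPA_DRY_RUN variable and the sample values are this example's own assumptions; only the ipa config-mod options come from the page.

```shell
#!/bin/bash
# Added example, not part of the IdM documentation: check a new SELinux user
# map order and default locally before handing them to `ipa config-mod`.
# Helper names, IPA_DRY_RUN and the sample values are this example's own.

# selinux_order_is_valid ORDER
# Returns 0 when every '$'-separated entry has the form
#   <selinux_user>:<MLS level>[:<MCS cats>][-<MLS level>[:<MCS cats>]]
# (e.g. guest_u:s0 or staff_u:s0-s0:c0.c1023), there are no empty entries
# and no SELinux user is listed twice.  Anything else returns 1.
selinux_order_is_valid() {
    local order=$1 rest entry user seen=" "
    [ -n "$order" ] || return 1
    rest=$order
    while :; do
        entry=${rest%%\$*}                 # text up to the first '$'
        printf '%s\n' "$entry" | grep -Eq \
            '^[a-z_][a-z0-9_]*:s[0-9]+(:c[0-9]+([.,]c[0-9]+)*)?(-s[0-9]+(:c[0-9]+([.,]c[0-9]+)*)?)?$' \
            || return 1
        user=${entry%%:*}
        case $seen in *" $user "*) return 1 ;; esac   # duplicate SELinux user
        seen="$seen$user "
        [ "$rest" = "$entry" ] && break    # no further separator
        rest=${rest#*\$}
    done
    return 0
}

# selinux_default_in_order ORDER DEFAULT
# Returns 0 only if DEFAULT is exactly one of the entries (the MLS/MCS range
# must match too, as IdM compares the whole string), else 1.
selinux_default_in_order() {
    local order=$1 default=$2 rest entry
    rest=$order
    while :; do
        entry=${rest%%\$*}
        [ "$entry" = "$default" ] && return 0
        [ "$rest" = "$entry" ] && return 1
        rest=${rest#*\$}
    done
}

# selinux_apply_map ORDER DEFAULT
# Validates both values, then sets them in a single config-mod call so the
# new default is never checked against a stale order.  The real command only
# runs with IPA_DRY_RUN=0 (it needs an IdM admin Kerberos ticket); otherwise
# it is echoed.  "$order"/"$default" are variable expansions: the '$'
# characters inside their values are not re-expanded, so they reach ipa intact.
selinux_apply_map() {
    local order=$1 default=$2
    selinux_order_is_valid "$order" \
        || { echo "rejected: malformed SELinux user map order: $order" >&2; return 1; }
    selinux_default_in_order "$order" "$default" \
        || { echo "rejected: default $default is not in the map order" >&2; return 1; }
    if [ "${IPA_DRY_RUN:-1}" = "0" ]; then
        ipa config-mod --ipaselinuxusermaporder="$order" \
                       --ipaselinuxusermapdefault="$default"
    else
        echo "dry run: ipa config-mod --ipaselinuxusermaporder='$order' --ipaselinuxusermapdefault='$default'"
    fi
}

# Constructed sample values (not read from a real server).
NEW_ORDER='guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023'
NEW_DEFAULT='guest_u:s0'
# The same string in double quotes: $xguest_u, $user_u, $staff_u and
# $unconfined_u are expanded as (unset, hence empty) shell variables.
MANGLED="guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023"

if ! selinux_order_is_valid "$MANGLED"; then
    echo "double-quoted value was mangled by the shell: $MANGLED"
fi
selinux_apply_map "$NEW_ORDER" "$NEW_DEFAULT"
```

Run it as-is to see the dry-run output and the mangled string; run it with IPA_DRY_RUN=0 after kinit as an IdM administrator to apply the change. Setting order and default together in one call avoids the failure described above, where a new default is rejected because the old order does not yet contain it.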