From Fedora Project Wiki

Description

SELinux user mapping provides a set of rules that maps a user to an SELinux context based on the machine being logged in to. These can leverage existing HBAC rules for the list of users and hosts so the lists don't need to be maintained in two places.

Setup

  • Make sure you have a working FreeIPA server
  • Enroll a client with this IPA server

How to Test

The steps assume that you have already obtained a Kerberos ticket on the IPA server before running the commands, and that the same ticket is used for every ssh login to the client:

# kinit admin

You may see this error when logging in to the client:

Could not chdir to home directory /home/admin: No such file or directory

This is because home directories are not created by default on the client; the message can be ignored.

Get the current configuration

On the server:

# ipa config-show

Note the default SELinux user and the SELinux user map order. The order is the list of SELinux users a rule may map to, from least to most privileged; it decides which user is applied when more than one rule matches a login, and a rule cannot map to a user that is not in this list.

Test the baseline

Using the ticket obtained above, ssh from the server to the client and record the baseline context:

# ssh ipaclient.example.com id -Z

Note the full context (user:role:type:level). Its first field, the SELinux user, should match the default SELinux user shown in the IPA config (unconfined_u:s0-s0:c0.c1023 on a default install).

Create and test a single rule

# ipa selinuxusermap-add --usercat=all --hostcat=all --selinuxuser=guest_u:s0 test1
# ssh ipaclient.example.com id -Z

The SELinux user in the context should now be guest_u (for example guest_u:guest_r:guest_t:s0).

Add another rule to test rule ordering

A rule that names this user and this host should override the catch-all rule, so add one for admin on the client, mapping to xguest_u (the next user in the default map order):

# ipa selinuxusermap-add --selinuxuser=xguest_u:s0 test2
# ipa selinuxusermap-add-user --users=admin test2
# ipa selinuxusermap-add-host --hosts=ipaclient.example.com test2
# ssh ipaclient.example.com id -Z

The SELinux user in the context should now be xguest_u.

Test HBAC rules

The users and hosts of an existing HBAC rule can be used as the source of user/host information instead of listing them in the map itself:

# ipa hbacrule-add hbacrule1
# ipa hbacrule-add-user --users=admin hbacrule1
# ipa hbacrule-add-host --hosts=ipaclient.example.com hbacrule1
# ipa selinuxusermap-add --selinuxuser=user_u:s0-s0:c0.c1023 --hbacrule=hbacrule1 test3
# ssh ipaclient.example.com id -Z

The SELinux user in the context should now be user_u.

Test disabling a rule

# ipa selinuxusermap-disable test3
# ssh ipaclient.example.com id -Z

The SELinux user in the context should be xguest_u again, from rule test2: a disabled rule stays defined but is no longer evaluated. Re-enable it with ipa selinuxusermap-enable test3, or remove it with ipa selinuxusermap-del test3, when cleaning up.
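The checks above are easy to get wrong by reading the whole `id -Z` string instead of its first field, and the map order section is easiest to understand with the precedence written down. The script below is an added example, not part of this wiki page or of FreeIPA/SSSD: it parses `id -Z` output, ranks SELinux users by the `$`-separated map order string as printed by `ipa config-show`, picks the winner among several matching rules, and can run the live ssh comparison. The map order string, the client host name ipaclient.example.com and the expected users are assumptions taken from the test steps; the precedence rule encoded in `winning_seuser` is the one the expected results of this test exhibit (the user furthest along the order wins).

```shell
#!/bin/sh
# Added example, not from the wiki page or from FreeIPA/SSSD. Helpers for
# scripting the SELinux user map checks: parse `id -Z`, rank users by the
# map order, and (live only) compare a client login against expectations.
# Host names and expected values are assumptions taken from the test steps.

# First field of an `id -Z` context: "guest_u:guest_r:guest_t:s0" -> "guest_u".
# Only this field is set by a map; role, type and level follow from it.
selinux_user_of() {
    printf '%s\n' "$1" | cut -d: -f1
}

# 1-based position of an SELinux user in a '$'-separated map order string
# (the "SELinux user map order" value from `ipa config-show`), or 0 if the
# user is absent. Entries carry a level ("user_u:s0-s0:c0.c1023"), so the
# match is on the user name before the first ':'.
map_order_rank() {
    order=$1 want=$2
    rank=0 i=0
    old_ifs=$IFS
    IFS='$'
    set -f                      # no globbing while splitting on '$'
    for entry in $order; do
        i=$((i + 1))
        case $entry in
            "$want" | "$want":*) rank=$i ;;
        esac
    done
    set +f
    IFS=$old_ifs
    printf '%s\n' "$rank"
}

# Given the map order and the SELinux users of every rule that matches a
# login, print the one that is applied. This test's expected results show
# the user furthest along the order (most privileged) winning when several
# rules match, which is what is encoded here. Prints nothing if no user is
# in the order.
winning_seuser() {
    order=$1; shift
    best="" best_rank=0
    for u in "$@"; do
        r=$(map_order_rank "$order" "$u")
        if [ "$r" -gt "$best_rank" ]; then
            best=$u best_rank=$r
        fi
    done
    printf '%s\n' "$best"
}

# True when the user field of an observed context equals the expected user.
context_matches() {
    [ "$(selinux_user_of "$1")" = "$2" ]
}

# Live check; needs a Kerberos ticket on the server and an enrolled client,
# so it is not exercised offline. Every ssh is a fresh login, which is what
# matters: the context is assigned at login, so an already open session
# does not change when a rule is added or disabled on the server.
check_client() {
    host=$1 expected=$2
    ctx=$(ssh "$host" id -Z) || return 2
    if context_matches "$ctx" "$expected"; then
        printf 'OK: %s -> %s\n' "$host" "$ctx"
    else
        printf 'MISMATCH: %s -> %s (expected SELinux user %s)\n' \
            "$host" "$ctx" "$expected" >&2
        return 1
    fi
}

# Only run the live check when asked, so the file is side-effect free when
# sourced, e.g.:  sh selinuxmap-check.sh live ipaclient.example.com xguest_u
if [ "${1:-}" = live ]; then
    check_client "$2" "$3"
fi
```

Run it as `sh selinuxmap-check.sh live ipaclient.example.com xguest_u` after each `ipa selinuxusermap-*` command above to replace the manual "context should be ..." comparison; `map_order_rank` returning 0 is the same condition under which `ipa selinuxusermap-add` refuses the `--selinuxuser` value.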

Expected Results

All the test steps should end with the specified results.