Description
SELinux user mapping provides a set of rules that maps a user to an SELinux context based on the machine being logged in to. These can leverage existing HBAC rules for the list of users and hosts so the lists don't need to be maintained in two places.
Setup
- Make sure you have a working FreeIPA server
- Enroll a client with this IPA server
How to test
The assumption is that on the IPA server you have already gotten a Kerberos ticket before running the commands.
# kinit admin
You may see this error when logging into remote servers:
Could not chdir to home directory /home/admin: No such file or directory
This is because home directories are not created by default. It can be ignored.
Get the current configuration
On the server:
# ipa config-show
Note the default SELinux user and the map order. The order lists the SELinux users from least to greatest access.
Test the baseline
Get a ticket and ssh from the server to the client to get the baseline context:
# ssh ipaclient.example.com id -Z
Note the context; it should match the default SELinux user shown in the IPA config.
Create and test a single rule
# ipa selinuxusermap-add --usercat=all --hostcat=all --selinuxuser=guest_u:s0 test1
# ssh ipaclient.example.com id -Z
Context should be guest_u
Add another rule to test rule ordering
A more specific rule should override a less specific rule, so add a rule for this user on this host.
# ipa selinuxusermap-add --selinuxuser=xguest_u:s0 test2
# ipa selinuxusermap-add-user --users=admin test2
# ipa selinuxusermap-add-host --hosts=ipaclient.example.com test2
# ssh ipaclient.example.com id -Z
Context should be xguest_u
Test HBAC rules
An HBAC rule can be used as the source of user/host information:
# ipa hbacrule-add hbacrule1
# ipa hbacrule-add-user --users=admin hbacrule1
# ipa hbacrule-add-host --hosts=ipaclient.example.com hbacrule1
# ipa selinuxusermap-add --selinuxuser=user_u:s0-s0:c0.c1023 --hbacrule=hbacrule1 test3
# ssh ipaclient.example.com id -Z
Context should be user_u
Test disabling a rule
# ipa selinuxusermap-disable test3
# ssh ipaclient.example.com id -Z
Context should be xguest_u (from rule test2)
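The resolution these steps exercise, as an added example that is not FreeIPA's or SSSD's own code: a simplified model in which the map order from ipa config-show ranks the rules that match a login (highest wins) and an HBAC rule can supply a map's users and hosts. The map order string and the HBAC membership are constructed for this walkthrough; on a real deployment they come from the server.

```python
# Added example (not FreeIPA or SSSD code): a simplified model of how a
# client resolves the SELinux user for a login from the map order plus the
# selinuxusermap rules that match. MAP_ORDER is constructed for this
# walkthrough in the format ipa config-show displays (contexts joined by
# '$', least access first).
MAP_ORDER = "guest_u:s0$xguest_u:s0$user_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023"
DEFAULT_USER = "unconfined_u:s0-s0:c0.c1023"

# HBAC rules a map may reference via --hbacrule: name -> (users, hosts)
HBAC_RULES = {"hbacrule1": ({"admin"}, {"ipaclient.example.com"})}

def rule(name, selinuxuser, users=(), hosts=(), usercat=None, hostcat=None,
         hbacrule=None, enabled=True):
    """One selinuxusermap entry, with the fields the ipa commands above set."""
    return {"name": name, "selinuxuser": selinuxuser, "users": set(users),
            "hosts": set(hosts), "usercat": usercat, "hostcat": hostcat,
            "hbacrule": hbacrule, "enabled": enabled}

def matches(r, user, host):
    """A rule applies when both user and host are in scope, via a category
    of 'all', explicit members, or the referenced HBAC rule."""
    if not r["enabled"]:
        return False
    users, hosts = HBAC_RULES[r["hbacrule"]] if r["hbacrule"] else (r["users"], r["hosts"])
    return ((r["usercat"] == "all" or user in users)
            and (r["hostcat"] == "all" or host in hosts))

def resolve(rules, user, host, order=MAP_ORDER, default=DEFAULT_USER):
    """Pick the matching context ranked highest in the map order, or the
    configured default when no rule matches."""
    rank = {ctx: i for i, ctx in enumerate(order.split("$"))}
    hits = [r["selinuxuser"] for r in rules if matches(r, user, host)]
    return max(hits, key=lambda ctx: rank.get(ctx, -1)) if hits else default

def walkthrough():
    """Replay the test steps; returns the context after each step."""
    user, host, rules, seen = "admin", "ipaclient.example.com", [], []
    seen.append(resolve(rules, user, host))  # baseline: no rules yet
    rules.append(rule("test1", "guest_u:s0", usercat="all", hostcat="all"))
    seen.append(resolve(rules, user, host))
    rules.append(rule("test2", "xguest_u:s0", users=[user], hosts=[host]))
    seen.append(resolve(rules, user, host))
    rules.append(rule("test3", "user_u:s0-s0:c0.c1023", hbacrule="hbacrule1"))
    seen.append(resolve(rules, user, host))
    rules[-1]["enabled"] = False  # ipa selinuxusermap-disable test3
    seen.append(resolve(rules, user, host))
    return seen
```

Running walkthrough() yields the same sequence of contexts the steps above expect, and a user or host outside every rule falls back to the default SELinux user.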
Expected Results
All the test steps should end with the specified results.