Unit 9: SELinux User Maps

Prerequisites:

SELinux is a mandatory access control mechanism for Linux, providing more powerful and flexible access control than traditional Unix permissions. Users have an SELinux context consisting of a user, role and type. In this unit, you will cause users to be confined by an SELinux role-based access control (RBAC) policy when they log into hosts that are members of the `webservers` Host Group. You will also learn how to change a user's SELinux context when they execute commands via Sudo.

Note: SELinux contexts are applied during PAM-based login, so when testing our changes in this unit `su -l <user>` will not suffice: it is necessary to log in via SSH. You can do this from any of the VMs (even `client` itself).
Confining users

Log in as `alice` and run `id -Z` to see her current SELinux context:

```
[alice@client]$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
```

`alice` is currently unconfined. We want her to be confined to the `staff_u` context when she logs in, to limit the impact of an account compromise.
SELinux User Maps can refer to users and hosts directly, or they can inherit the users and hosts of an existing HBAC rule. Because access control is defined by HBAC, it is a good administration practice to link SELinux User Maps to HBAC rules, so that when users or hosts are added to the HBAC rule, the correct SELinux context will automatically be used.
Recall that members of the `sysadmin` User Group already have access to `webservers` via the `sysadmin_webservers` rule that was created in Unit 4: Host-based access control (HBAC). Create the SELinux User Map:

```
[client]$ ipa selinuxusermap-add sysadmin_staff_t \
  --hbacrule sysadmin_webservers --selinuxuser staff_u:s0-s0:c0.c1023
-----------------------------------------
Added SELinux User Map "sysadmin_staff_t"
-----------------------------------------
  Rule name: sysadmin_staff_t
  SELinux User: staff_u:s0-s0:c0.c1023
  HBAC Rule: sysadmin_webservers
  Enabled: TRUE
```
Now log in as `alice` over SSH and observe that she is confined by the `staff_u` policy:

```
[server]$ ssh alice@client.ipademo.local
alice@client.ipademo.local's password:
Last login: Fri Sep 2 05:47:03 2016
[alice@client]$ id -Z
staff_u:staff_r:staff_t:s0-s0:c0.c1023
```
Note: in production use you should ensure that only one HBAC rule allows access for a given user/host/SELinux User Map combination. Only one SELinux policy will be applied, and if multiple policies match, the winning policy may be chosen inconsistently.
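One way to audit the situation described in the note, as an added example that is not part of the FreeIPA workshop: feed the output of `ipa hbactest` and the list of HBAC rules that carry SELinux User Maps to a check that flags the case where more than one matched rule has a map. It assumes `ipa hbactest` prints one "Matched rules: NAME" line per matched rule and that `ipa selinuxusermap-find --hbacrule NAME` lists the maps linked to NAME; the sample data in the test is constructed.

```shell
# Added example, not part of the FreeIPA workshop. For a user/host/service,
# count how many matched HBAC rules carry an SELinux User Map.
# Assumptions: `ipa hbactest` prints one "Matched rules: NAME" line per
# matched rule; `ipa selinuxusermap-find --hbacrule NAME` lists the maps
# linked to NAME, one "SELinux User:" line per map.

# Print the HBAC rule names that `ipa hbactest` (on stdin) reports as matched.
matched_rules() {
    sed -n 's/^[[:space:]]*Matched rules:[[:space:]]*//p'
}

# $1: hbactest output. $2: lines of "HBAC_RULE SELINUX_USER" pairs.
# Prints the maps that apply to the matched rules; returns 0 when zero or
# one map applies and 1 when more than one does (the ambiguous case).
check_selinux_maps() {
    hits=$(printf '%s\n' "$1" | matched_rules | while read -r rule; do
        printf '%s\n' "$2" | awk -v r="$rule" '$1 == r { print r, $2 }'
    done)
    count=$(printf '%s' "$hits" | grep -c . || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
    fi
    if [ "$count" -gt 1 ]; then
        echo "AMBIGUOUS: $count SELinux User Maps match; fix the HBAC rules" >&2
        return 1
    fi
    return 0
}

# Live variant against the IPA server (needs the ipa CLI and a Kerberos ticket).
# Usage: live_check alice client.ipademo.local sshd
live_check() {
    # hbactest exits non-zero when access is denied; keep its output anyway.
    out=$(ipa hbactest --user "$1" --host "$2" --service "$3" || true)
    pairs=$(printf '%s\n' "$out" | matched_rules | while read -r rule; do
        ipa selinuxusermap-find --hbacrule "$rule" 2>/dev/null |
            sed -n "s/^[[:space:]]*SELinux User:[[:space:]]*/$rule /p"
    done)
    check_selinux_maps "$out" "$pairs"
}
```

Run `live_check alice client.ipademo.local sshd` from a host with an admin ticket; a non-zero exit means two or more matched HBAC rules each carry a map and the applied context is not predictable.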
Unconfined sudo

`alice` is now confined by the `staff_u` policy, but being a `sysadmin` she needs to be unconfined when running commands via `sudo`. With the current configuration, commands run via `sudo` inherit a user's context, as the following commands demonstrate:

```
[alice@client]$ sudo -s
[sudo] password for alice:
sh-4.4# id
uid=0(root) gid=0(root) groups=0(root) context=staff_u:staff_r:staff_t:s0-s0:c0.c1023
sh-4.4# echo "Hello, world!" > /etc/motd
sh: /etc/motd: Permission denied
```
As you can see, `alice` became `root`, but the SELinux confinement prevents her from writing `/etc/motd` (and many other things). Let's make it so that `alice` can do her job. We need to update the Sudo rule to change the SELinux context:

```
[alice@client]$ ipa sudorule-add-option sysadmin_sudo --sudooption type=unconfined_t
-------------------------------------------------------------
Added option "type=unconfined_t" to Sudo Rule "sysadmin_sudo"
-------------------------------------------------------------
  Rule name: sysadmin_sudo
  Enabled: TRUE
  Host category: all
  Command category: all
  RunAs User category: all
  RunAs Group category: all
  Sudo Option: type=unconfined_t

[alice@client]$ ipa sudorule-add-option sysadmin_sudo --sudooption role=unconfined_r
-------------------------------------------------------------
Added option "role=unconfined_r" to Sudo Rule "sysadmin_sudo"
-------------------------------------------------------------
  Rule name: sysadmin_sudo
  Enabled: TRUE
  Host category: all
  Command category: all
  RunAs User category: all
  RunAs Group category: all
  Sudo Option: type=unconfined_t, role=unconfined_r
```
Now when `alice` runs `sudo` it changes the SELinux context of the program being run:

```
[alice@client]$ sudo -s
sh-4.4# id -Z
staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
sh-4.4# echo "Hello, world!" > /etc/motd
sh-4.4# cat /etc/motd
Hello, world!
```
This concludes the unit. You can now proceed to Unit 10: SSH user and host key management or return to the curriculum overview to see all the available topics.