Red Hat Summit Red Hat SummitSupportKonsoleEntwicklerDemo startenKontakt

Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.

32.3. Mapping SELinux Users and IdM Users

An SELinux map associates an SELinux user context on a local system with an IdM user, or users, within the domain. An SELinux map has three parts: the SELinux user context and an IdM user-host pairing. The IdM user-host pair can be defined in one of two ways: it can be set for explicit users, or user groups, on explicit hosts, or host groups; or it can be defined using a host-based access control rule.

32.3.1. In the Web UI
Link kopieren

  1. In the top menu, click the Policy main tab and the SELinux User Mappings subtab.
  2. In the list of mappings, click the Add button to create a new map.
    View larger image
  3. Enter the name for the map and the SELinux user. The format of the SELinux user has to be identical with how it appears in the IdM server configuration. SELinux users have the format SELinux_user:MLS[:MCS].
    View larger image
  4. Click Add and Edit to add the IdM user information.
  5. To set a host-based access control rule, select the rule from the drop-down menu in the General area of the configuration. Using a host-based access control rule also introduces access controls on what hosts a remote user can use to access a target machine. Only one host-based access control rule can be assigned.
    Note
    The host-based access control rule must contain users and hosts, not just services.
    View larger image
    Alternatively, scroll down the Users and Hosts areas, and click the Add link to assign users, user groups, hosts, or host groups to the SELinux map.
    View larger image
    Select the users (or hosts or groups) on the left, click the right arrows button (>>) to move them to the Prospective column, and click the Add button to add them to the rule.
    View larger image
    Note
    Only one option can be used: either a host-based access control rule can be given or the users and hosts can be set manually. Both options cannot be used at the same time.
  6. Click the Update link at the top to save the changes to the SELinux user map.

32.3.2. In the CLI
Link kopieren

An SELinux map rule has three fundamental parts:
  • The SELinux user: --selinuxuser
  • The user or user groups which are associated with the SELinux user: --users or --groups
  • The host or host groups which are associated with the SELinux user: --hosts or --hostgroups
  • Alternatively, a host-based access control rule which specifies both hosts and users in it: --hbacrule
A rule can be created with all information at once using the selinuxusermap-add command. Users and hosts can be added to a rule after it is created by using the selinuxusermap-add-user and selinuxusermap-add-host commands, respectively.

Example 32.3. Creating a New SELinux Map

The --selinuxuser value must be the SELinux user name exactly as it appears in the IdM server configuration. SELinux users have the format SELinux_user:MLS[:MCS].
The user, or user group; and the host, or host group must be specified for the SELinux mapping to be valid. The user, host, and group options can be used multiple times or can be used once with a comma-separated listed inside curly braces, for example --option={val1,val2,val3}. 
[user1@server ~]$ ipa selinuxusermap-add --selinuxuser="xguest_u:s0" selinux1
[user1@server ~]$ ipa selinuxusermap-add-user --users=user1 --users=user2 --users=user3 selinux1
[user1@server ~]$ ipa selinuxusermap-add-host --hosts=server.example.com --hosts=test.example.com selinux1
Copy to Clipboard Toggle word wrap

Example 32.4. Creating an SELinux Map with a Host-Based Access Control Rule

The --hbacrule value identifies the host-based access control rule to use for mapping. Using a host-based access control rule introduces access controls on what hosts a remote user can use to access a target machine, along with applying SELinux contexts after the remote user has logged into the target machine.
The access control rule must specify both users and hosts appropriately so that the SELinux map can construct the SELinux user, IdM user, and host triple.
Only one host-based access control rule can be specified. 
[user1@server ~]$ ipa selinuxusermap-add --hbacrule=webserver --selinuxuser="xguest_u:s0" selinux1
Copy to Clipboard Toggle word wrap
Host-based access control rules are described in Chapter 31, Configuring Host-Based Access Control.

Example 32.5. Adding a User to an SELinux Map

Users and hosts can be added to an already existing map. This is done using a specific command, either selinuxusermap-add-user or selinuxusermap-add-host. 
[user1@server ~]$ ipa selinuxusermap-add-user --users=user1 selinux1
Copy to Clipboard Toggle word wrap
If the selinuxusermap-mod command is used with the --hbacrule option to modify an already existing SELinux map, the new SELinux map overwrites the previous SELinux map.

Example 32.6. Removing a User from an SELinux Map

A specific user or host can be removed from an SELinux map by using either the selinuxusermap-remove-host or selinuxusermap-remove-user command. For example: 
[user1@server ~]$ ipa selinuxusermap-remove-user --users=user2 selinux1
Copy to Clipboard Toggle word wrap
Red Hat logoGithubredditYoutubeTwitter

Lernen

Testen, kaufen und verkaufen

Communitys

Über Red Hat Dokumentation

Wir helfen Red Hat Benutzern, mit unseren Produkten und Diensten innovativ zu sein und ihre Ziele zu erreichen – mit Inhalten, denen sie vertrauen können. Entdecken Sie unsere neuesten Updates.

Mehr Inklusion in Open Source

Red Hat hat sich verpflichtet, problematische Sprache in unserem Code, unserer Dokumentation und unseren Web-Eigenschaften zu ersetzen. Weitere Einzelheiten finden Sie in Red Hat Blog.

Über Red Hat

Wir liefern gehärtete Lösungen, die es Unternehmen leichter machen, plattform- und umgebungsübergreifend zu arbeiten, vom zentralen Rechenzentrum bis zum Netzwerkrand.

Theme

© 2026 Red HatNach oben