32.2. Configuring SELinux User Map Order and Defaults

An SELinux user map is the association between an SELinux user on a client and an IdM user.
The available SELinux user map order is part of the IdM server configuration. The SELinux user map order is a list of the SELinux users, in an order from the most to the least confined. The SELinux user entry itself has this format:
The individual user entries are separated with a dollar sign ($).
Since there is no requirement on user entries to have an SELinux map, many entries might be unmapped. The IdM server configuration sets a default SELinux user, one of the users from the total SELinux map list, to use for unmapped IdM user entries. This way, even unmapped IdM users have a functional SELinux context. The default SELinux user for unmapped IdM user entries is unconfined_u, the default SELinux user for system users on Red Hat Enterprise Linux.
This configuration defines the map order of available system SELinux users. This does not define any IdM user SELinux policies. The IdM user - SELinux user map must be defined and then users are added to the map. For details, see Section 32.3, “Mapping SELinux Users and IdM Users”.

32.2.1. In the Web UI

  1. In the top menu, click the IPA Server main tab and the Configuration subtab.
  2. Scroll to the bottom of the list of server configuration areas, to SELINUX OPTIONS.
  3. Edit the SELinux user configuration, the SELinux user map order, the Default SELinux user, or both.
  4. Click the Update link at the top of the page to save the changes.

32.2.2. In the CLI

To view the list of SELinux users set in the IdM server configuration that are available to be mapped:
[user1@server ~]$ ipa config-show
SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
Default SELinux user: unconfined_u:s0-s0:c0.c1023
To edit the SELinux user settings, use the config-mod command:

Example 32.1. List of SELinux Users

To edit the list of SELinux users to be available for mapping, use the --ipaselinuxusermaporder option. The list orders the SELinux users from the most to the least confined. Enclose the value in single quotes: with double quotes, the shell treats each dollar-sign separator and the name after it (for example $guest_u) as a variable reference and expands it to an empty string, so the wrong list is sent to the server. For example:
[user1@server ~]$ ipa config-mod --ipaselinuxusermaporder='unconfined_u:s0-s0:c0.c1023$guest_u:s0$xguest_u:s0$user_u:s0-s0:c0.c1023$staff_u:s0-s0:c0.c1023'
The default SELinux user, used for unmapped entries, must be included in the user map list or the edit operation fails. Likewise, if the default is edited, it must be changed to a user in the SELinux map list or the map list must be updated first.

Example 32.2. Default SELinux User

IdM users are not required to have a specific SELinux user mapped to their account. However, the local system still checks the IdM entry for an SELinux user to use for the IdM user account.
To modify the default SELinux user, use the --ipaselinuxusermapdefault option. For example:
[user1@server ~]$ ipa config-mod --ipaselinuxusermapdefault="guest_u:s0"
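The rules in Example 32.1 and Example 32.2 (entries separated by a dollar sign, and the default SELinux user must be one of the entries in the map order or the config-mod call fails) can be checked locally before anything is sent to the IdM server. The following POSIX sh script is an added example and is not part of the Red Hat documentation or the ipa tool; the function names valid_map_order, default_in_order and plan_selinux_config are assumed names, and the script only prints the ipa config-mod command line it would run. It also demonstrates why single quotes are needed around values that contain the $ separator.

```sh
#!/bin/sh
# Added example (not from the Red Hat documentation or the ipa tool):
# pre-flight checks for the SELinux user map order and default before
# running `ipa config-mod`. Function names are assumed, not ipa's.

# Return 0 if every '$'-separated entry in $1 looks like an SELinux user
# (name ending in _u, optionally followed by :MLS[:MCS]), else return 1.
valid_map_order() {
    _order=$1
    [ -n "$_order" ] || return 1
    _old_ifs=$IFS
    IFS='$'                      # split the list on the literal dollar sign
    for _entry in $_order; do
        case $_entry in
            *_u|*_u:*) ;;        # e.g. guest_u:s0, staff_u:s0-s0:c0.c1023
            *) IFS=$_old_ifs; return 1 ;;   # empty or malformed entry
        esac
    done
    IFS=$_old_ifs
    return 0
}

# Return 0 if $2 (the default SELinux user) is exactly one of the entries
# in the map order $1, else return 1. This is the rule from Example 32.1:
# the default must be included in the list or the edit fails.
default_in_order() {
    _order=$1
    _default=$2
    _old_ifs=$IFS
    IFS='$'
    for _entry in $_order; do
        if [ "$_entry" = "$_default" ]; then
            IFS=$_old_ifs
            return 0
        fi
    done
    IFS=$_old_ifs
    return 1
}

# Validate both values and print the ipa config-mod command that would
# apply them. Nothing is sent to the server; the caller decides whether
# to run the printed line.
plan_selinux_config() {
    if ! valid_map_order "$1"; then
        echo "error: map order must be SELinux users separated by '\$'" >&2
        return 1
    fi
    if ! default_in_order "$1" "$2"; then
        echo "error: default '$2' is not in the map order; ipa config-mod would fail" >&2
        return 1
    fi
    # Single quotes keep the shell from expanding '$guest_u' etc. as variables.
    printf "ipa config-mod --ipaselinuxusermaporder='%s' --ipaselinuxusermapdefault='%s'\n" "$1" "$2"
}

# Usage: sh check_selinux_map.sh 'guest_u:s0$...$unconfined_u:s0-s0:c0.c1023' 'unconfined_u:s0-s0:c0.c1023'
if [ "$#" -ge 2 ]; then
    plan_selinux_config "$1" "$2"
fi
```

Running the script with the map order shown by ipa config-show above and a default that is in the list prints the command to run; passing a default that is not in the list (or a list with an empty or malformed entry) exits non-zero with a message, which mirrors the failure the server would otherwise report after the fact.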