SELinux User Mapping

Manage SELinux user context mapping for IPA users on client systems. SELinux user maps assign SELinux user contexts to IPA users and hosts, controlling the SELinux domain users run in. Features include user and host category specification, SELinux user assignment (guest_u, user_u, staff_u, etc.), priority ordering, enable/disable controls, and integration with SSSD for applying SELinux contexts during user login.


Map IPA users to SELinux users by host.

Hosts, hostgroups, users and groups can either be defined within the rule, or the rule may point to an existing HBAC rule. When using the --hbacrule option with selinuxusermap-find, an exact match is made on the HBAC rule name, so only one or zero entries will be returned.

EXAMPLES

Create a rule, “test1”, that sets all users to xguest_u:s0 on the host “server”:

ipa selinuxusermap-add --usercat=all --selinuxuser=xguest_u:s0 test1
ipa selinuxusermap-add-host --hosts=server.example.com test1

Create a rule, “test2”, that sets all users to guest_u:s0 and uses an existing HBAC rule for users and hosts:

ipa selinuxusermap-add --usercat=all --hbacrule=webserver --selinuxuser=guest_u:s0 test2

Display the properties of a rule:

ipa selinuxusermap-show test2

Create a rule for a specific user. This sets the SELinux context for user john to unconfined_u:s0-s0:c0.c1023 on any machine:

ipa selinuxusermap-add --hostcat=all --selinuxuser=unconfined_u:s0-s0:c0.c1023 john_unconfined
ipa selinuxusermap-add-user --users=john john_unconfined

Disable a rule:

ipa selinuxusermap-disable test1

Enable a rule:

ipa selinuxusermap-enable test1

Find a rule referencing a specific HBAC rule:

ipa selinuxusermap-find --hbacrule=allow_some

Remove a rule:

ipa selinuxusermap-del john_unconfined

SEE ALSO

The list controlling the order in which the SELinux user map is applied and the default SELinux user are available in the config-show command.
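The SELinux user given to --selinuxuser has to be one of the entries in the "SELinux user map order" list that config-show reports (the IPA server rejects a map whose SELinux user is not in that list), and its position in the list is what the description above calls priority ordering. The following POSIX sh script is an added example, not part of the FreeIPA reference or the ipa client: it parses config-show style output for the order list and the default SELinux user, and reports where a candidate value sits in the order before you use it in selinuxusermap-add. The SAMPLE_CONFIG_SHOW text is constructed to mimic the config-show labels; it was not captured from a real server.

```shell
#!/bin/sh
# Added example (not FreeIPA code): validate a --selinuxuser value against the
# order list that "ipa config-show" reports, before creating a SELinux user map.
# SAMPLE_CONFIG_SHOW is constructed to look like config-show output.

SAMPLE_CONFIG_SHOW='  Maximum username length: 32
  Home directory base: /home
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$sysadm_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023'

# order_from_config: read config-show output on stdin, print the '$'-separated order list.
order_from_config() {
    sed -n 's/^ *SELinux user map order: *//p'
}

# default_from_config: read config-show output on stdin, print the default SELinux user.
default_from_config() {
    sed -n 's/^ *Default SELinux user: *//p'
}

# selinux_user_position ORDER USER: print the 1-based position of USER in ORDER
# (entries separated by '$'); return 1 when USER is not in the list.
selinux_user_position() {
    rest=$1
    want=$2
    i=0
    while [ -n "$rest" ]; do
        # Peel one entry off the front of the list; '$' is the IPA separator.
        case $rest in
            *'$'*) entry=${rest%%\$*}; rest=${rest#*\$} ;;
            *)     entry=$rest;        rest= ;;
        esac
        i=$((i + 1))
        if [ "$entry" = "$want" ]; then
            printf '%s\n' "$i"
            return 0
        fi
    done
    return 1
}

# check_map_user CONFIG_OUTPUT USER: return 0 if USER may be used in a map,
# 1 (with a message on stderr) otherwise.
check_map_user() {
    order=$(printf '%s\n' "$1" | order_from_config)
    if [ -z "$order" ]; then
        echo "no 'SELinux user map order' line found in config-show output" >&2
        return 1
    fi
    pos=$(selinux_user_position "$order" "$2") || {
        echo "$2 is not in the SELinux user map order; selinuxusermap-add would reject it" >&2
        return 1
    }
    echo "$2 is entry $pos of the order list"
}

# Stand-alone run against the constructed sample. Against a real server use:
#   check_map_user "$(ipa config-show)" xguest_u:s0
check_map_user "$SAMPLE_CONFIG_SHOW" xguest_u:s0
check_map_user "$SAMPLE_CONFIG_SHOW" unconfined_u:s0-s0:c0.c1023
# user_u exists in the list only with level s0, so this one is rejected:
check_map_user "$SAMPLE_CONFIG_SHOW" user_u:s0-s0:c0.c1023 || true
```

The value must match an order-list entry exactly, including the MLS/MCS level part (user_u:s0 is in the sample list, user_u:s0-s0:c0.c1023 is not), which is why the check compares whole entries rather than the name before the first colon.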

Commands

Command                        Description
selinuxusermap-add             Create a new SELinux User Map.
selinuxusermap-add-host        Add target hosts and hostgroups to an SELinux User Map rule.
selinuxusermap-add-user        Add users and groups to an SELinux User Map rule.
selinuxusermap-del             Delete a SELinux User Map.
selinuxusermap-disable         Disable an SELinux User Map rule.
selinuxusermap-enable          Enable an SELinux User Map rule.
selinuxusermap-find            Search for SELinux User Maps.
selinuxusermap-mod             Modify a SELinux User Map.
selinuxusermap-remove-host     Remove target hosts and hostgroups from an SELinux User Map rule.
selinuxusermap-remove-user     Remove users and groups from an SELinux User Map rule.
selinuxusermap-show            Display the properties of a SELinux User Map rule.

selinuxusermap-add

Usage: ipa [global-options] selinuxusermap-add NAME [options]

Create a new SELinux User Map.

Arguments

Argument   Required   Description
NAME       yes        Rule name

Options

Option                       Description
--selinuxuser SELINUXUSER    SELinux User
--hbacrule HBACRULE          HBAC Rule that defines the users, groups and hostgroups
--usercat USERCAT            User category the rule applies to
--hostcat HOSTCAT            Host category the rule applies to
--desc DESC                  Description
--setattr SETATTR            Set an attribute to a name/value pair. Format is attr=value.
--addattr ADDATTR            Add an attribute/value pair. Format is attr=value. The attribute
--all                        Retrieve and print all attributes from the server. Affects command output.
--raw                        Print entries as stored on the server. Only affects output format.
--no-members                 Suppress processing of membership attributes.

selinuxusermap-add-host

Usage: ipa [global-options] selinuxusermap-add-host NAME [options]

Add target hosts and hostgroups to an SELinux User Map rule.

Arguments

Argument   Required   Description
NAME       yes        Rule name

Options

Option                       Description
--all                        Retrieve and print all attributes from the server. Affects command output.
--raw                        Print entries as stored on the server. Only affects output format.
--no-members                 Suppress processing of membership attributes.
--hosts HOSTS                hosts to add
--hostgroups HOSTGROUPS      host groups to add

selinuxusermap-add-user

Usage: ipa [global-options] selinuxusermap-add-user NAME [options]

Add users and groups to an SELinux User Map rule.

Arguments

Argument   Required   Description
NAME       yes        Rule name

Options

Option                       Description
--all                        Retrieve and print all attributes from the server. Affects command output.
--raw                        Print entries as stored on the server. Only affects output format.
--no-members                 Suppress processing of membership attributes.
--users USERS                users to add
--groups GROUPS              groups to add

selinuxusermap-del

Usage: ipa [global-options] selinuxusermap-del NAME [options]

Delete a SELinux User Map.

Arguments

Argument   Required   Description
NAME       yes        Rule name

Options

Option                       Description
--continue                   Continuous mode: Don’t stop on errors.


selinuxusermap-disable

Usage: ipa [global-options] selinuxusermap-disable NAME [options]

Disable an SELinux User Map rule.

Arguments

Argument   Required   Description
NAME       yes        Rule name


selinuxusermap-enable

Usage: ipa [global-options] selinuxusermap-enable NAME [options]

Enable an SELinux User Map rule.

Arguments

Argument   Required   Description
NAME       yes        Rule name


selinuxusermap-find

Usage: ipa [global-options] selinuxusermap-find [CRITERIA] [options]

Search for SELinux User Maps.

Arguments

Argument   Required   Description
CRITERIA   no         A string searched in all relevant object attributes

Options

Option                       Description
--name NAME                  Rule name
--selinuxuser SELINUXUSER    SELinux User
--hbacrule HBACRULE          HBAC Rule that defines the users, groups and hostgroups
--usercat USERCAT            User category the rule applies to
--hostcat HOSTCAT            Host category the rule applies to
--desc DESC                  Description
--timelimit TIMELIMIT        Time limit of search in seconds (0 is unlimited)
--sizelimit SIZELIMIT        Maximum number of entries returned (0 is unlimited)
--all                        Retrieve and print all attributes from the server. Affects command output.
--raw                        Print entries as stored on the server. Only affects output format.
--pkey-only                  Results should contain primary key attribute only (“name”)


selinuxusermap-mod

Usage: ipa [global-options] selinuxusermap-mod NAME [options]

Modify a SELinux User Map.

Arguments

Argument   Required   Description
NAME       yes        Rule name

Options

Option                       Description
--selinuxuser SELINUXUSER    SELinux User
--hbacrule HBACRULE          HBAC Rule that defines the users, groups and hostgroups
--usercat USERCAT            User category the rule applies to
--hostcat HOSTCAT            Host category the rule applies to
--desc DESC                  Description
--setattr SETATTR            Set an attribute to a name/value pair. Format is attr=value.
--addattr ADDATTR            Add an attribute/value pair. Format is attr=value. The attribute
--delattr DELATTR            Delete an attribute/value pair. The option will be evaluated
--rights                     Display the access rights of this entry (requires --all). See ipa man page for details.
--all                        Retrieve and print all attributes from the server. Affects command output.
--raw                        Print entries as stored on the server. Only affects output format.
--no-members                 Suppress processing of membership attributes.


selinuxusermap-remove-host

Usage: ipa [global-options] selinuxusermap-remove-host NAME [options]

Remove target hosts and hostgroups from an SELinux User Map rule.

Arguments

Argument   Required   Description
NAME       yes        Rule name

Options

Option                       Description
--all                        Retrieve and print all attributes from the server. Affects command output.
--raw                        Print entries as stored on the server. Only affects output format.
--no-members                 Suppress processing of membership attributes.
--hosts HOSTS                hosts to remove
--hostgroups HOSTGROUPS      host groups to remove


selinuxusermap-remove-user

Usage: ipa [global-options] selinuxusermap-remove-user NAME [options]

Remove users and groups from an SELinux User Map rule.

Arguments

Argument   Required   Description
NAME       yes        Rule name

Options

Option                       Description
--all                        Retrieve and print all attributes from the server. Affects command output.
--raw                        Print entries as stored on the server. Only affects output format.
--no-members                 Suppress processing of membership attributes.
--users USERS                users to remove
--groups GROUPS              groups to remove


selinuxusermap-show

Usage: ipa [global-options] selinuxusermap-show NAME [options]

Display the properties of a SELinux User Map rule.

Arguments

Argument   Required   Description
NAME       yes        Rule name

Options

Option                       Description
--rights                     Display the access rights of this entry (requires --all). See ipa man page for details.
--all                        Retrieve and print all attributes from the server. Affects command output.
--raw                        Print entries as stored on the server. Only affects output format.
--no-members                 Suppress processing of membership attributes.