2018-06-07 02:05:50 -05:00
|
|
|
Unit 9: SELinux User Maps
|
|
|
|
=========================
|
|
|
|
|
2018-06-07 02:51:36 -05:00
|
|
|
**Prerequisites**:
|
|
|
|
|
|
|
|
- `Unit 3: User management and Kerberos authentication <3-user-management.rst>`_
|
|
|
|
- `Unit 4: Host-based access control (HBAC) <4-hbac.rst>`_
|
|
|
|
- `Unit 8: Sudo rule management <8-sudorule.rst>`_
|
|
|
|
|
2018-06-07 02:05:50 -05:00
|
|
|
SELinux is a *mandatory access controls* mechanism for Linux,
|
|
|
|
providing more powerful and flexible access control than traditional
|
|
|
|
Unix permissions. Users have an SELinux *context* consisting of a
|
|
|
|
*user*, *role* and *type*. The goal of this unit is to cause users
|
|
|
|
to be *confined* by an SELinux *role-based access control (RBAC)*
|
|
|
|
policy when the log into hosts that are members of the
|
|
|
|
``webservers`` Host Group.
|
|
|
|
|
|
|
|
..
|
|
|
|
- users can have different selinux policy on diff hosts
|
|
|
|
|
|
|
|
**Note:** SELinux contexts are applied during PAM-based login, so
|
|
|
|
when testing our changes in this unit ``su -l <user>`` will not
|
|
|
|
suffice: it is necessary to log in via SSH. You can do this from
|
|
|
|
any of the VMs (even ``client`` itself).
|
|
|
|
|
|
|
|
Log in as ``alice`` and run ``id -Z`` to see her current SELinux
|
|
|
|
context::
|
|
|
|
|
|
|
|
[alice@client]$ id -Z
|
|
|
|
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
|
|
|
|
|
|
|
|
``alice`` is currently *unconfined*. We want her to be confined to
|
|
|
|
the ``staff_u`` context when she logs in, to limit the impact of an
|
|
|
|
account compromise.
|
|
|
|
|
|
|
|
SELinux User Maps can refer to users and hosts directly, or they can
|
|
|
|
inherit the users and hosts of an existing HBAC rule. Because
|
|
|
|
access control is defined by HBAC, it is a good administration
|
|
|
|
practice to link SELinux User Maps to HBAC rules, so that when users
|
|
|
|
or hosts are added to the HBAC rule, the correct SELinux context
|
|
|
|
will automatically be used.
|
|
|
|
|
|
|
|
Recall that members of the ``sysadmin`` User Group already have
|
|
|
|
access to ``webservers`` via the ``sysadmin_webservers`` rule that
|
|
|
|
was created in `Unit 4: Host-based access control (HBAC)`_. Create
|
|
|
|
the SELinux User Map::
|
|
|
|
|
|
|
|
[client]$ ipa selinuxusermap-add sysadmin_staff_t \
|
|
|
|
--hbacrule sysadmin_webservers --selinuxuser staff_u:s0-s0:c0.c1023
|
|
|
|
-----------------------------------------
|
|
|
|
Added SELinux User Map "sysadmin_staff_t"
|
|
|
|
-----------------------------------------
|
|
|
|
Rule name: sysadmin_staff_t
|
|
|
|
SELinux User: staff_u:s0-s0:c0.c1023
|
|
|
|
HBAC Rule: sysadmin_webservers
|
|
|
|
Enabled: TRUE
|
|
|
|
|
|
|
|
|
|
|
|
Now login in as ``alice`` over SSH and observe that she is confined
|
|
|
|
by the ``staff_u`` policy::
|
|
|
|
|
|
|
|
[server]$ ssh alice@client.ipademo.local
|
|
|
|
alice@client.ipademo.local's password:
|
|
|
|
Last login: Fri Sep 2 05:47:03 2016
|
|
|
|
[alice@client]$ id -Z
|
|
|
|
staff_u:staff_r:staff_t:s0-s0:c0.c1023
|
|
|
|
|
|
|
|
|
|
|
|
**Note:** in production use you should ensure that only one HBAC
|
|
|
|
rule allows access for a given user/host/SELinux User Map
|
|
|
|
combination. Only one SELinux policy will be applied, and if
|
|
|
|
multiple policies match, the winning policy may be chosen
|
|
|
|
inconsistently.
|
|
|
|
|
|
|
|
|
|
|
|
Unconfined ``sudo``
|
|
|
|
-------------------
|
|
|
|
|
|
|
|
``alice`` is now confined by the ``staff_u`` policy, but being a
|
|
|
|
``sysadmin`` she needs to be unconfined when running commands via
|
|
|
|
``sudo``. With the current configuration, commands run via ``sudo``
|
|
|
|
inherit a user's context, as the following commands demonstrate::
|
|
|
|
|
|
|
|
[alice@client]$ sudo -s
|
|
|
|
[sudo] password for alice:
|
|
|
|
sh-4.3# id -Z
|
|
|
|
staff_u:staff_r:staff_t:s0-s0:c0.c1023
|
|
|
|
sh-4.3# systemctl restart httpd
|
|
|
|
Failed to restart httpd.service: Access denied
|
|
|
|
See system logs and 'systemctl status httpd.service' for details.
|
|
|
|
sh-4.3#
|
|
|
|
|
|
|
|
Now let's make it so that ``alice`` can do her job. We need to
|
|
|
|
update the Sudo rule to change the SELinux context::
|
|
|
|
|
|
|
|
[alice@client]$ ipa sudorule-add-option sysadmin_sudo --sudooption type=unconfined_t
|
|
|
|
-------------------------------------------------------------
|
|
|
|
Added option "type=unconfined_t" to Sudo Rule "sysadmin_sudo"
|
|
|
|
-------------------------------------------------------------
|
|
|
|
Rule name: sysadmin_sudo
|
|
|
|
Enabled: TRUE
|
|
|
|
Host category: all
|
|
|
|
Command category: all
|
|
|
|
RunAs User category: all
|
|
|
|
RunAs Group category: all
|
|
|
|
Sudo Option: type=unconfined_t
|
|
|
|
[alice@client]$ ipa sudorule-add-option sysadmin_sudo --sudooption role=unconfined_r
|
|
|
|
-------------------------------------------------------------
|
|
|
|
Added option "role=unconfined_r" to Sudo Rule "sysadmin_sudo"
|
|
|
|
-------------------------------------------------------------
|
|
|
|
Rule name: sysadmin_sudo
|
|
|
|
Enabled: TRUE
|
|
|
|
Host category: all
|
|
|
|
Command category: all
|
|
|
|
RunAs User category: all
|
|
|
|
RunAs Group category: all
|
|
|
|
Sudo Option: type=unconfined_t, role=unconfined_r
|
|
|
|
|
|
|
|
Now when ``alice`` runs ``sudo`` it changes the SELinux context of
|
|
|
|
the program being run::
|
|
|
|
|
|
|
|
[alice@client]$ sudo -s
|
|
|
|
sh-4.3# id -Z
|
|
|
|
staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
|
|
|
|
sh-4.3# systemctl restart httpd
|
|
|
|
sh-4.3#
|
2018-06-07 02:51:36 -05:00
|
|
|
|
|
|
|
|
|
|
|
This concludes the unit. You can now proceed to
|
|
|
|
`Unit 10: SSH user and host key management <10-ssh-key-management.rst>`_
|
|
|
|
or
|
2018-06-07 03:03:19 -05:00
|
|
|
`return to the curriculum overview <workshop.rst#curriculum-overview>`_
|
2018-06-07 02:51:36 -05:00
|
|
|
to see all the available topics.
|