freeipa/9-selinux-user-map.rst

Unit 9: SELinux User Maps
=========================

SELinux is a *mandatory access controls* mechanism for Linux,
providing more powerful and flexible access control than traditional
Unix permissions.  Users have an SELinux *context* consisting of a
*user*, *role* and *type*.  The goal of this unit is to cause users
to be *confined* by an SELinux *role-based access control (RBAC)*
policy when the log into hosts that are members of the
``webservers`` Host Group.

..
  - users can have different selinux policy on diff hosts

**Note:** SELinux contexts are applied during PAM-based login, so
when testing our changes in this unit ``su -l <user>`` will not
suffice: it is necessary to log in via SSH.  You can do this from
any of the VMs (even ``client`` itself).

Log in as ``alice`` and run ``id -Z`` to see her current SELinux
context::

  [alice@client]$ id -Z
  unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

``alice`` is currently *unconfined*.  We want her to be confined to
the ``staff_u`` context when she logs in, to limit the impact of an
account compromise.

SELinux User Maps can refer to users and hosts directly, or they can
inherit the users and hosts of an existing HBAC rule.  Because
access control is defined by HBAC, it is a good administration
practice to link SELinux User Maps to HBAC rules, so that when users
or hosts are added to the HBAC rule, the correct SELinux context
will automatically be used.

Recall that members of the ``sysadmin`` User Group already have
access to ``webservers`` via the ``sysadmin_webservers`` rule that
was created in `Unit 4: Host-based access control (HBAC)`_.  Create
the SELinux User Map::

  [client]$ ipa selinuxusermap-add sysadmin_staff_t \
      --hbacrule sysadmin_webservers --selinuxuser staff_u:s0-s0:c0.c1023
  -----------------------------------------
  Added SELinux User Map "sysadmin_staff_t"
  -----------------------------------------
    Rule name: sysadmin_staff_t
    SELinux User: staff_u:s0-s0:c0.c1023
    HBAC Rule: sysadmin_webservers
    Enabled: TRUE


Now login in as ``alice`` over SSH and observe that she is confined
by the ``staff_u`` policy::

  [server]$ ssh alice@client.ipademo.local
  alice@client.ipademo.local's password:
  Last login: Fri Sep  2 05:47:03 2016
  [alice@client]$ id -Z
  staff_u:staff_r:staff_t:s0-s0:c0.c1023


**Note:** in production use you should ensure that only one HBAC
rule allows access for a given user/host/SELinux User Map
combination.  Only one SELinux policy will be applied, and if
multiple policies match, the winning policy may be chosen
inconsistently.


Unconfined ``sudo``
-------------------

``alice`` is now confined by the ``staff_u`` policy, but being a
``sysadmin`` she needs to be unconfined when running commands via
``sudo``.  With the current configuration, commands run via ``sudo``
inherit a user's context, as the following commands demonstrate::

  [alice@client]$ sudo -s
  [sudo] password for alice:
  sh-4.3# id -Z
  staff_u:staff_r:staff_t:s0-s0:c0.c1023
  sh-4.3# systemctl restart httpd
  Failed to restart httpd.service: Access denied
  See system logs and 'systemctl status httpd.service' for details.
  sh-4.3#

Now let's make it so that ``alice`` can do her job.  We need to
update the Sudo rule to change the SELinux context::

  [alice@client]$ ipa sudorule-add-option sysadmin_sudo --sudooption type=unconfined_t
  -------------------------------------------------------------
  Added option "type=unconfined_t" to Sudo Rule "sysadmin_sudo"
  -------------------------------------------------------------
    Rule name: sysadmin_sudo
    Enabled: TRUE
    Host category: all
    Command category: all
    RunAs User category: all
    RunAs Group category: all
    Sudo Option: type=unconfined_t
  [alice@client]$ ipa sudorule-add-option sysadmin_sudo --sudooption role=unconfined_r
  -------------------------------------------------------------
  Added option "role=unconfined_r" to Sudo Rule "sysadmin_sudo"
  -------------------------------------------------------------
    Rule name: sysadmin_sudo
    Enabled: TRUE
    Host category: all
    Command category: all
    RunAs User category: all
    RunAs Group category: all
    Sudo Option: type=unconfined_t, role=unconfined_r

Now when ``alice`` runs ``sudo`` it changes the SELinux context of
the program being run::

  [alice@client]$ sudo -s
  sh-4.3# id -Z
  staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
  sh-4.3# systemctl restart httpd
  sh-4.3#
split workshop into separate files 2018-06-07 02:05:50 -05:00			`Unit 9: SELinux User Maps`
			`=========================`

			`SELinux is a mandatory access controls mechanism for Linux,`
			`providing more powerful and flexible access control than traditional`
			`Unix permissions. Users have an SELinux context consisting of a`
			`user, role and type. The goal of this unit is to cause users`
			`to be confined by an SELinux role-based access control (RBAC)`
			`policy when the log into hosts that are members of the`
			``webservers`` Host Group.

			`..`
			`- users can have different selinux policy on diff hosts`

			`Note: SELinux contexts are applied during PAM-based login, so`
			when testing our changes in this unit ``su -l <user>`` will not
			`suffice: it is necessary to log in via SSH. You can do this from`
			any of the VMs (even ``client`` itself).

			Log in as ``alice`` and run ``id -Z`` to see her current SELinux
			`context::`

			`[alice@client]$ id -Z`
			`unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023`

			``alice`` is currently unconfined. We want her to be confined to
			the ``staff_u`` context when she logs in, to limit the impact of an
			`account compromise.`

			`SELinux User Maps can refer to users and hosts directly, or they can`
			`inherit the users and hosts of an existing HBAC rule. Because`
			`access control is defined by HBAC, it is a good administration`
			`practice to link SELinux User Maps to HBAC rules, so that when users`
			`or hosts are added to the HBAC rule, the correct SELinux context`
			`will automatically be used.`

			Recall that members of the ``sysadmin`` User Group already have
			access to ``webservers`` via the ``sysadmin_webservers`` rule that
			was created in `Unit 4: Host-based access control (HBAC)`_. Create
			`the SELinux User Map::`

			`[client]$ ipa selinuxusermap-add sysadmin_staff_t \`
			`--hbacrule sysadmin_webservers --selinuxuser staff_u:s0-s0:c0.c1023`
			`-----------------------------------------`
			`Added SELinux User Map "sysadmin_staff_t"`
			`-----------------------------------------`
			`Rule name: sysadmin_staff_t`
			`SELinux User: staff_u:s0-s0:c0.c1023`
			`HBAC Rule: sysadmin_webservers`
			`Enabled: TRUE`


			Now login in as ``alice`` over SSH and observe that she is confined
			by the ``staff_u`` policy::

			`[server]$ ssh alice@client.ipademo.local`
			`alice@client.ipademo.local's password:`
			`Last login: Fri Sep 2 05:47:03 2016`
			`[alice@client]$ id -Z`
			`staff_u:staff_r:staff_t:s0-s0:c0.c1023`


			`Note: in production use you should ensure that only one HBAC`
			`rule allows access for a given user/host/SELinux User Map`
			`combination. Only one SELinux policy will be applied, and if`
			`multiple policies match, the winning policy may be chosen`
			`inconsistently.`


			Unconfined ``sudo``
			`-------------------`

			``alice`` is now confined by the ``staff_u`` policy, but being a
			``sysadmin`` she needs to be unconfined when running commands via
			``sudo``. With the current configuration, commands run via ``sudo``
			`inherit a user's context, as the following commands demonstrate::`

			`[alice@client]$ sudo -s`
			`[sudo] password for alice:`
			`sh-4.3# id -Z`
			`staff_u:staff_r:staff_t:s0-s0:c0.c1023`
			`sh-4.3# systemctl restart httpd`
			`Failed to restart httpd.service: Access denied`
			`See system logs and 'systemctl status httpd.service' for details.`
			`sh-4.3#`

			Now let's make it so that ``alice`` can do her job. We need to
			`update the Sudo rule to change the SELinux context::`

			`[alice@client]$ ipa sudorule-add-option sysadmin_sudo --sudooption type=unconfined_t`
			`-------------------------------------------------------------`
			`Added option "type=unconfined_t" to Sudo Rule "sysadmin_sudo"`
			`-------------------------------------------------------------`
			`Rule name: sysadmin_sudo`
			`Enabled: TRUE`
			`Host category: all`
			`Command category: all`
			`RunAs User category: all`
			`RunAs Group category: all`
			`Sudo Option: type=unconfined_t`
			`[alice@client]$ ipa sudorule-add-option sysadmin_sudo --sudooption role=unconfined_r`
			`-------------------------------------------------------------`
			`Added option "role=unconfined_r" to Sudo Rule "sysadmin_sudo"`
			`-------------------------------------------------------------`
			`Rule name: sysadmin_sudo`
			`Enabled: TRUE`
			`Host category: all`
			`Command category: all`
			`RunAs User category: all`
			`RunAs Group category: all`
			`Sudo Option: type=unconfined_t, role=unconfined_r`

			Now when ``alice`` runs ``sudo`` it changes the SELinux context of
			`the program being run::`

			`[alice@client]$ sudo -s`
			`sh-4.3# id -Z`
			`staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023`
			`sh-4.3# systemctl restart httpd`
			`sh-4.3#`