Bug 766000

Summary: [RFE]Add support for central management of the SELinux user mappings
Product: Red Hat Enterprise Linux 6 Reporter: Dmitri Pal <dpal>
Component: sssdAssignee: Jakub Hrozek <jhrozek>
Status: CLOSED ERRATA QA Contact: Kaushik Banerjee <kbanerje>
Severity: unspecified Docs Contact:
Priority: high    
Version: 6.1CC: grajaiya, jgalipea, kchamart, ksiddiqu, prc
Target Milestone: rcKeywords: FutureFeature
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: sssd-1.9.1-1.el6 Doc Type: Enhancement
Doc Text:
Cause: Enterprises could benefit from having a centralized store of SELinux mappings that would define which user gets which context after logging to a certain machine Consequence: Administrators were forced to distribute SELinux mappings via other means which was error prone Change: The SSSD is able to read mappings from an IPA server, process them according to a defined algorithm and select the appropriate SELinux context which is later consumed by pam_selinux. Result: The IPA server administrator is able to centrally define SELInux context mappings and the IPA clients would process the mappings when a user logs in using his IPA credentials.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2013-02-21 09:34:42 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 843814, 848751, 855889    
Bug Blocks: 736854    

Description Dmitri Pal 2011-12-09 20:28:52 UTC 
This is a tracking bug for this feature on the SSSD side.

https://fedorahosted.org/freeipa/wiki/SELinux-integration
http://www.freeipa.org/page/Integration_with_SELinux#pam_ipa_and_PAM_Responder
http://www.freeipa.org/page/Integration_with_SELinux#pam_selinux 
http://freeipa.org/page/SELinux_user_mapping (mostly server side design)

Upstream ticket: https://fedorahosted.org/sssd/ticket/794
Comment 1 RHEL Program Management 2012-07-10 07:07:11 UTC 
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.
Comment 2 RHEL Program Management 2012-07-11 02:03:04 UTC 
This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development.  This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4.
Comment 4 Kaleem 2012-11-29 08:26:41 UTC 
Verified.

SSSD and IPA-Server version:
============================
[root@rhel64master ~]# rpm -q sssd ipa-server
sssd-1.9.2-21.el6.x86_64
ipa-server-3.0.0-8.el6.x86_64
[root@rhel64master ~]#

Steps used to verify:
=====================
(1)Added a selinuxusermap rule for selinux user context "staff_u:s0-s0:c0.c1023" for "user1" on host "rhel64client1.testrelm.com".
[root@rhel64master ~]# ipa selinuxusermap-show selinuxusermaprule1 --all
  dn: ipaUniqueID=85bad5b8-39f5-11e2-9848-5254005d451f,cn=usermap,cn=selinux,dc=testrelm,dc=com
  Rule name: selinuxusermaprule1
  SELinux User: staff_u:s0-s0:c0.c1023
  Enabled: TRUE
  Users: user1
  Hosts: rhel64client1.testrelm.com
  ipauniqueid: 85bad5b8-39f5-11e2-9848-5254005d451f
  objectclass: ipaassociation, ipaselinuxusermap
[root@rhel64master ~]# 

(2)selinux user context for "user1" on rhel64client1.testrelm.com(staff_u) and rhel64client2.testrelm.com(unconfined_u)
[root@rhel64master ~]# echo xxxxxxxxxx|kinit user1
Password for user1: 
[root@rhel64master ~]# ssh -l user1 rhel64client1.testrelm.com id -Z
staff_u:staff_r:staff_t:s0-s0:c0.c1023
[root@rhel64master ~]# ssh -l user1 rhel64client2.testrelm.com id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@rhel64master ~]# 

(3)Default selinux user context for user2 which is not added in selinuxusermap rule
[root@rhel64master ~]# echo xxxxxxxxx|kinit user2
Password for user1: 
[root@rhel64master ~]# ssh -l user2 rhel64client1.testrelm.com id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@rhel64master ~]# ssh -l user2 rhel64client2.testrelm.com id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@rhel64master ~]#
Comment 5 errata-xmlrpc 2013-02-21 09:34:42 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0508.html