Bug 766000 – [RFE]Add support for central management of the SELinux user mappings

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 766000 - [RFE]Add support for central management of the SELinux user mappings

Summary:	[RFE]Add support for central management of the SELinux user mappings

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	sssd (Show other bugs)
Sub Component:
Version:	6.1
Hardware:	Unspecified Unspecified

Priority	high Severity unspecified
Target Milestone:	rc
Target Release:	---
Assigned To:	Jakub Hrozek
QA Contact:	Kaushik Banerjee
Docs Contact:

URL:
Whiteboard:
Keywords:	FutureFeature

Depends On:	843814 848751 855889
Blocks:	736854
	Show dependency tree / graph

Reported:	2011-12-09 15:28 EST by Dmitri Pal
Modified:	2013-02-21 04:34 EST (History)
CC List:	5 users (show)

See Also:
Fixed In Version:	sssd-1.9.1-1.el6
Doc Type:	Enhancement
Doc Text:	Cause: Enterprises could benefit from having a centralized store of SELinux mappings that would define which user gets which context after logging to a certain machine Consequence: Administrators were forced to distribute SELinux mappings via other means which was error prone Change: The SSSD is able to read mappings from an IPA server, process them according to a defined algorithm and select the appropriate SELinux context which is later consumed by pam_selinux. Result: The IPA server administrator is able to centrally define SELInux context mappings and the IPA clients would process the mappings when a user logs in using his IPA credentials.
Story Points:	---
Clone Of:
Environment:
Last Closed:	2013-02-21 04:34:42 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2013:0508	normal	SHIPPED_LIVE	Low: sssd security, bug fix and enhancement update	2013-02-20 16:30:10 EST

Groups: None (edit)

Description Dmitri Pal 2011-12-09 15:28:52 EST

This is a tracking bug for this feature on the SSSD side.

https://fedorahosted.org/freeipa/wiki/SELinux-integration
http://www.freeipa.org/page/Integration_with_SELinux#pam_ipa_and_PAM_Responder
http://www.freeipa.org/page/Integration_with_SELinux#pam_selinux 
http://freeipa.org/page/SELinux_user_mapping (mostly server side design)

Upstream ticket: https://fedorahosted.org/sssd/ticket/794

Comment 1 RHEL Product and Program Management 2012-07-10 03:07:11 EDT

This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 2 RHEL Product and Program Management 2012-07-10 22:03:04 EDT

This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development.  This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4.

Comment 4 Kaleem 2012-11-29 03:26:41 EST

Verified.

SSSD and IPA-Server version:
============================
[root@rhel64master ~]# rpm -q sssd ipa-server
sssd-1.9.2-21.el6.x86_64
ipa-server-3.0.0-8.el6.x86_64
[root@rhel64master ~]#

Steps used to verify:
=====================
(1)Added a selinuxusermap rule for selinux user context "staff_u:s0-s0:c0.c1023" for "user1" on host "rhel64client1.testrelm.com".
[root@rhel64master ~]# ipa selinuxusermap-show selinuxusermaprule1 --all
  dn: ipaUniqueID=85bad5b8-39f5-11e2-9848-5254005d451f,cn=usermap,cn=selinux,dc=testrelm,dc=com
  Rule name: selinuxusermaprule1
  SELinux User: staff_u:s0-s0:c0.c1023
  Enabled: TRUE
  Users: user1
  Hosts: rhel64client1.testrelm.com
  ipauniqueid: 85bad5b8-39f5-11e2-9848-5254005d451f
  objectclass: ipaassociation, ipaselinuxusermap
[root@rhel64master ~]# 

(2)selinux user context for "user1" on rhel64client1.testrelm.com(staff_u) and rhel64client2.testrelm.com(unconfined_u)
[root@rhel64master ~]# echo xxxxxxxxxx|kinit user1
Password for user1@TESTRELM.COM: 
[root@rhel64master ~]# ssh -l user1 rhel64client1.testrelm.com id -Z
staff_u:staff_r:staff_t:s0-s0:c0.c1023
[root@rhel64master ~]# ssh -l user1 rhel64client2.testrelm.com id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@rhel64master ~]# 

(3)Default selinux user context for user2 which is not added in selinuxusermap rule
[root@rhel64master ~]# echo xxxxxxxxx|kinit user2
Password for user1@TESTRELM.COM: 
[root@rhel64master ~]# ssh -l user2 rhel64client1.testrelm.com id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@rhel64master ~]# ssh -l user2 rhel64client2.testrelm.com id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@rhel64master ~]#

Comment 5 errata-xmlrpc 2013-02-21 04:34:42 EST

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0508.html

Note You need to log in before you can comment on or make changes to this bug.