RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 766000 - [RFE]Add support for central management of the SELinux user mappings
Summary: [RFE]Add support for central management of the SELinux user mappings
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.1
Hardware: Unspecified
OS: Unspecified
high
unspecified
Target Milestone: rc
: ---
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On: 843814 848751 855889
Blocks: 736854
TreeView+ depends on / blocked
 
Reported: 2011-12-09 20:28 UTC by Dmitri Pal
Modified: 2020-05-02 16:18 UTC (History)
5 users (show)

Fixed In Version: sssd-1.9.1-1.el6
Doc Type: Enhancement
Doc Text:
Cause: Enterprises could benefit from having a centralized store of SELinux mappings that would define which user gets which context after logging to a certain machine Consequence: Administrators were forced to distribute SELinux mappings via other means which was error prone Change: The SSSD is able to read mappings from an IPA server, process them according to a defined algorithm and select the appropriate SELinux context which is later consumed by pam_selinux. Result: The IPA server administrator is able to centrally define SELInux context mappings and the IPA clients would process the mappings when a user logs in using his IPA credentials.
Clone Of:
Environment:
Last Closed: 2013-02-21 09:34:42 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github SSSD sssd issues 1836 0 None closed Manage SELinux users centrally 2020-05-02 16:18:37 UTC
Red Hat Product Errata RHSA-2013:0508 0 normal SHIPPED_LIVE Low: sssd security, bug fix and enhancement update 2013-02-20 21:30:10 UTC

Description Dmitri Pal 2011-12-09 20:28:52 UTC 
This is a tracking bug for this feature on the SSSD side.

https://fedorahosted.org/freeipa/wiki/SELinux-integration
http://www.freeipa.org/page/Integration_with_SELinux#pam_ipa_and_PAM_Responder
http://www.freeipa.org/page/Integration_with_SELinux#pam_selinux 
http://freeipa.org/page/SELinux_user_mapping (mostly server side design)

Upstream ticket: https://fedorahosted.org/sssd/ticket/794
Comment 1 RHEL Program Management 2012-07-10 07:07:11 UTC 
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.
Comment 2 RHEL Program Management 2012-07-11 02:03:04 UTC 
This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development.  This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4.
Comment 4 Kaleem 2012-11-29 08:26:41 UTC 
Verified.

SSSD and IPA-Server version:
============================
[root@rhel64master ~]# rpm -q sssd ipa-server
sssd-1.9.2-21.el6.x86_64
ipa-server-3.0.0-8.el6.x86_64
[root@rhel64master ~]#

Steps used to verify:
=====================
(1)Added a selinuxusermap rule for selinux user context "staff_u:s0-s0:c0.c1023" for "user1" on host "rhel64client1.testrelm.com".
[root@rhel64master ~]# ipa selinuxusermap-show selinuxusermaprule1 --all
  dn: ipaUniqueID=85bad5b8-39f5-11e2-9848-5254005d451f,cn=usermap,cn=selinux,dc=testrelm,dc=com
  Rule name: selinuxusermaprule1
  SELinux User: staff_u:s0-s0:c0.c1023
  Enabled: TRUE
  Users: user1
  Hosts: rhel64client1.testrelm.com
  ipauniqueid: 85bad5b8-39f5-11e2-9848-5254005d451f
  objectclass: ipaassociation, ipaselinuxusermap
[root@rhel64master ~]# 

(2)selinux user context for "user1" on rhel64client1.testrelm.com(staff_u) and rhel64client2.testrelm.com(unconfined_u)
[root@rhel64master ~]# echo xxxxxxxxxx|kinit user1
Password for user1: 
[root@rhel64master ~]# ssh -l user1 rhel64client1.testrelm.com id -Z
staff_u:staff_r:staff_t:s0-s0:c0.c1023
[root@rhel64master ~]# ssh -l user1 rhel64client2.testrelm.com id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@rhel64master ~]# 

(3)Default selinux user context for user2 which is not added in selinuxusermap rule
[root@rhel64master ~]# echo xxxxxxxxx|kinit user2
Password for user1: 
[root@rhel64master ~]# ssh -l user2 rhel64client1.testrelm.com id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@rhel64master ~]# ssh -l user2 rhel64client2.testrelm.com id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@rhel64master ~]#
Comment 5 errata-xmlrpc 2013-02-21 09:34:42 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0508.html
Note You need to log in before you can comment on or make changes to this bug.