[Freeipa-users] selinuxusermap prioritization

Jakub Hrozek jhrozek at redhat.com
Wed Mar 5 13:39:53 UTC 2014


On Wed, Mar 05, 2014 at 07:42:36AM -0500, Josh wrote:
> I'm trying to use selinuxusermap to configure the SELinux role that
> users are assigned when they log in to systems.  I have a
> question about what algorithm is used to determine which rule wins when
> multiple match.
> 
> My current setup is:
> 
> ipa selinuxusermap-add staff_u  --selinuxuser=staff_u:s0-s0:c0.c1023
> ipa selinuxusermap-add resadm_u  --selinuxuser=resadm_u:s0-s0:c0.c1023
> ipa selinuxusermap-add-host staff_u --hostgroups=targeted
> ipa selinuxusermap-add-host resadm_u --hostgroups=targeted
> ipa selinuxusermap-add-user staff_u --groups=wheel
> ipa selinuxusermap-add-user resadm_u --groups=somegroup
> 
> ipa user-add jokajak --first=Joka --last=Jak --email=jokajak at gmail.com
> ipa group-add-member wheel --users=jokajak
> ipa group-add-member somegroup --users=jokajak
> 
> My current scenario is:
> 
> When I log in to a system I am assigned the resadm role but I would
> like to be assigned the staff_u role.  I tried naming the
> selinuxusermap ZZ_resadm_u and 99_resadm_u but that had no effect.
> 
> Any recommendations?
> 
> Thanks,
> -josh

I think you need to modify the ordering (with ipa config-mod) so that
staff_u is higher priority than resadm.

See http://www.freeipa.org/page/SELinux_user_mapping#Evaluation
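The evaluation the reply points to, written out as an added Python illustration (not FreeIPA or SSSD code): the rule's name is never consulted, so renaming a map "ZZ_" or "99_" does nothing; only the position of the map's SELinux user in the ipaselinuxusermaporder string decides the winner. The data below reconstructs Josh's setup from the thread; the assumptions are that later entries in the order string carry higher priority and that a map whose SELinux user is absent from the order is skipped.

```python
"""How one SELinux user is chosen when several selinuxusermap rules match.
Added illustration of the FreeIPA evaluation order, not the project's own code."""
from dataclasses import dataclass, field


@dataclass
class SELinuxUserMap:
    name: str                 # rule name, e.g. "staff_u" or "ZZ_resadm_u" (never used for ranking)
    selinuxuser: str          # e.g. "staff_u:s0-s0:c0.c1023"
    groups: set = field(default_factory=set)      # --groups of selinuxusermap-add-user
    hostgroups: set = field(default_factory=set)  # --hostgroups of selinuxusermap-add-host

    def matches(self, user_groups, host_groups):
        # Assumption: the rule applies when the login user is in one of its
        # user groups AND the target host is in one of its host groups.
        return bool(self.groups & user_groups) and bool(self.hostgroups & host_groups)


def resolve_selinux_user(order, maps, user_groups, host_groups, default):
    """order: the '$'-separated ipaselinuxusermaporder value from `ipa config-show`.
    Assumption: entries later in the string have higher priority."""
    ranked = order.split("$")
    winner = None
    for m in maps:
        if not m.matches(user_groups, host_groups):
            continue
        if m.selinuxuser not in ranked:
            continue  # assumption: a map with an unlisted SELinux user is ignored
        if winner is None or ranked.index(m.selinuxuser) > ranked.index(winner):
            winner = m.selinuxuser
    return winner if winner is not None else default


# Constructed data mirroring the thread: both rules target hostgroup "targeted",
# and jokajak is a member of both wheel and somegroup, so both rules match.
MAPS = [
    SELinuxUserMap("staff_u", "staff_u:s0-s0:c0.c1023", {"wheel"}, {"targeted"}),
    SELinuxUserMap("ZZ_resadm_u", "resadm_u:s0-s0:c0.c1023", {"somegroup"}, {"targeted"}),
]
JOKAJAK_GROUPS = {"wheel", "somegroup"}
HOST_GROUPS = {"targeted"}
DEFAULT_USER = "unconfined_u:s0-s0:c0.c1023"

# Two constructed order strings: only the relative position of staff_u and resadm_u differs.
ORDER_RESADM_WINS = "guest_u:s0$staff_u:s0-s0:c0.c1023$resadm_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023"
ORDER_STAFF_WINS = "guest_u:s0$resadm_u:s0-s0:c0.c1023$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023"

if __name__ == "__main__":
    for label, order in (("resadm first", ORDER_RESADM_WINS), ("staff first", ORDER_STAFF_WINS)):
        print(label, "->", resolve_selinux_user(order, MAPS, JOKAJAK_GROUPS, HOST_GROUPS, DEFAULT_USER))
```

With the second order string the login gets staff_u; a user matching no rule (for example someone outside both groups) falls back to the configured default.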
