This post will guide you through a simple setup to confine users defined in LDAP using Security-Enhanced Linux. SELinux on RHEL6/Debian Wheezy comes with confined user roles which allow a quick and easy setup for restricting users who are given access to your machines.
# semanage login -l

Login Name           SELinux User         MLS/MCS Range
__default__          unconfined_u         s0-s0:c0.c1023
root                 unconfined_u         s0-s0:c0.c1023
system_u             system_u             s0-s0:c0.c1023
Looking at these default mappings, you can see that not a whole lot is restricted on a cleanly-installed machine. Unfortunately, this means that any users you add will be logging in with the unconfined_r role, which essentially delegates access control to mechanisms other than SELinux.
Depending on the role that this machine will play in your organization, you probably want to set the default to something other than unconfined_u. The various default SELinux users can be found in /etc/selinux/targeted/contexts/users/.
# ls -l /etc/selinux/targeted/contexts/users/
total 24
-rw-r--r--. 1 root root 253 Jun 18 09:01 guest_u
-rw-r--r--. 1 root root 389 Jun 18 09:01 root
-rw-r--r--. 1 root root 514 Jun 18 09:01 staff_u
-rw-r--r--. 1 root root 578 Jun 18 09:01 unconfined_u
-rw-r--r--. 1 root root 353 Jun 18 09:01 user_u
-rw-r--r--. 1 root root 307 Jun 18 09:01 xguest_u
For our purposes, we'll go ahead and set the __default__ SELinux user to user_u. To do this, you simply run

semanage login -m -s user_u -r s0 __default__

You can see the change below.
# semanage login -l

Login Name           SELinux User         MLS/MCS Range
__default__          user_u               s0
root                 unconfined_u         s0-s0:c0.c1023
system_u             system_u             s0-s0:c0.c1023
Now, any user who does not have an explicit entry in the output above will be confined to user_u. Great! So, what about potential privileged users who may need sudo access? The user_u profile is inadequate for these types of users as it's very restrictive. A more appropriate SELinux user would be something like staff_u. My user account only exists in LDAP.
# grep -c solj /etc/passwd
0
# getent passwd solj
solj:*:1000:2000:Sol Jerome:/home/solj:/bin/bash
This is okay. The first thing to do is add a login mapping for the user.
semanage login -a -s staff_u solj
Now, logging in as that user should give you the proper security context.
$ id
uid=1000(solj) gid=2000(sysadmin) groups=2000(sysadmin) context=staff_u:staff_r:staff_t:s0-s0:c0.c1023
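Once the default has been moved to user_u and the administrators mapped to staff_u, it is worth checking that nobody is still mapped to unconfined_u by accident. The script below is an added example, not part of the original post: it audits a `semanage login -l` table (the constructed sample reproduces the mappings from this post, plus the solj entry) and flags remaining unconfined_u logins and an unconfined __default__. It assumes the first two columns are the login name and the SELinux user, as in the output shown above; on a real host pass `"$(semanage login -l)"` instead of the sample.

```shell
#!/bin/sh
# Added example, not from the original post: audit the login mappings that
# `semanage login -l` prints and flag every login still mapped to unconfined_u.
# On a real host feed the live table in with:
#   audit_unconfined "$(semanage login -l)"
# Assumption: the first two columns are login name and SELinux user, which is
# the layout shown in the post.

# Constructed sample: the mapping table after __default__ was moved to user_u
# and solj was mapped to staff_u. root is still unconfined_u.
SAMPLE_LOGINS='Login Name           SELinux User         MLS/MCS Range
__default__          user_u               s0
root                 unconfined_u         s0-s0:c0.c1023
solj                 staff_u              s0-s0:c0.c1023
system_u             system_u             s0-s0:c0.c1023'

# Print the login names whose SELinux user is unconfined_u, one per line.
# The header line never matches the second-column test, so it needs no
# special handling.
audit_unconfined() {
    printf '%s\n' "$1" | awk '$2 == "unconfined_u" { print $1 }'
}

# Return 0 when the __default__ mapping exists and is not unconfined_u,
# 1 when it is unconfined_u or missing from the table entirely.
default_is_confined() {
    printf '%s\n' "$1" | awk '
        $1 == "__default__" { found = 1; status = ($2 == "unconfined_u") ? 1 : 0 }
        END { if (!found) exit 1; exit status }'
}

# Stand-alone run: report on the constructed sample.
if default_is_confined "$SAMPLE_LOGINS"; then
    echo "__default__ is confined"
else
    echo "WARNING: __default__ is unconfined_u or has no mapping"
fi
echo "logins still mapped to unconfined_u:"
audit_unconfined "$SAMPLE_LOGINS"
```

On the sample, root is the only remaining unconfined_u login, which matches the post's choice of leaving root alone; the check is meant to be rerun after every semanage change so that a later `-a` with the wrong `-s` does not go unnoticed.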
Okay, now the last part is to give this person sudo access. My sudo configuration resides in LDAP. Therefore, I will need to add two new sudoOption values in order to allow my user to transition properly to sysadm_r:sysadm_t. The following is an example of the type of errors you will see if these options are not present.
$ sudo -i
-bash: /root/.bash_profile: Permission denied
-bash-4.1#
The correct sudoers entry should look like the following.
cn=solj,ou=sudoers,dc=example,dc=com
cn: solj
objectClass: sudoRole
objectClass: top
sudoHost: ALL
sudoRunAs: ALL
sudoUser: solj
sudoCommand: ALL
sudoOption: role=sysadm_r
sudoOption: type=sysadm_t
And now when I run sudo, I am able to transition no problem.
$ sudo -i
# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
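Because the role= and type= options only matter once a user is confined, a sudoRole that lacks them keeps working for unconfined_u accounts and only breaks, as shown with the .bash_profile error above, for staff_u accounts. The script below is an added example, not from the original post, that reads a dump of sudoRole entries (standard LDIF with a dn: line, which the listing above omits) and lists every role that is missing either option. The solj entry is the one from this post; the second entry, "ops", is a constructed failing record.

```shell
#!/bin/sh
# Added example, not from the original post: check an LDIF dump of sudoRole
# entries (for instance from `ldapsearch -LLL`) and list every role that lacks
# the SELinux role= or type= sudoOption needed for staff_u users to transition.
# The "ops" entry below is a hypothetical, constructed failing record.

SAMPLE_LDIF='dn: cn=solj,ou=sudoers,dc=example,dc=com
cn: solj
objectClass: sudoRole
objectClass: top
sudoHost: ALL
sudoRunAs: ALL
sudoUser: solj
sudoCommand: ALL
sudoOption: role=sysadm_r
sudoOption: type=sysadm_t

dn: cn=ops,ou=sudoers,dc=example,dc=com
cn: ops
objectClass: sudoRole
objectClass: top
sudoHost: ALL
sudoRunAs: ALL
sudoUser: %ops
sudoCommand: ALL'

# Print the cn of each sudoRole entry that is missing role= or type=, one per
# line. LDIF records are separated by blank lines, so awk paragraph mode
# (RS = "") reads one entry per record and FS = "\n" makes every attribute
# line a field. Entries that are not sudoRole objects are ignored.
sudo_roles_missing_selinux() {
    printf '%s\n' "$1" | awk '
        BEGIN { RS = ""; FS = "\n" }
        {
            is_role = 0; has_role = 0; has_type = 0; cn = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "objectClass: sudoRole")      is_role = 1
                else if ($i ~ /^cn: /)                  cn = substr($i, 5)
                else if ($i ~ /^sudoOption: role=/)     has_role = 1
                else if ($i ~ /^sudoOption: type=/)     has_type = 1
            }
            if (is_role && !(has_role && has_type)) print cn
        }'
}

# Stand-alone run: report on the constructed sample.
echo "sudoRole entries that will not transition a staff_u user:"
sudo_roles_missing_selinux "$SAMPLE_LDIF"
```

Only a sudo built with SELinux support honours role= and type=, so a clean result from this check still assumes the hosts run such a build, as the RHEL6 and Wheezy packages do.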