{"id":336,"date":"2012-09-05T18:03:49","date_gmt":"2012-09-05T23:03:49","guid":{"rendered":"https:\/\/www.soljerome.com\/blog\/?p=336"},"modified":"2012-09-08T14:00:56","modified_gmt":"2012-09-08T19:00:56","slug":"confining-ldap-users-using-selinux","status":"publish","type":"post","link":"https:\/\/www.soljerome.com\/blog\/2012\/09\/05\/confining-ldap-users-using-selinux\/","title":{"rendered":"Confining LDAP users using SELinux"},"content":{"rendered":"<p>This post will guide you through a simple setup to confine users defined in LDAP using <a href=\"http:\/\/en.wikipedia.org\/wiki\/Security-Enhanced_Linux\" target=\"_blank\">Security-Enhanced Linux<\/a>. SELinux on RHEL6\/Debian Wheezy comes with confined user roles which allow quick and easy setup for restricting users who are given access to your machines.<\/p>\n<pre>\r\n# semanage login -l\r\n\r\nLogin Name                SELinux User              MLS\/MCS Range            \r\n\r\n__default__               unconfined_u              s0-s0:c0.c1023           \r\nroot                      unconfined_u              s0-s0:c0.c1023           \r\nsystem_u                  system_u                  s0-s0:c0.c1023\r\n<\/pre>\n<p>Looking at these default roles, you can see that not a whole lot is restricted on a cleanly-installed machine. Unfortunately, this means that any users you add will be logging in with an <strong>unconfined_r<\/strong> role, which essentially delegates access controls to systems other than SELinux.<\/p>\n<p>Depending on the role that this machine will play in your organization, you probably want to set the default to something other than unconfined_u. The various default SELinux users can be found in <code>\/etc\/selinux\/targeted\/contexts\/users\/<\/code>.<\/p>\n<pre>\r\n# ls -l \/etc\/selinux\/targeted\/contexts\/users\/\r\ntotal 24\r\n-rw-r--r--. 1 root root 253 Jun 18 09:01 guest_u\r\n-rw-r--r--. 1 root root 389 Jun 18 09:01 root\r\n-rw-r--r--. 
1 root root 514 Jun 18 09:01 staff_u\r\n-rw-r--r--. 1 root root 578 Jun 18 09:01 unconfined_u\r\n-rw-r--r--. 1 root root 353 Jun 18 09:01 user_u\r\n-rw-r--r--. 1 root root 307 Jun 18 09:01 xguest_u\r\n<\/pre>\n<p>For our purposes, we&#8217;ll go ahead and set the __default__ selinux user to user_u. To do this, you simply run <code>semanage login -m -s user_u -r s0 __default__<\/code>. You can see the change below.<\/p>\n<pre>\r\n# semanage login -l\r\n\r\nLogin Name                SELinux User              MLS\/MCS Range            \r\n\r\n__default__               user_u                    s0                       \r\nroot                      unconfined_u              s0-s0:c0.c1023           \r\nsystem_u                  system_u                  s0-s0:c0.c1023\r\n<\/pre>\n<p>Now, any user who does not have an explicit entry in the output above will be confined to user_u. Great! So, what about potential privileged users who may need sudo access? The user_u profile is inadequate for these types of users as it&#8217;s very restrictive. A more appropriate role would be something like staff_u. My user account only exists in LDAP.<\/p>\n<pre>\r\n# grep -c solj \/etc\/passwd\r\n0\r\n# getent passwd solj\r\nsolj:*:1000:2000:Sol Jerome:\/home\/solj:\/bin\/bash\r\n<\/pre>\n<p>This is okay. The first thing to do is add a login mapping for the user.<\/p>\n<pre>\r\nsemanage login -a -s staff_u solj\r\n<\/pre>\n<p>Now, logging in as that user should give you the proper security context.<\/p>\n<pre>\r\n$ id\r\nuid=1000(solj) gid=2000(sysadmin) groups=2000(sysadmin) context=staff_u:staff_r:staff_t:s0-s0:c0.c1023\r\n<\/pre>\n<p>Okay, now the last part is to give this person sudo access. My sudo configuration resides in <a href=\"https:\/\/www.soljerome.com\/blog\/2012\/05\/03\/installing-openldap-on-rhel6\/\" title=\"Installing OpenLDAP on RHEL6\" target=\"_blank\">LDAP<\/a>. 
Therefore, I will need to add 2 new sudoOptions in order to allow my user to transition properly to sysadm_r:sysadm_t. The following is an example of the type of errors you will see if these options are not present.<\/p>\n<pre>\r\n$ sudo -i\r\n-bash: \/root\/.bash_profile: Permission denied\r\n-bash-4.1#\r\n<\/pre>\n<p>The correct sudoers entry should look like the following.<\/p>\n<pre>\r\ncn=solj,ou=sudoers,dc=example,dc=com\r\ncn: solj\r\nobjectClass: sudoRole\r\nobjectClass: top\r\nsudoHost: ALL\r\nsudoRunAs: ALL\r\nsudoUser: solj\r\nsudoCommand: ALL\r\nsudoOption: role=sysadm_r\r\nsudoOption: type=sysadm_t\r\n<\/pre>\n<p>And now when I run sudo, I am able to transition no problem.<\/p>\n<pre>\r\n$ sudo -i\r\n# id\r\nuid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>This post will guide you through a simple setup to confine users defined in LDAP using Security-Enhanced Linux. SELinux on RHEL6\/Debian Wheezy comes with confined user roles which allows quick and easy setup for restricting users who are given access to your machines. 
# semanage login -l Login Name SELinux User MLS\/MCS Range __default__ unconfined_u <a href='https:\/\/www.soljerome.com\/blog\/2012\/09\/05\/confining-ldap-users-using-selinux\/' class='excerpt-more'>[&#8230;]<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[20,22],"tags":[],"_links":{"self":[{"href":"https:\/\/www.soljerome.com\/blog\/wp-json\/wp\/v2\/posts\/336"}],"collection":[{"href":"https:\/\/www.soljerome.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.soljerome.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.soljerome.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.soljerome.com\/blog\/wp-json\/wp\/v2\/comments?post=336"}],"version-history":[{"count":6,"href":"https:\/\/www.soljerome.com\/blog\/wp-json\/wp\/v2\/posts\/336\/revisions"}],"predecessor-version":[{"id":342,"href":"https:\/\/www.soljerome.com\/blog\/wp-json\/wp\/v2\/posts\/336\/revisions\/342"}],"wp:attachment":[{"href":"https:\/\/www.soljerome.com\/blog\/wp-json\/wp\/v2\/media?parent=336"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.soljerome.com\/blog\/wp-json\/wp\/v2\/categories?post=336"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.soljerome.com\/blog\/wp-json\/wp\/v2\/tags?post=336"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}