#2143 [RFE] SELinux user map test tool
Opened 12 years ago by rcritten. Modified 7 years ago

Ticket https://fedorahosted.org/freeipa/ticket/755 defines a method for mapping IPA users to SELinux contexts. A user may map to a different context on different machines, and via groups and hostgroups may have several possible selinux contexts on a given machine (only one is assigned, based on priority and specificity of the rules).

A test module is needed to be able to determine in advance what context would be given to a user and host.


Moving to next month iteration.

I plan to make this similar to HBAC testing but each rule won't evaluate to a True/False, it will evaluate to a score. We take all the highest scores and from those rules pick the highest context.

The evaluation is host > hostgroup > hostcat = all, user > group < usercat = all.

I think I'll assign a number value to each matching option and sum them up so I can compare one rule to another.

I haven't considered how output will be handled yet. The HBAC test has optional details which show how the rules evaluate. I can probably print the score and the context for each rule and then a final value.
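As an added illustration of the scoring scheme sketched in the comment above (this is not code from the ticket or from FreeIPA; the numeric weights, the context precedence list, the `Rule` model and the sample rules are all assumptions), the evaluator scores each rule, keeps the top-scoring ones and picks the highest context among them:

```python
from dataclasses import dataclass, field
# Weights (direct, group, category=all) are an assumption; the ticket only fixes the ordering.
HOST_WEIGHTS = (3, 2, 1)   # host > hostgroup > hostcat=all
USER_WEIGHTS = (3, 2, 1)   # user > group > usercat=all
# Constructed precedence list, lowest to highest (assumption, not IPA's stored order).
CONTEXT_ORDER = ["guest_u:s0", "xguest_u:s0", "user_u:s0",
                 "staff_u:s0-s0:c0.c1023", "unconfined_u:s0-s0:c0.c1023"]

@dataclass
class Rule:  # hypothetical model of one SELinux user map rule
    name: str
    context: str
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    usercat_all: bool = False
    hosts: set = field(default_factory=set)
    hostgroups: set = field(default_factory=set)
    hostcat_all: bool = False

def side_score(direct, via_groups, cat_all, name, memberships, weights):
    """Weight of the most specific option on one side that matches, or None."""
    if name in direct:
        return weights[0]
    if via_groups & memberships:
        return weights[1]
    return weights[2] if cat_all else None

def score_rule(rule, user, groups, host, hostgroups):
    """Sum of the user and host sides, or None when either side does not match."""
    h = side_score(rule.hosts, rule.hostgroups, rule.hostcat_all, host, hostgroups, HOST_WEIGHTS)
    u = side_score(rule.users, rule.groups, rule.usercat_all, user, groups, USER_WEIGHTS)
    return None if h is None or u is None else h + u

def evaluate(rules, user, groups, host, hostgroups):
    """Return (winning context or None, [(rule name, score, context), ...]) for user on host."""
    details = [(r.name, score_rule(r, user, groups, host, hostgroups), r.context) for r in rules]
    scored = [(s, c) for _, s, c in details if s is not None]
    if not scored:
        return None, details
    best = max(s for s, _ in scored)
    # Among the top-scoring rules, the highest-precedence context wins (ties resolved here).
    return max((c for s, c in scored if s == best), key=CONTEXT_ORDER.index), details

# Constructed sample rules (not from the ticket).
RULES = [
    Rule("staff-on-web1", "staff_u:s0-s0:c0.c1023", users={"alice"}, hosts={"web1"}),
    Rule("devs-anywhere", "user_u:s0", groups={"devs"}, hostcat_all=True),
    Rule("devs-anywhere-staff", "staff_u:s0-s0:c0.c1023", groups={"devs"}, hostcat_all=True),
    Rule("devs-on-webservers", "unconfined_u:s0-s0:c0.c1023", groups={"devs"}, hostgroups={"webservers"}),
    Rule("everyone-guest", "guest_u:s0", usercat_all=True, hostcat_all=True),
]
```

The second element of `evaluate`'s result is the per-rule detail list (score `None` means the rule did not match), which is the kind of optional detail output the comment mentions.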

Was trying to compare my implementation to sssd and discovered the user mapping isn't working.

The /etc/selinux/targeted/logins directory wasn't created/owned by selinux-policy. I filed this against F-17: https://bugzilla.redhat.com/show_bug.cgi?id=824999

SSSD isn't creating the map file correctly, it is missing the service. Filed ticket https://fedorahosted.org/sssd/ticket/1360

Moving to next month iteration.

Have a working sssd build in sssd-1.8.93-0.20120618T1837Zgitbb79e75.fc17

It works only when a single map matches. Otherwise the formatting is still wrong, and in fact it writes out multiple contexts.

Putting into needs triage. It should belong to 3.3 Backlog.

Metadata Update from @rcritten:
- Issue assigned to rcritten
- Issue set to the milestone: Future Releases

7 years ago
