On Wed, Mar 05, 2014 at 07:42:36AM -0500, Josh wrote:
> I'm trying to use selinuxusermap to configure the SELinux role that
> users are assigned when they log in to systems. I have a
> question of what algorithm is used to determine which rule wins when
> multiple match.
>
> My current setup is:
>
> ipa selinuxusermap-add staff_u --selinuxuser=staff_u:s0-s0:c0.c1023
> ipa selinuxusermap-add resadm_u --selinuxuser=resadm_u:s0-s0:c0.c1023
> ipa selinuxusermap-add-host staff_u --hostgroups=targeted
> ipa selinuxusermap-add-host resadm_u --hostgroups=targeted
> ipa selinuxusermap-add-user staff_u --groups=wheel
> ipa selinuxusermap-add-user resadm_u --groups=somegroup
>
> ipa user-add jokajak --first=Joka --last=Jak --email=joka...@gmail.com
> ipa group-add-member wheel --users=jokajak
> ipa group-add-member somegroup --users=jokajak
>
> My current scenario is:
>
> When I log in to a system I am assigned the resadm role but I would
> like to be assigned the staff_u role. I tried naming the
> selinuxusermap ZZ_resadm_u and 99_resadm_u but that had no effect.
>
> Any recommendations?
>
> Thanks,
> -josh

I think you need to modify the ordering (with ipa config-mod) so that staff_u is higher priority than resadm. See http://www.freeipa.org/page/SELinux_user_mapping#Evaluation