6.3. Confining Existing Linux Users: semanage login
If a Linux user is mapped to the SELinux unconfined_u user (the default behavior) and you want to change which SELinux user they are mapped to, use the semanage login command. The following example creates a new Linux user named newuser, then maps that Linux user to the SELinux user_u user. The mapping is applied when the user logs in, so a session that is already open keeps the SELinux context it was started with; the user must log out and log back in for the new mapping to take effect.
Procedure 6.2. Mapping Linux Users to the SELinux Users

- As root, create a new Linux user (newuser). Because this user uses the default mapping, it does not appear in the semanage login -l output:

  ~]# useradd newuser
  ~]# semanage login -l

  Login Name           SELinux User         MLS/MCS Range        Service

  __default__          unconfined_u         s0-s0:c0.c1023       *
  root                 unconfined_u         s0-s0:c0.c1023       *
  system_u             system_u             s0-s0:c0.c1023       *

- To map the Linux newuser user to the SELinux user_u user, enter the following command as root:

  ~]# semanage login -a -s user_u newuser

  The -a option adds a new record, and the -s option specifies the SELinux user to map a Linux user to. The last argument, newuser, is the Linux user you want mapped to the specified SELinux user. If a record for that login already exists, semanage login -a fails; use semanage login -m to modify the existing record instead.

- To view the mapping between the Linux newuser user and user_u, use the semanage utility again:

  ~]# semanage login -l

  Login Name           SELinux User         MLS/MCS Range        Service

  __default__          unconfined_u         s0-s0:c0.c1023       *
  newuser              user_u               s0                   *
  root                 unconfined_u         s0-s0:c0.c1023       *
  system_u             system_u             s0-s0:c0.c1023       *

  The MLS/MCS range of the new record is s0, which is what semanage assigns when no range is given; use the -r option to set a different range.

- As root, assign a password to the Linux newuser user:

  ~]# passwd newuser
  Changing password for user newuser.
  New password: Enter a password
  Retype new password: Enter the same password again
  passwd: all authentication tokens updated successfully.

- Log out of your current session, and log in as the Linux newuser user. Enter the following command to view newuser's SELinux context:

  ~]$ id -Z
  user_u:user_r:user_t:s0

- Log out of the Linux newuser's session, and log back in with your account. If you do not want the Linux newuser user, enter the following command as root to remove it, along with its home directory:

  ~]# userdel -r newuser

  As root, remove the mapping between the Linux newuser user and user_u:

  ~]# semanage login -d newuser
  ~]# semanage login -l

  Login Name           SELinux User         MLS/MCS Range        Service

  __default__          unconfined_u         s0-s0:c0.c1023       *
  root                 unconfined_u         s0-s0:c0.c1023       *
  system_u             system_u             s0-s0:c0.c1023       *
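The procedure above is a sequence of manual commands whose only confirmation is the semanage login -l listing. The following shell helpers are an added example, not part of the Red Hat guide: they wrap the same steps, choose between semanage login -a and -m depending on whether a record already exists, and verify the result by parsing semanage login -l back rather than trusting the exit status. The listing in SAMPLE_LOGIN_LIST is constructed to match the output shown above so the parsing helpers can be exercised offline; confine_user and unconfine_user are the live helpers and assume root privileges and an installed semanage.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: helpers around "semanage login"
# that verify a mapping by reading "semanage login -l" back.

# Constructed sample of "semanage login -l" output, used to exercise the
# parsing helpers offline. The columns match the listings in the procedure.
SAMPLE_LOGIN_LIST='Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
newuser              user_u               s0                   *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *'

# has_login_record LOGIN LISTING
# Succeeds when LISTING contains an explicit record for LOGIN.
has_login_record() {
    printf '%s\n' "$2" | awk -v l="$1" 'BEGIN { rc = 1 } $1 == l { rc = 0 } END { exit rc }'
}

# selinux_user_for LOGIN LISTING
# Prints the SELinux user LOGIN maps to. A login without an explicit record
# inherits the __default__ entry, which is why newuser is absent from the
# listing until it has been mapped.
selinux_user_for() {
    if has_login_record "$1" "$2"; then
        printf '%s\n' "$2" | awk -v l="$1" '$1 == l { print $2 }'
    else
        printf '%s\n' "$2" | awk '$1 == "__default__" { print $2 }'
    fi
}

# mls_range_for LOGIN LISTING
# Same lookup for the MLS/MCS Range column.
mls_range_for() {
    if has_login_record "$1" "$2"; then
        printf '%s\n' "$2" | awk -v l="$1" '$1 == l { print $3 }'
    else
        printf '%s\n' "$2" | awk '$1 == "__default__" { print $3 }'
    fi
}

# confine_user LOGIN [SELINUX_USER] [MLS_RANGE]
# Live helper (assumes root and the semanage tool). Adds the record with -a,
# or modifies an existing one with -m, because "semanage login -a" refuses
# to add a record that is already defined. Then re-reads the listing and
# checks both the SELinux user and the range.
confine_user() {
    login="$1"; suser="${2:-user_u}"; range="${3:-s0}"
    id "$login" >/dev/null 2>&1 || { echo "no such Linux user: $login" >&2; return 1; }
    if has_login_record "$login" "$(semanage login -l)"; then
        semanage login -m -s "$suser" -r "$range" "$login" || return 1
    else
        semanage login -a -s "$suser" -r "$range" "$login" || return 1
    fi
    listing=$(semanage login -l)
    [ "$(selinux_user_for "$login" "$listing")" = "$suser" ] &&
    [ "$(mls_range_for "$login" "$listing")" = "$range" ]
}

# unconfine_user LOGIN
# Live helper (assumes root and semanage): drops the explicit record so LOGIN
# falls back to the __default__ mapping, and confirms it is gone.
unconfine_user() {
    semanage login -d "$1" && ! has_login_record "$1" "$(semanage login -l)"
}
```

Run the live helpers as root, for example `confine_user newuser user_u s0` after `useradd newuser`, and `unconfine_user newuser` before `userdel -r newuser`. The verification step matters because a mapping that was added with the wrong SELinux user or range still exits 0; checking the listing catches a typo in the -s or -r argument before the user's next login.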