6.3. Confining Existing Linux Users: semanage login
If a Linux user is mapped to the SELinux unconfined_u user (the default behavior, inherited from the __default__ record) and you would like to change which SELinux user they are mapped to, use the semanage login command. A mapping set this way is applied when a new login session starts; sessions that are already open keep the context they were started with. The following example creates a new Linux user named newuser, then maps that Linux user to the SELinux user_u user:

1. As the Linux root user, run the useradd newuser command to create a new Linux user (newuser). Since this user uses the default mapping, it does not appear in the semanage login -l output:

       ~]# useradd newuser
       ~]# semanage login -l

       Login Name           SELinux User         MLS/MCS Range

       __default__          unconfined_u         s0-s0:c0.c1023
       root                 unconfined_u         s0-s0:c0.c1023
       system_u             system_u             s0-s0:c0.c1023

2. To map the Linux newuser user to the SELinux user_u user, run the following command as the Linux root user:

       ~]# semanage login -a -s user_u newuser

   The -a option adds a new record, and the -s option specifies the SELinux user to map a Linux user to. The last argument, newuser, is the Linux user you want mapped to the specified SELinux user.

3. To view the mapping between the Linux newuser user and user_u, run the semanage login -l command as the Linux root user:

       ~]# semanage login -l

       Login Name           SELinux User         MLS/MCS Range

       __default__          unconfined_u         s0-s0:c0.c1023
       newuser              user_u               s0
       root                 unconfined_u         s0-s0:c0.c1023
       system_u             system_u             s0-s0:c0.c1023

   The MLS/MCS Range column shows s0 for newuser because no range was given with -r, so the default range of the user_u SELinux user is used.

4. As the Linux root user, run the passwd newuser command to assign a password to the Linux newuser user:

       ~]# passwd newuser
       Changing password for user newuser.
       New password: Enter a password
       Retype new password: Enter the same password again
       passwd: all authentication tokens updated successfully.

5. Log out of your current session, and log in as the Linux newuser user. Run the id -Z command to view newuser's SELinux context:

       ~]$ id -Z
       user_u:user_r:user_t:s0

6. Log out of the Linux newuser's session, and log back in with your account. If you do not want the Linux newuser user, run the userdel -r newuser command as the Linux root user to remove it, along with its home directory. Then run the semanage login -d newuser command to remove the mapping between the Linux newuser user and user_u; userdel does not remove it, and a stale record would otherwise apply to any future account created with the same name:

       ~]# userdel -r newuser
       ~]# semanage login -d newuser
       ~]# semanage login -l

       Login Name           SELinux User         MLS/MCS Range

       __default__          unconfined_u         s0-s0:c0.c1023
       root                 unconfined_u         s0-s0:c0.c1023
       system_u             system_u             s0-s0:c0.c1023
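The following POSIX sh wrapper is an added example and is not part of the guide or of the semanage tool. It turns the procedure above into checked steps: it looks up which SELinux user a Linux login currently maps to, honouring the __default__ fallback that hides unmapped logins from the listing; it refuses to confine root, the login running the script, or __default__, since a wrong mapping there can lock the administrator out of the unconfined role; and it picks semanage login -a for a login with no record and semanage login -m for one that already has a record, because -a fails on an existing record. The listing in SAMPLE_LOGINS is constructed to match the guide's semanage login -l output, and the DRY_RUN variable and all function names are this example's own; with DRY_RUN set, the semanage command is printed instead of executed, so the script can be exercised on a host without SELinux tooling.

```shell
#!/bin/sh
# Added example (not from the RHEL guide): helper functions around
# `semanage login`, with DRY_RUN=1 printing the command instead of running it.

# Constructed copy of the guide's `semanage login -l` output before any
# record for newuser exists.
SAMPLE_LOGINS='Login Name           SELinux User         MLS/MCS Range

__default__          unconfined_u         s0-s0:c0.c1023
root                 unconfined_u         s0-s0:c0.c1023
system_u             system_u             s0-s0:c0.c1023'

# explicit_record LOGIN LISTING: print the SELinux user from an explicit
# record for LOGIN, or nothing if LOGIN relies on the default mapping.
explicit_record() {
    printf '%s\n' "$2" | awk -v l="$1" '$1 == l { print $2 }'
}

# mapped_seuser LOGIN [LISTING]: the SELinux user LOGIN actually gets at
# login time, i.e. its explicit record or, failing that, the __default__ one.
# Without LISTING the live `semanage login -l` output is consulted.
mapped_seuser() {
    listing=${2:-$(semanage login -l)}
    seuser=$(explicit_record "$1" "$listing")
    [ -n "$seuser" ] || seuser=$(explicit_record __default__ "$listing")
    printf '%s\n' "$seuser"
}

# confine_login LOGIN SEUSER [LISTING]: map LOGIN to SEUSER, adding a new
# record or modifying an existing one as appropriate.
confine_login() {
    login=$1
    seuser=$2
    listing=${3:-$(semanage login -l)}
    case $login in
        root|"$(id -un)"|__default__)
            echo "refusing to confine '$login': root, the current session and __default__ are off limits" >&2
            return 1 ;;
    esac
    if [ -n "$(explicit_record "$login" "$listing")" ]; then
        cmd="semanage login -m -s $seuser $login"   # record exists: modify it
    else
        cmd="semanage login -a -s $seuser $login"   # no record yet: add one
    fi
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$cmd"
    else
        $cmd
    fi
}

# context_matches CONTEXT SEUSER: check that the `id -Z` output of a fresh
# session for the login (e.g. user_u:user_r:user_t:s0) carries SEUSER.
context_matches() {
    [ "${1%%:*}" = "$2" ]
}
```

Because the mapping is only read when a session starts, the real check is the last one: log in as the user again and pass the output of id -Z to context_matches; a match on the listing alone proves nothing about sessions that are still open.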