Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

6.3. Confining Existing Linux Users: semanage login

If a Linux user is mapped to the SELinux unconfined_u user (the default behavior), and you would like to change which SELinux user they are mapped to, use the semanage login command. The following example creates a new Linux user named newuser, then maps that Linux user to the SELinux user_u user:

Procedure 6.2. Mapping Linux Users to the SELinux Users

  1. As root, create a new Linux user (newuser). Since this user uses the default mapping, it does not appear in the semanage login -l output:
    Copy to Clipboard Toggle word wrap 
    ~]# useradd newuser
     Copy to Clipboard Toggle word wrap 
    ~]# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *
  2. To map the Linux newuser user to the SELinux user_u user, enter the following command as root:
    Copy to Clipboard Toggle word wrap 
    ~]# semanage login -a -s user_u newuser
    The -a option adds a new record, and the -s option specifies the SELinux user to map a Linux user to. The last argument, newuser, is the Linux user you want mapped to the specified SELinux user.
  3. To view the mapping between the Linux newuser user and user_u, use the semanage utility again:
    Copy to Clipboard Toggle word wrap 
    ~]# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
newuser              user_u               s0                   *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *
  4. As root, assign a password to the Linux newuser user:
    Copy to Clipboard Toggle word wrap 
    ~]# passwd newuser
Changing password for user newuser.
New password: Enter a password
Retype new password: Enter the same password again
passwd: all authentication tokens updated successfully.
  5. Log out of your current session, and log in as the Linux newuser user. Enter the following command to view the newuser's SELinux context:
    Copy to Clipboard Toggle word wrap 
    ~]$ id -Z
user_u:user_r:user_t:s0
  6. Log out of the Linux newuser's session, and log back in with your account. If you do not want the Linux newuser user, enter the following command as root to remove it, along with its home directory:
    Copy to Clipboard Toggle word wrap 
    ~]# userdel -r newuser
    As root, remove the mapping between the Linux newuser user and user_u:
    Copy to Clipboard Toggle word wrap 
    ~]# semanage login -d newuser
     Copy to Clipboard Toggle word wrap 
    ~]# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *
Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat, Inc.