Chapter 49. Defining SELinux user maps


Learn how SELinux user maps work in IdM, how to configure Security-Enhanced Linux (SELinux) user map order and defaults, and how to map Identity Management (IdM) users to SELinux users by using the Web UI or the IdM CLI.

49.1. SELinux contexts and Identity Management

Learn how Security-Enhanced Linux (SELinux) contexts and policy stay on each host while Identity Management (IdM) maps domain users to SELinux user strings at login.

SELinux provides kernel-level mandatory access control (MAC) to govern how processes interact with system resources. Based on the expected behavior of processes and their security implications, administrators and policy writers define security contexts. These are labels assigned to every subject, such as processes, and object, such as files, sockets, and hardware on the system.

While the kernel only sees subjects (processes) and objects (files or sockets), the chain of security begins with the human identity. When a user logs in via IdM, their network account is mapped to a specific SELinux user. This mapping acts as a bridge: it ensures that every process started by that human inherits a specific security context.

Consequently, a human does not just have access to a file; instead, the human’s identity determines their SELinux label, and that label dictates exactly which resources their processes can access. By assigning different contexts to different groups of people, such as administrators, developers, or guests, organizations can ensure that even if a human’s session is compromised, the blast radius of a security breach is effectively minimized.

IdM does not create or modify SELinux contexts or policy on client systems. Instead, IdM uses strings that can match contexts already present on target hosts as the basis for mapping IdM users in the domain to SELinux users on a system.

If you create an SELinux user map in IdM, you do not modify the SELinux policy on your hosts:

  • IdM does not apply new security rules on your hosts. The SELinux policy stays local. The rules that define what staff_u can do compared to user_u are stored on the individual Linux host, not in the central IdM database.
  • The system maps the IdM user to an SELinux user string, such as staff_u. When the user logs in to a target host, the host evaluates this string against its local SELinux policy:

    • If the string matches a local SELinux user, the host applies the corresponding restrictions.
    • If the string does not match a local SELinux user, the host applies the default SELinux context.

Each SELinux user is associated with one or more SELinux roles. The role is assigned both a multilayer security (MLS) context and a multi-category security (MCS) context. The MLS and MCS contexts confine users so that they can access only certain processes, files, and operations on the system.

The following list maps SELinux users that are available on a system to their allowed roles:

                Labelling  MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range        SELinux Roles

guest_u         user       s0         s0               guest_r
root            user       s0         s0-s0:c0.c1023   staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023   staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023   sysadm_r
system_u        user       s0         s0-s0:c0.c1023   system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023   system_r unconfined_r
user_u          user       s0         s0               user_r
xguest_u        user       s0         s0               xguest_r

SELinux user maps work with the System Security Services Daemon (SSSD) and the pam_selinux PAM module. When a remote user logs in to a machine, SSSD queries its IdM identity provider for user information, including any SELinux maps. The PAM module then assigns the appropriate SELinux user context. SSSD caching allows the mapping to work while offline.

Learn how mapping Identity Management (IdM) users to SELinux users centralizes SELinux context assignment and ties it to identity, host, and host-based access policy in the IdM domain.

SELinux users and policies operate at the system level, not the network level. SELinux users are configured independently on each system. While that is acceptable in many environments because SELinux defines common system users and SELinux-aware services define their own policies, it can be problematic when remote users and systems access local resources. Remote users and services might receive a default SELinux context that does not match their intended identity or role.

IdM solves this problem by integrating an identity domain with local SELinux services. IdM can map IdM users to configured SELinux users per host, per host group, or based on a host-based access control (HBAC) rule. Specifically, mapping SELinux and IdM users improves user administration as follows:

  • Remote users can receive appropriate SELinux user contexts based on their IdM group assignments. Administrators can apply the same policies consistently without creating local accounts or reconfiguring SELinux on each host.
  • The SELinux context associated with a user is centralized in IdM.
  • SELinux user context assignment can follow the same policy decisions you already manage in IdM, such as which users are allowed to access which hosts through HBAC rules.
  • Administrators can review and change SELinux user map configuration in one place, including which IdM users, groups, hosts, and host groups are assigned to each SELinux user map.

An SELinux user map links an IdM user to a specific SELinux user on a per-host basis. This allows administrators to assign different security contexts to the same person depending on which system they access.

49.3. SELinux user types in IdM

Learn how Identity Management (IdM) maintains a central list of SELinux user strings with MLS and MCS ranges that you attach to maps and assign at login.

The core of an SELinux user map is the SELinux user. Each map is associated with an SELinux user. The SELinux users available for mapping are configured centrally in IdM. By default, these include:

  • unconfined_u (also used as a default for IdM users)
  • guest_u
  • xguest_u
  • user_u
  • staff_u

You can change this default list: any native SELinux user can be added or removed from the central IdM SELinux user list.

In the IdM server configuration, each SELinux user is configured with its user name and its MLS and MCS range, in the form SELinux_user:MLS[:MCS]. The IdM server uses this format when configuring maps.

49.4. HBAC rules and SELinux user maps in IdM

HBAC rules integrate with SELinux user maps in Identity Management (IdM) so that the same user and host membership controls both access and SELinux context assignment.

You can associate SELinux mapping rules with HBAC rules to simplify administration and avoid duplicating membership in separate map and HBAC definitions. As long as the HBAC rule defines a user and a host, you can use it for an SELinux user map. Linking an SELinux user map to an HBAC rule ensures that the same user and host membership drives both access enforcement and SELinux context assignment.

If an HBAC rule is associated with an SELinux user map, you cannot delete the host-based access control rule until you remove it from the SELinux user map configuration.

Note

The IdM SELinux configuration is flexible. In addition to using HBAC rules, you can assign IdM users and hosts to an SELinux user map explicitly. You can also assign user groups or host groups to SELinux maps.

Learn about how to configure the SELinux user map order and the default SELinux user on the IdM server so that unmapped domain users still receive a valid context and so that the server ranks SELinux users from most confined to least confined.

Important

These settings do not replace individual user maps. They define the global list and fallback only.

The SELinux user map order is a list of SELinux users ranked from most confined to least confined. It is part of the IdM server configuration. An SELinux user map associates an SELinux user on a client with an Identity Management (IdM) user.

Each SELinux user entry uses this format:

SELinux_user:MLS[:MCS]

Separate individual user entries with a dollar sign ($).

Because IdM user entries do not require an SELinux map, many entries might be unmapped. The IdM server configuration defines a default SELinux user—one of the users from the full SELinux map list—for unmapped IdM user entries so that those users still receive a valid SELinux context. The default SELinux user for unmapped IdM user entries is unconfined_u, which is consistent with the default SELinux user for system users on Red Hat Enterprise Linux.

Warning

Do not use unconfined_u as the default IdM SELinux user in production. Because unconfined_u is subject to only minimal SELinux restrictions, it effectively removes most of the protections SELinux provides. Set the default to a more confined user, such as guest_u, before deploying.

Use the Identity Management (IdM) Web UI to set the SELinux user map order, the default SELinux user for unmapped IdM entries, and which SELinux users are available for mapping on the IdM server. This controls how strictly unmapped users are confined and which strings maps may use.

Prerequisites

  • You are logged in to the IdM Web UI as an administrator.

Procedure

  1. Go to IPA Server Configuration.
  2. Scroll down to the SELINUX OPTIONS section.
  3. Edit the SELinux user configuration: SELinux user map order, Default SELinux user, or both, as needed.

    IdM server configuration page showing SELINUX OPTIONS with SELinux user map order and default SELinux user.
  4. Click Update at the top of the page to save your changes.

Use the Identity Management (IdM) CLI to set the SELinux user map order, the default SELinux user for unmapped IdM entries, and which SELinux users are available for mapping in IdM. This controls how strictly unmapped users are confined and which strings maps may use.

Prerequisites

  • You have administrative credentials to access the IdM CLI.

Procedure

  1. Optional: View the SELinux users configured on the IdM server and available for mapping:

    [user1@server ~]$ ipa config-show

    Example output (excerpt):

    ...
    SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
    Default SELinux user: unconfined_u:s0-s0:c0.c1023

    The list shows available SELinux users from the most confined to the least confined, separated by $.

  2. To change the list of SELinux users and their order, run ipa config-mod with the --ipaselinuxusermaporder option. List SELinux users from most confined to least confined, separated by $. Enclose the value in single quotes so that the shell does not expand the $ separators as variable references (inside double quotes, $xguest_u would be replaced by an empty variable and the list silently corrupted). The following example adds the sysadm_u user to the SELinux user map order:

    [user1@server ~]$ ipa config-mod --ipaselinuxusermaporder='guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$sysadm_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023'

    Note

    The default SELinux user used for unmapped entries must appear in the user map list or the modification fails. If you change the default, it must be a user that is already in the SELinux map list, or you must update the map list first.

  3. To change the default SELinux user for IdM users that do not have a specific map, run ipa config-mod with --ipaselinuxusermapdefault.

    [user1@server ~]$ ipa config-mod --ipaselinuxusermapdefault="guest_u:s0"
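The following script is an added example, not part of Red Hat's documentation or of the IdM code base. It applies the rules stated above to a proposed map order and default before you run ipa config-mod: every entry must have the form SELinux_user:MLS[:MCS], entries are separated by $, the default must be one of the entries in the order list (otherwise the modification fails), and unconfined_u is flagged as an unsuitable production default. The function names and the SAMPLE_CONFIG_SHOW text are constructed for this example; the sample is shaped like the ipa config-show excerpt shown in step 1.

```python
"""Pre-flight check of an IdM SELinux user map order and default (added example)."""
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

# SELinux_user:MLS[:MCS], e.g. guest_u:s0 or staff_u:s0-s0:c0.c1023
ENTRY_RE = re.compile(
    r"^(?P<user>[a-z_][a-z0-9_]*)"
    r":(?P<mls>s\d+(?:-s\d+)?)"
    r"(?::(?P<mcs>c\d+(?:\.c\d+)?(?:,c\d+(?:\.c\d+)?)*))?$"
)


@dataclass(frozen=True)
class SELinuxUserEntry:
    user: str
    mls: str
    mcs: Optional[str]

    @property
    def text(self) -> str:
        return f"{self.user}:{self.mls}" + (f":{self.mcs}" if self.mcs else "")


def parse_entry(text: str) -> SELinuxUserEntry:
    """Parse one entry; reject anything not in SELinux_user:MLS[:MCS] form."""
    m = ENTRY_RE.match(text)
    if not m:
        raise ValueError(f"not in SELinux_user:MLS[:MCS] form: {text!r}")
    return SELinuxUserEntry(m["user"], m["mls"], m["mcs"])


def parse_map_order(order: str) -> List[SELinuxUserEntry]:
    """Split the '$'-separated order string and parse every entry."""
    entries = [parse_entry(part) for part in order.split("$")]
    users = [e.user for e in entries]
    duplicates = sorted({u for u in users if users.count(u) > 1})
    if duplicates:
        raise ValueError(f"SELinux user listed more than once: {duplicates}")
    return entries


def validate_default(order: str, default: str) -> SELinuxUserEntry:
    """Return the parsed default if it is in the order list; IdM rejects it otherwise."""
    entries = parse_map_order(order)
    candidate = parse_entry(default)
    if candidate not in entries:
        raise ValueError(
            f"default {default!r} is not in the map order; "
            "update --ipaselinuxusermaporder first"
        )
    return candidate


def is_confined_default(default: str) -> bool:
    """False for unconfined_u, which is not a suitable production default."""
    return parse_entry(default).user != "unconfined_u"


def parse_config_show(output: str) -> Tuple[str, str]:
    """Extract the two SELinux lines from `ipa config-show` text output."""
    order = default = None
    for line in output.splitlines():
        key, _, value = line.strip().partition(": ")
        if key == "SELinux user map order":
            order = value
        elif key == "Default SELinux user":
            default = value
    if order is None or default is None:
        raise ValueError("SELinux lines not found in config-show output")
    return order, default


def config_mod_command(order: str, default: str) -> str:
    """Build the ipa config-mod line; shlex.quote keeps '$' away from the shell."""
    validate_default(order, default)
    return (
        "ipa config-mod"
        f" --ipaselinuxusermaporder={shlex.quote(order)}"
        f" --ipaselinuxusermapdefault={shlex.quote(default)}"
    )


# Constructed sample, shaped like the config-show excerpt in step 1.
SAMPLE_CONFIG_SHOW = """\
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
"""

if __name__ == "__main__":
    order, default = parse_config_show(SAMPLE_CONFIG_SHOW)
    for entry in parse_map_order(order):
        print(f"{entry.user:<13} MLS={entry.mls:<8} MCS={entry.mcs or '-'}")
    if not is_confined_default(default):
        print(f"current default {default} is unconfined; proposing guest_u:s0")
    print(config_mod_command(order, "guest_u:s0"))          # accepted: in the list
    try:
        config_mod_command(order, "sysadm_u:s0-s0:c0.c1023")  # rejected: not in the list
    except ValueError as err:
        print("rejected:", err)
```

Run it as a script to see the parsed list and the generated command; feed it the real output of ipa config-show instead of the sample to check a change to your own server. The order string is quoted with shlex.quote, which single-quotes it because of the $ separators, so the generated line is safe to paste into a shell.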

Create or edit SELinux user maps in the Identity Management (IdM) Web UI to associate an SELinux user context on IdM clients with IdM users, groups, hosts, host groups, or with a single host-based access control (HBAC) rule.

49.8.1. Prerequisites

  • You are logged in to the IdM Web UI as an administrator.

An SELinux user map associates an SELinux user string with IdM users and hosts, or with a host-based access control (HBAC) rule that already defines users and hosts. Use the IdM Web UI to review which maps exist in the domain and to open a map to inspect its settings.

Procedure

  1. In the IdM Web UI, go to Policy SELinux User Mappings.

    The page lists the SELinux user maps that are defined in the domain.

    SELinux User Mappings list.
  2. Optional: To inspect the configuration of a map, click its name in the list. The map details show the General, Users, and Hosts settings that apply to that map.

You can create a new SELinux user map by using the Add workflow in the IdM Web UI. Either assign a host-based access control (HBAC) rule to the map, or assign IdM users and hosts manually. You cannot combine both approaches on the same map.

Procedure

  1. In the IdM Web UI, go to Policy SELinux User Mappings.
  2. In the list of mappings, click Add to create a map.

    SELinux User Mappings list with Add highlighted.
  3. Enter the map name and the SELinux user. The SELinux user string must match the IdM server configuration exactly, in the form SELinux_user:MLS[:MCS].

    Add SELinux user mapping dialog.
  4. Click Add and Edit to add IdM user information.
  5. Use either an HBAC rule or assign users and hosts manually:

    • To use a host-based access control rule, choose the rule in the drop-down list in the General section. Using a host-based access control rule also applies that rule’s access controls for which hosts a remote user may use to reach a target machine.

      Note

      Only one host-based access control rule can be assigned. The host-based access control rule must include users and hosts, not only services.

      SELinux map General section with HBAC rule selection.
    • To assign users, user groups, hosts, or host groups directly to the SELinux map:

      1. In the Users and Hosts sections, click Add.

        Users and Hosts sections of an SELinux user map.
      2. In the left column, choose the users, hosts, or groups that you want to add, use the >> control to move them to the Prospective column, and click Add to add them to the map.

        Adding users to Prospective column for an SELinux map.
  6. Click Update at the top to save the SELinux user map.

If an SELinux user map exists, you can change its HBAC association, add or remove IdM users and hosts that are assigned to it, or delete the map from the IdM Web UI.

Procedure

  1. In the IdM Web UI, go to Policy SELinux User Mappings.
  2. Click the name of the map that you want to change.
  3. Select one of the following actions based on your needs:

    • In the General section, change the host-based access control (HBAC) rule in the drop-down list.

      Note

      If you assign a new HBAC rule to an existing map, the new HBAC association replaces the previous map configuration for that setting.

      SELinux map General section with HBAC rule selection.
    • To add IdM users, user groups, hosts, or host groups to the map:

      1. Go to the Users or Hosts section.
      2. Click Add.

        Users and Hosts sections of an SELinux user map.
      3. In the left column, choose the entries that you want to add and use the >> control to move them to the Prospective column.
      4. Click Add.

        Adding users to Prospective column for an SELinux map.
    • To remove an assigned user, user group, host, or host group:

      1. Select the entry in the Users or Hosts section.
      2. Use the control that removes the assignment (for example, Delete).
      3. Click Update at the top to save your changes.
    • To delete the SELinux user map entirely, use the Delete action for the map in the SELinux User Mappings list.

Create or edit SELinux user maps in the Identity Management (IdM) CLI to associate an SELinux user context on IdM clients with IdM users, groups, hosts, host groups, or with a single host-based access control (HBAC) rule.

49.9.1. Prerequisites

  • You have administrative credentials to access the IdM CLI.

An SELinux user map associates an SELinux user string with IdM users and hosts, or with a host-based access control (HBAC) rule that already defines users and hosts. When you use the IdM CLI, you refer to those pieces with options such as --selinuxuser, --users, --groups, --hosts, --hostgroups, and --hbacrule. Use the following steps to list SELinux user maps in the domain and to show the details of one map.

Procedure

  • To list all SELinux user maps in the domain:

    [user1@server ~]$ ipa selinuxusermap-find
  • To display a specific map, run ipa selinuxusermap-show and pass the map name. Replace selinux1 with the name of your map.

    [user1@server ~]$ ipa selinuxusermap-show selinux1

You can create a new SELinux user map in two ways: run ipa selinuxusermap-add and then attach IdM users and hosts with ipa selinuxusermap-add-user and ipa selinuxusermap-add-host, or create the map in one step by referencing a host-based access control (HBAC) rule with --hbacrule. The --selinuxuser value must match the SELinux user string in the IdM server configuration, in the form SELinux_user:MLS[:MCS]. If you use explicit users and hosts, you must add both users or groups and hosts or host groups for the mapping to be valid. You can repeat CLI options or pass a comma-separated list in braces, for example --option={val1,val2,val3}.

Procedure

  • To create a new map and assign users and hosts with separate commands:

    1. Create the map record first. Replace selinux1 with the name of your map:

      [user1@server ~]$ ipa selinuxusermap-add --selinuxuser="xguest_u:s0" selinux1
    2. Add IdM users to the map.

      [user1@server ~]$ ipa selinuxusermap-add-user --users=user1 --users=user2 --users=user3 selinux1
    3. Add client hosts to the map.

      [user1@server ~]$ ipa selinuxusermap-add-host --hosts=server.example.com --hosts=test.example.com selinux1
  • Alternatively, to create a map that references an HBAC rule:

    The --hbacrule option names the HBAC rule to use. Using a rule applies that rule’s access controls for which hosts a remote user may use to access a target host, in addition to applying SELinux contexts after login. The rule must specify users and hosts so that the SELinux map can form the SELinux user, IdM user, and host relationship. Only one HBAC rule can be specified.

    [user1@server ~]$ ipa selinuxusermap-add --hbacrule=webserver --selinuxuser="xguest_u:s0" selinux1
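The following script is an added example, not part of Red Hat's documentation or of the IdM code base. It plans the ipa calls for one map, either of the two ways described above, and enforces the stated constraints before anything runs: the --selinuxuser string must match an entry of the server's SELinux user map order exactly, a map uses either one HBAC rule or explicit members but never both, and an explicit map needs both users or groups and hosts or host groups. It returns argv lists for subprocess.run, so no shell quoting is involved. The function name is constructed for this example, and SERVER_MAP_ORDER is constructed from the ipa config-show excerpt earlier in this chapter; the map, user, host and rule names are the ones used in the procedure.

```python
"""Plan the ipa CLI calls that create one SELinux user map (added example)."""
from typing import List, Optional, Sequence

# Constructed: the value `ipa config-show` reports as "SELinux user map order".
SERVER_MAP_ORDER = (
    "guest_u:s0$xguest_u:s0$user_u:s0$"
    "staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023"
)


def plan_selinuxusermap(
    name: str,
    selinuxuser: str,
    server_map_order: str = SERVER_MAP_ORDER,
    users: Sequence[str] = (),
    groups: Sequence[str] = (),
    hosts: Sequence[str] = (),
    hostgroups: Sequence[str] = (),
    hbacrule: Optional[str] = None,
) -> List[List[str]]:
    """Return the ipa argv lists, in execution order, for the requested map."""
    # The SELinux user string must match the server configuration exactly.
    if selinuxuser not in server_map_order.split("$"):
        raise ValueError(
            f"{selinuxuser!r} is not in the server's SELinux user map order"
        )
    explicit_members = any((users, groups, hosts, hostgroups))
    if hbacrule and explicit_members:
        raise ValueError("use either --hbacrule or explicit users/hosts, not both")

    if hbacrule:
        # One step: the rule already defines users and hosts; only one rule is allowed.
        return [["ipa", "selinuxusermap-add", f"--hbacrule={hbacrule}",
                 f"--selinuxuser={selinuxuser}", name]]

    # Explicit maps need both sides of the user/host relationship to be valid.
    if not (users or groups) or not (hosts or hostgroups):
        raise ValueError("an explicit map needs both users/groups and hosts/host groups")

    commands = [["ipa", "selinuxusermap-add", f"--selinuxuser={selinuxuser}", name]]
    commands.append(
        ["ipa", "selinuxusermap-add-user"]
        + [f"--users={u}" for u in users]
        + [f"--groups={g}" for g in groups]
        + [name]
    )
    commands.append(
        ["ipa", "selinuxusermap-add-host"]
        + [f"--hosts={h}" for h in hosts]
        + [f"--hostgroups={hg}" for hg in hostgroups]
        + [name]
    )
    return commands


if __name__ == "__main__":
    import shlex

    # Explicit users and hosts: three commands, as in the procedure above.
    for argv in plan_selinuxusermap("selinux1", "xguest_u:s0",
                                    users=["user1", "user2", "user3"],
                                    hosts=["server.example.com", "test.example.com"]):
        print(shlex.join(argv))
    # HBAC rule: a single command.
    print(shlex.join(plan_selinuxusermap("selinux1", "xguest_u:s0",
                                         hbacrule="webserver")[0]))
```

To apply a plan, pass each argv list to subprocess.run in order after you have obtained a Kerberos ticket with administrative credentials; to check a plan against your own server, pass the live "SELinux user map order" value from ipa config-show as server_map_order.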

If an SELinux user map exists, you can add or remove IdM users and hosts that are assigned to it, change its HBAC association, or delete the map entirely.

Procedure

  • To add IdM users to an existing map:

    [user1@server ~]$ ipa selinuxusermap-add-user --users=user1 selinux1

    Note

    If you run ipa selinuxusermap-mod with --hbacrule on an existing map, the new HBAC association replaces the previous map configuration for that setting.

  • To add client hosts to an existing map:

    [user1@server ~]$ ipa selinuxusermap-add-host --hosts=server.example.com selinux1
  • To remove an IdM user from a map:

    [user1@server ~]$ ipa selinuxusermap-remove-user --users=user2 selinux1
  • To remove a client host from a map:

    [user1@server ~]$ ipa selinuxusermap-remove-host --hosts=server.example.com selinux1
  • To delete an SELinux user map entirely:

    [user1@server ~]$ ipa selinuxusermap-del selinux1