24.2. Configuring SELinux User Map Order and Defaults

SELinux user maps, as the name implies, create an association between an SELinux user and an IdM user. Before that association can be established, the IdM server has to be aware of the underlying SELinux user configuration on the systems it manages.
The available system SELinux user maps are part of the IdM server configuration. This is a list, in order from most to least confined, of the SELinux users. The SELinux user entry itself has this format:
SELinux_username:MLS[:MCS]
The individual user entries are separated with a dollar sign ($).
Since there is no requirement on user entries to have an SELinux map, many entries may be unmapped. The IdM server configuration sets a default SELinux user (one of the users from the total SELinux map list) to use for unmapped IdM user entries. This way, even unmapped IdM users have a functional SELinux context.

Note

This configuration defines the map order of available system SELinux users. This does not define any IdM user SELinux policies. The IdM user - SELinux user map must be defined and then users are added to the map, as in Section 24.3, “Mapping SELinux Users and IdM Users”.

24.2.1. In the Web UI

  1. In the top menu, click the IPA Server main tab and the Configuration subtab.
  2. Scroll to the bottom of the list of server configuration areas, to SELINUX OPTIONS.
  3. Set the SELinux user configuration.
    There are two areas that can be edited: the prioritized list of SELinux users and the default SELinux user to use for unmapped IdM users.
    The SELinux user map order gives the list of SELinux users, defined on the local Linux system, which are available for configuring mapping rules. This is a prioritized list, from most to least confined. Each SELinux user has the format SELinux_user:MLS.
    The Default SELinux user field sets the SELinux user to use for unmapped IdM users.
  4. Click the Update link at the top of the page to save the changes.

24.2.2. In the CLI

Before SELinux mapping rules can be created, there has to be a defined and universal list of SELinux users which are available to be mapped. This is set in the IdM server configuration:
[jsmith@server ~]$ ipa config-show
...
SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
Default SELinux user: unconfined_u:s0-s0:c0.c1023
The SELinux user settings can be edited using the config-mod command.

Example 24.1. List of SELinux Users

The complete list of SELinux users is passed in the --ipaselinuxusermaporder option. This list sets a priority order, from most to least confined users.
The SELinux user entry itself has this format:
SELinux_user:MLS[:MCS]
The individual user entries are separated with a dollar sign ($).
For example (the value is single-quoted so that the shell does not expand the dollar-sign separators as variable references):
[jsmith@server ~]$ ipa config-mod --ipaselinuxusermaporder='unconfined_u:s0-s0:c0.c1023$guest_u:s0$xguest_u:s0$user_u:s0-s0:c0.c1023$staff_u:s0-s0:c0.c1023'

Note

The default SELinux user, used for unmapped entries, must be included in the user map list or the edit operation fails. Likewise, if the default is edited, it must be changed to a user in the SELinux map list or the map list must be updated first.

Example 24.2. Default SELinux User

IdM users are not required to have a specific SELinux user mapped to their account. However, the local system still checks the IdM entry for an SELinux user to use for the IdM user account. The default SELinux user sets the fallback user to use for unmapped IdM user entries; this is, by default, the default SELinux user for system users on Red Hat Enterprise Linux, unconfined_u.
This default user can be changed with the --ipaselinuxusermapdefault option. For example:
[jsmith@server ~]$ ipa config-mod --ipaselinuxusermapdefault="guest_u:s0"
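The two config-mod examples above and the note between them describe three things that can go wrong: an entry that does not follow the SELinux_user:MLS[:MCS] format, a default user that is not in the map list (the edit fails), and a value whose dollar-sign separators are swallowed by the shell when the option is double-quoted. The following script, added here as an illustration and not part of the Red Hat guide or the ipa tooling, checks the first two conditions offline and prints the commands in a safe order (map list first, then default). The function names, the ENTRY_RE grammar and the sample map order are assumptions made for this example; nothing in it contacts an IdM server.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: sanity-check an IdM SELinux user map
# order and default SELinux user before passing them to `ipa config-mod`.

# Assumed grammar for one entry: an SELinux user name, an MLS level or range
# such as s0 or s0-s0, each level optionally followed by MCS categories such
# as :c0.c1023 (this matches the entries shown in the guide).
ENTRY_RE='^[a-z_][a-z0-9_]*:s[0-9]+(:c[0-9]+([.,]c[0-9]+)*)?(-s[0-9]+(:c[0-9]+([.,]c[0-9]+)*)?)?$'

# Print the $-separated entries of a map order one per line.
split_map_order() {
    printf '%s\n' "$1" | tr '$' '\n'
}

# Succeed only if the map order is non-empty and every entry matches ENTRY_RE.
validate_map_order() {
    [ -n "$1" ] || return 1
    # The while loop runs in a subshell, so `exit 1` only fails the pipeline.
    split_map_order "$1" | while IFS= read -r entry; do
        printf '%s\n' "$entry" | grep -Eq "$ENTRY_RE" || exit 1
    done
}

# Succeed only if the default user is literally one of the map order entries;
# the guide states the edit fails otherwise.
default_in_map_order() {
    split_map_order "$2" | grep -Fxq -- "$1"
}

# Show why the option values must be single-quoted: inside double quotes the
# shell treats $guest_u, $xguest_u, ... as variable references and drops them.
quoting_pitfall() {
    guest_u=''   # stands in for an unset shell variable, which also expands to nothing
    printf '%s\n' "unconfined_u:s0-s0:c0.c1023$guest_u:s0"
}

# Print the ipa commands to run once both values pass the checks above.
# The map list is set before the default so that a new default is already in
# the list when it is applied. Prints nothing and returns 1 if a check fails.
plan_config_mod() {
    order=$1
    default=$2
    validate_map_order "$order" || return 1
    default_in_map_order "$default" "$order" || return 1
    printf "ipa config-mod --ipaselinuxusermaporder='%s'\n" "$order"
    printf "ipa config-mod --ipaselinuxusermapdefault='%s'\n" "$default"
}

# Constructed sample values for stand-alone use (same entries as the guide).
SAMPLE_ORDER='guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023'
SAMPLE_DEFAULT='unconfined_u:s0-s0:c0.c1023'
plan_config_mod "$SAMPLE_ORDER" "$SAMPLE_DEFAULT"
```

Run it as-is to see the two commands it would issue for the sample values; swap in your own map order and default to pre-check them. The quoting_pitfall function exists only to make the double-quote problem visible: its output is the string a double-quoted `"unconfined_u:s0-s0:c0.c1023$guest_u:s0"` actually becomes.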