6.3. Confining Existing Linux Users: semanage login

If a Linux user is mapped to the SELinux unconfined_u user (the default behavior), and you would like to change which SELinux user they are mapped to, use the semanage login command. The following example creates a new Linux user named newuser, then maps that Linux user to the SELinux user_u user:

As the Linux root user, run the useradd newuser command to create a new Linux user (newuser). Since this user uses the default mapping, it does not appear in the semanage login -l output:

~]# useradd newuser
~]# semanage login -l

Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023

To map the Linux newuser user to the SELinux user_u user, run the following command as the Linux root user:
```
~]# semanage login -a -s user_u newuser
```
The -a option adds a new record, and the -s option specifies the SELinux user to map a Linux user to. The last argument, newuser, is the Linux user you want mapped to the specified SELinux user.

To view the mapping between the Linux newuser user and user_u, run the semanage login -l command as the Linux root user:

~]# semanage login -l

Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
newuser                   user_u                    s0
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023

As the Linux root user, run the passwd newuser command to assign a password to the Linux newuser user:

~]# passwd newuser
Changing password for user newuser.
New password: Enter a password
Retype new password: Enter the same password again 
passwd: all authentication tokens updated successfully.

Log out of your current session, and log in as the Linux newuser user. Run the id -Z command to view the newuser's SELinux context:
```
~]$ id -Z
user_u:user_r:user_t:s0
```

Log out of the Linux newuser's session, and log back in with your account. If you do not want the Linux newuser user, run the userdel -r newuser command as the Linux root user to remove it, along with its home directory. Run the semanage login -d newuser command to remove the mapping between the Linux newuser user and user_u:

~]# userdel -r newuser
~]# semanage login -d newuser
~]# semanage login -l

Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023

Where did the comment section go?

Red Hat's documentation publication system recently went through an upgrade to enable speedier, more mobile-friendly content. We decided to re-evaluate our commenting platform to ensure that it meets your expectations and serves as an optimal feedback mechanism. During this redesign, we invite your input on providing feedback on Red Hat documentation via the discussion platform.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

JBoss Development and Management

JBoss Integration and Automation

Mobile

Services

Tools

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories

6.3. Confining Existing Linux Users: semanage login

Where did the comment section go?