semanage-login
Configure SELinux user login mappings
TLDR
List all login mappings
Add a login mapping (map Linux user to SELinux user)
Delete a login mapping
Modify an existing login mapping
Add a login mapping with a specific MLS/MCS range
List only customized login mappings
SYNOPSIS
semanage login -a | --add -s SEUSER [-r RANGE] LOGIN
semanage login -d | --delete LOGIN
semanage login -m | --modify [-s SEUSER] [-r RANGE] LOGIN
semanage login -l | --list [-C | --locallist] [-n | --noheading]
semanage login -D | --deleteall
Common options: [-N | --noreload] [-S STORE | --store STORE] [-h | --help]
PARAMETERS
login
This subcommand of semanage manages the mappings between Linux logins (or groups) and SELinux users.
-a, --add
Adds a new mapping from a Linux login (or a %group) to an SELinux user. Requires -s.
-d, --delete
Deletes the local mapping for the specified Linux login. Entries that come from the policy itself (such as __default__) cannot be deleted, only modified with -m.
-m, --modify
Modifies the existing mapping for the specified Linux login, changing its SELinux user (-s) and/or its MLS/MCS range (-r).
-l, --list
Lists the configured login mappings. With -C (--locallist) only local customizations are shown; -n (--noheading) suppresses the header line.
-D, --deleteall
Removes all local login-mapping customizations, leaving only the entries defined by the policy.
-s SEUSER, --seuser SEUSER
The SELinux user (e.g., user_u, staff_u, unconfined_u) the login is mapped to. Required with -a, optional with -m.
-r RANGE, --range RANGE
The MLS/MCS security range of the mapping (MLS/MCS systems only), e.g. s0 or s0-s0:c0.c1023. Defaults to the range of the SELinux user record.
LOGIN
The Linux login name (e.g., john_doe), a group name prefixed with % (e.g., %developers, matching every member of the group), or the special __default__ entry.
-N, --noreload
Commits the change to the policy store but does not reload policy afterwards. Changes are always written to the store and therefore persist across reboots; there is no separate "permanent" flag.
-S STORE, --store STORE
Selects an alternate SELinux policy store to manage (by default the store of the loaded policy, e.g. targeted).
DESCRIPTION
The semanage-login command is the subcommand of the semanage utility that manages the mapping between Linux user accounts (or groups) and SELinux user identities. When a user logs in, the login program resolves the Linux login name to an SELinux user and MLS/MCS range through this mapping. The SELinux user, in turn, determines which roles and types the session may enter, and thus the security context under which the user's processes run and the resources they can reach.
This command allows administrators to add, delete, modify, or list these mappings. For instance, an ordinary Linux user might be mapped to user_u, a member of the %wheel group to staff_u, and an administrator to sysadm_u, while on the targeted policy shipped by Fedora and RHEL the __default__ entry maps everyone else to unconfined_u. Mapping logins to confined SELinux users is how the principle of least privilege is applied to interactive sessions. Changes are committed to the policy store (the seusers file under /etc/selinux/STORE/, e.g. /etc/selinux/targeted/seusers) and are therefore persistent across reboots; unless -N is given, policy is reloaded after each commit.
CAVEATS
When managing login mappings, the special __default__ LOGIN entry is used for any Linux user that has neither an explicit mapping nor a matching %group mapping. Its value decides whether unmapped users are confined at all, so it must be set deliberately.
Changes made with semanage-login require root privileges. They only affect future login sessions; sessions that are already active keep their current context until the user logs in again. The SELinux users referenced in mappings must already exist in the loaded policy (see semanage user -l); semanage-login does not create them.
THE __DEFAULT__ LOGIN
The __default__ login is a special entry that defines the SELinux user mapping for any Linux user account that has no explicit login or %group mapping. On the targeted policy shipped by Fedora and RHEL it maps to unconfined_u, so unmapped users are not confined; changing it (for example, semanage login -m -s user_u __default__) is the usual way to turn confined users on, after which administrators must be mapped explicitly to staff_u or sysadm_u before the change takes effect for them. Because __default__ is defined by the policy, it can be modified but not deleted.
INTERACTION WITH GETSEUSERBYNAME()
The libselinux function getseuserbyname(3) is what login programs (for example, through the pam_selinux PAM module, or directly in sshd) call to obtain the SELinux user and MLS/MCS level for a Linux login name, based on the mappings that semanage-login writes to the seusers file. It consults the entries in order: an exact match on the login name wins, otherwise the first %group entry whose group the user belongs to, otherwise __default__. The returned SELinux user and level are then used to select the default context of the new session.
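The following is an added example, not code from policycoreutils or libselinux. It covers both the __default__ section and the getseuserbyname() lookup above, and the TLDR tasks: it parses the seusers file that semanage login maintains, resolves which SELinux user a new session for a given login would receive, flags every entry that escapes confinement by mapping to unconfined_u, and emits the semanage login -a/-m/-d commands needed to move the store to a desired set of mappings. Assumptions, marked in the code: the line format login:seuser[:range] of /etc/selinux/STORE/seusers, the lookup order exact login, then first matching %group line, then __default__, and that __default__, system_u and root are policy-defined entries that -d refuses to remove. The seusers content is constructed, not captured from a host.

```python
"""Parse, resolve, audit and reconcile the seusers mapping file written by `semanage login`.
Added example; not code from policycoreutils or libselinux."""
import shlex
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Mapping:
    seuser: str
    mls_range: Optional[str] = None   # None: let semanage use the SELinux user's default range


# Constructed sample of /etc/selinux/targeted/seusers; not captured from a real host.
SAMPLE_SEUSERS = """\
system_u:system_u:s0-s0:c0.c1023
__default__:unconfined_u:s0-s0:c0.c1023
root:unconfined_u:s0-s0:c0.c1023
%wheel:staff_u:s0-s0:c0.c1023
%developers:user_u:s0
alice:staff_u:s0-s0:c0.c1023
"""

# Assumption: these entries are shipped by the targeted policy itself, so `semanage login -d`
# refuses to remove them (change them with -m instead). `semanage login -l -C` shows what is local.
POLICY_DEFINED = frozenset({"__default__", "system_u", "root"})


def parse_seusers(text: str) -> Dict[str, Mapping]:
    """Parse seusers lines (assumed format login:seuser[:range]) into {login: Mapping}, in file order."""
    mappings: Dict[str, Mapping] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Split on at most two colons: the MLS range itself contains ':' (s0-s0:c0.c1023).
        parts = line.split(":", 2)
        login, seuser = parts[0], parts[1]
        mls_range = parts[2] if len(parts) == 3 and parts[2] else None
        mappings[login] = Mapping(seuser, mls_range)
    return mappings


def resolve_login(mappings: Dict[str, Mapping], login: str, groups: Iterable[str]) -> Optional[Mapping]:
    """Mapping a new session for `login` receives (assumed getseuserbyname order):
    exact login, else the first %group line in file order the user belongs to, else __default__."""
    if login in mappings:
        return mappings[login]
    groups = set(groups)
    for name, m in mappings.items():
        if name.startswith("%") and name[1:] in groups:
            return m
    return mappings.get("__default__")


def unconfined_entries(mappings: Dict[str, Mapping]) -> List[str]:
    """Logins, %groups and __default__ that land in unconfined_u, i.e. sessions SELinux does not confine."""
    return sorted(name for name, m in mappings.items() if m.seuser == "unconfined_u")


def reconcile_commands(current: Dict[str, Mapping], desired: Dict[str, Mapping],
                       remove: Iterable[str] = ()) -> List[str]:
    """`semanage login` commands that move `current` to `desired` and delete `remove`.
    A desired entry with mls_range=None pins only the SELinux user and keeps any existing range."""
    cmds: List[str] = []
    for login, want in desired.items():
        have = current.get(login)
        if have is not None and have.seuser == want.seuser and want.mls_range in (None, have.mls_range):
            continue  # already in the desired state
        argv = ["semanage", "login", "-a" if have is None else "-m", "-s", want.seuser]
        if want.mls_range is not None:
            argv += ["-r", want.mls_range]
        argv.append(login)
        cmds.append(shlex.join(argv))
    for login in sorted(remove):
        if login in POLICY_DEFINED:
            raise ValueError(f"{login} is defined in policy; change it with -m, it cannot be deleted")
        if login in current:
            cmds.append(shlex.join(["semanage", "login", "-d", login]))
    return cmds


if __name__ == "__main__":
    current = parse_seusers(SAMPLE_SEUSERS)
    for user, groups in [("alice", {"developers"}), ("bob", {"wheel", "developers"}), ("dave", set())]:
        print(user, "->", resolve_login(current, user, groups))
    print("unconfined entries:", unconfined_entries(current))
    desired = {"__default__": Mapping("user_u"), "bob": Mapping("staff_u", "s0-s0:c0.c1023")}
    print("\n".join(reconcile_commands(current, desired, remove={"%developers"})))
```

Run against a copy of the real seusers file (for example, a Python one-liner reading /etc/selinux/targeted/seusers), the unconfined_entries() check is the quick audit for whether confined users are actually in effect: if __default__ is still listed, every user without an explicit mapping runs unconfined regardless of the other entries. The reconcile step deliberately raises on an attempt to delete a policy-defined entry rather than emitting a command that semanage would reject, and it emits -m rather than -a for logins that already exist so the commands are idempotent.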
HISTORY
The semanage-login command is part of the policycoreutils project (on Fedora and RHEL it ships in the policycoreutils-python-utils subpackage), which provides the utilities for managing SELinux policy. It was developed as part of the broader effort to simplify SELinux administration, replacing direct editing of the seusers file and policy sources with high-level commands that write to the policy store. Its usage evolved to provide a structured and robust way to manage user-to-SELinux mappings, a critical aspect of multi-user SELinux environments.
SEE ALSO
semanage(8), semanage-user(8), getseuserbyname(3), selinux(8), semodule(8)