semanage-user

Manage SELinux user mappings

TLDR

List all SELinux users

$ sudo semanage user [[-l|--list]]

Add a new SELinux user

$ sudo semanage user [[-a|--add]] [[-R|--roles]] [role_name] [selinux_user]

Delete a SELinux user

$ sudo semanage user [[-d|--delete]] [selinux_user]

Modify an existing SELinux user's roles

$ sudo semanage user [[-m|--modify]] [[-R|--roles]] [role_name] [selinux_user]

Add a SELinux user with a specific default level

$ sudo semanage user [[-a|--add]] [[-R|--roles]] [role_name] [[-L|--level]] [s0] [selinux_user]

Add a SELinux user with a specific MLS/MCS range

$ sudo semanage user [[-a|--add]] [[-R|--roles]] [role_name] [[-r|--range]] [s0-s0:c0.c1023] [selinux_user]

List only customized SELinux users

$ sudo semanage user [[-l|--list]] [[-C|--locallist]]

SYNOPSIS

semanage user {-a|--add} {-R } {-r } {}
semanage user {-m|--modify} {-R } {-r } {}
semanage user {-d|--delete}
semanage user {-l|--list} {-n|--noheader}

-a, --add
    Adds a new SELinux user mapping to the policy. Requires specifying an SELinux user, roles, range, and optionally a Linux user mapping.

-d, --delete
    Deletes an existing SELinux user mapping from the policy. Requires specifying the SELinux user to be deleted.

-m, --modify
    Modifies an existing SELinux user mapping in the policy. Allows changing the roles, range, or Linux user mapping associated with an SELinux user.

-l, --list
    Lists all currently defined SELinux user mappings and their associated properties (roles, range, Linux user mappings).

-R , --roles=
    Specifies a comma-separated list of SELinux roles that the SELinux user can assume. For example, 'sysadm_r,staff_r'.

-r , --range=
    Sets the MLS/MCS security range for the SELinux user. For example, 's0' or 's0:c0.c1023'.

-n, --noheader
    Used with -l to suppress the header line when listing SELinux user mappings, useful for scripting.

    The identifier for the SELinux user. This is a label within the SELinux policy, not necessarily a Linux username (e.g., 'user_u', 'staff_u').

    The Linux user or group that maps to the specified SELinux user. Often '__default__' for the default mapping, or a specific Linux username (e.g., 'john').

DESCRIPTION

The semanage user command is a crucial part of the SELinux policy management toolkit, enabling administrators to define and manage the mappings between Linux users and SELinux users. These mappings are fundamental for controlling the security context under which a user operates on an SELinux-enabled system.

An SELinux user is a label within the SELinux policy that dictates what roles and security contexts a Linux user can potentially assume. By creating, modifying, or deleting these mappings, semanage user allows for granular control over user permissions beyond traditional DAC (Discretionary Access Control). It also assigns specific SELinux roles and Multi-Level Security (MLS) or Multi-Category Security (MCS) ranges to an SELinux user, further restricting or enhancing their access capabilities within the system's security policy. This command is distinct from semanage login, which handles the mapping of specific Linux logins to SELinux users.

CAVEATS

Using semanage user requires root privileges. Misconfiguring SELinux user mappings, roles, or ranges can lead to denial of service, unexpected access restrictions, or potential security vulnerabilities. It's crucial to understand SELinux concepts before making significant changes. Changes made with semanage user are persistent across reboots.

SELINUX USER VS. LINUX USER

It's important to distinguish between a Linux user and an SELinux user. A Linux user is a traditional system account (e.g., 'john', 'root'). An SELinux user (e.g., 'user_u', 'staff_u') is an identity within the SELinux policy that determines what roles, contexts, and ultimately what permissions a Linux user can potentially assume. A Linux user is mapped to an SELinux user, often via semanage login, and that SELinux user is defined and configured with semanage user.

THE 'DEFAULT' MAPPING

When adding or modifying an SELinux user mapping, the argument can be set to '__default__'. This special mapping indicates that any Linux user not explicitly mapped to an SELinux user via semanage login will automatically be associated with this SELinux user. It serves as a fallback or generic mapping for unconfigured Linux users.

ROLES AND MLS/MCS RANGES

The -R (roles) and -r (range) options are critical for defining the capabilities of an SELinux user. Roles (e.g., 'user_r', 'staff_r') define the set of capabilities or domains that the SELinux user can transition into. The MLS/MCS range (e.g., 's0', 's0:c0.c1023') provides Multi-Level Security or Multi-Category Security, which adds another layer of access control based on sensitivity and categories, further refining what resources the user can access.

HISTORY

The semanage utility, of which semanage user is a subcommand, was introduced as part of the SELinux userspace tools to simplify the administration of SELinux policies. Prior to tools like semanage, modifying SELinux policy required direct manipulation of policy files or more complex processes. semanage was developed to provide a higher-level, more user-friendly interface for common policy tasks, including managing user mappings, and has been a staple in SELinux-enabled distributions since the early 2000s.