semanage-user(8)                                              semanage-user(8)

NAME
       semanage-user - SELinux Policy Management SELinux User mapping tool

SYNOPSIS
       semanage user [-h] [-n] [-N] [-S STORE] [ --add ( -L LEVEL -R ROLES -r
       RANGE -s SEUSER selinux_name) | --delete selinux_name | --deleteall |
       --extract | --list [-C] | --modify ( -L LEVEL -R ROLES -r RANGE -s
       SEUSER selinux_name ) ]

DESCRIPTION
       semanage is used to configure certain elements of SELinux policy
       without requiring modification to or recompilation from policy sources.
       semanage user controls the mapping between an SELinux User and the
       roles and MLS/MCS levels.

OPTIONS
       -h, --help
              Show this help message and exit

       -n, --noheading
              Do not print heading when listing the specified object type

       -N, --noreload
              Do not reload policy after commit

       -S STORE, --store STORE
              Select an alternate SELinux Policy Store to manage

       -C, --locallist
              List local customizations

       -a, --add
              Add a record of the specified object type

       -d, --delete
              Delete a record of the specified object type

       -m, --modify
              Modify a record of the specified object type

       -l, --list
              List records of the specified object type

       -E, --extract
              Extract customizable commands, for use within a transaction

       -D, --deleteall
              Remove all local customizations

       -L LEVEL, --level LEVEL
              Default SELinux Level for the SELinux user; defaults to s0.
              (MLS/MCS Systems only)

       -r RANGE, --range RANGE
              MLS/MCS Security Range (MLS/MCS Systems only). SELinux Range for
              SELinux login mapping defaults to the SELinux user record range.
              SELinux Range for SELinux user defaults to s0.

       -R [ROLES], --roles [ROLES]
              SELinux Roles. Enclose multiple roles within quotes, separated
              by spaces, or specify -R multiple times.

EXAMPLE
       List SELinux users
       # semanage user -l
       Modify groups for staff_u user
       # semanage user -m -R "system_r unconfined_r staff_r" staff_u
       Add level for TopSecret Users
       # semanage user -a -R "staff_r" -rs0-TopSecret topsecret_u

NOTES
       SELinux users defined in the policy cannot be removed or directly
       altered. When the -m switch is used on such a user, semanage creates a
       local SELinux user of the same name, which overrides the original
       SELinux user.

       As long as a login entry exists that links a local SELinux user to a
       Linux user, that local SELinux user cannot be removed (even if it
       represents a local modification of an SELinux user defined in policy).
       To remove a local modification of an SELinux user, you need to remove
       any related login mapping first. Follow these steps:

       1) Remove all login entries concerning the SELinux user.
          To list local customizations of login entries execute:
          # semanage login -l -C
          or, in semanage command form:
          # semanage login --extract
       2) Remove the SELinux user
       3) Optionally reintroduce removed login entries
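
The three steps above as a dry-run planner. This is an added example, not part of the original man page or of semanage: `plan_user_removal` and `sample_extract` are hypothetical helper names, the sample input is constructed, and the `login -a -s SEUSER [-r RANGE] LOGIN` line shape of `semanage login --extract` output is an assumption to verify on your system.

```shell
#!/bin/sh
# Added example: plan the NOTES procedure for one SELinux user.
# Reads `semanage login --extract` output on stdin and prints the commands
# to run, in order. It executes nothing itself, so the plan can be reviewed.
plan_user_removal() {
    seuser=$1
    awk -v u="$seuser" '
        # Assumed extract line shape: login -a -s SEUSER [-r RANGE] LOGIN
        $1 == "login" && $2 == "-a" {
            for (i = 3; i < NF; i++)
                if ($i == "-s" && $(i + 1) == u) {
                    n++
                    del[n] = "semanage login -d " $NF   # LOGIN is the last field
                    add[n] = "semanage " $0             # replayable original line
                    break
                }
        }
        END {
            for (i = 1; i <= n; i++) print del[i]   # step 1: drop login mappings
            print "semanage user -d " u             # step 2: remove local user
            for (i = 1; i <= n; i++) print add[i]   # step 3: optional re-add
        }'
}

# Constructed sample of `semanage login --extract` output (not real data).
sample_extract() {
    cat <<'EOF'
login -D
login -a -s staff_u -r 's0-s0:c0.c1023' alice
login -a -s user_u -r 's0' bob
login -a -s staff_u -r 's0' %wheel
EOF
}

# Demo: plan removal of the local modification of staff_u.
sample_extract | plan_user_removal staff_u
```

On a live system, feed it `semanage login --extract` as root. The step 3 lines only succeed when the SELinux user still exists after step 2, which is the case for a local modification of a policy-defined user.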

SEE ALSO
       selinux(8), semanage(8), semanage-login(8)

AUTHOR
       This man page was written by Daniel Walsh <dwalsh@redhat.com>

                                   20130617                   semanage-user(8)