semanage-user(8)                                              semanage-user(8)

NAME
       semanage-user - SELinux Policy Management SELinux User mapping tool
SYNOPSIS
       semanage  user [-h] [-n] [-N] [-S STORE] [ --add ( -L LEVEL -R ROLES -r
       RANGE -s SEUSER selinux_name) | --delete selinux_name |  --deleteall  |
       --extract  |  --list  [-C]  |  --modify ( -L LEVEL -R ROLES -r RANGE -s
       SEUSER selinux_name ) ]

DESCRIPTION
       semanage is used to configure certain elements of SELinux policy
       without requiring modification to or recompilation from policy
       sources. semanage user controls the mapping between an SELinux User
       and the roles and MLS/MCS levels.

OPTIONS
       -h, --help
              show this help message and exit
       -n, --noheading
              Do not print heading when listing the specified object type
       -N, --noreload
              Do not reload policy after commit
       -S STORE, --store STORE
              Select an alternate SELinux Policy Store to manage
       -C, --locallist
              List local customizations
       -a, --add
              Add a record of the specified object type
       -d, --delete
              Delete a record of the specified object type
       -m, --modify
              Modify a record of the specified object type
       -l, --list
              List records of the specified object type
       -E, --extract
              Extract customizable commands, for use within a transaction
       -D, --deleteall
              Remove all local customizations
       -L LEVEL, --level LEVEL
              Default SELinux Level for SELinux user; defaults to s0.
              (MLS/MCS Systems only)
       -r RANGE, --range RANGE
              MLS/MCS Security Range (MLS/MCS Systems only). SELinux Range
              for SELinux login mapping defaults to the SELinux user record
              range. SELinux Range for SELinux user defaults to s0.
       -R [ROLES], --roles [ROLES]
              SELinux Roles. To give multiple roles, enclose them within
              quotes, separated by spaces, or specify -R multiple times.

EXAMPLE
       List SELinux users
       # semanage user -l
       Modify roles for staff_u user
       # semanage user -m -R "system_r unconfined_r staff_r" staff_u
       Add level for TopSecret Users
       # semanage user -a -R "staff_r" -r s0-TopSecret topsecret_u

NOTES
       SELinux  users  defined  in  the  policy  cannot be removed or directly
       altered. When the -m switch is used on such a user, semanage creates  a
       local  SELinux  user  of  the  same  name, which overrides the original
       SELinux user.
       As long as a login entry exists that links a local SELinux user to a
       Linux user, that local SELinux user cannot be removed (even if it
       represents a local modification of an SELinux user defined in policy).
       To remove a local modification of an SELinux user, you need to remove
       any related login mappings first. Follow these steps:
              1) Remove all login entries concerning the SELinux user.
                 To list local customizations of login entries execute:
                 # semanage login -l -C
                 or, to print them in semanage command form:
                 # semanage login --extract
              2) Remove the SELinux user
              3) Optionally reintroduce removed login entries
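
       The three steps above as an added example (not part of the original
       man page): a POSIX shell function that turns `semanage login
       --extract` output into an ordered plan to review before running. The
       function names, the sample input and the assumed extract line format
       `login -a -s SEUSER [-r 'RANGE'] LOGIN_NAME` are assumptions of this
       example.

```shell
#!/bin/sh
# Added example: build a reviewable plan for NOTES steps 1-3 from
# `semanage login --extract` output. Nothing is executed here.
# Assumption: extract lines look like
#   login -a -s SEUSER [-r 'RANGE'] LOGIN_NAME

# Constructed sample input (not taken from a real system).
sample_extract() {
    cat <<'EOF'
login -a -s staff_u -r 's0-s0:c0.c1023' alice
login -a -s user_u bob
login -a -s staff_u %wheel
EOF
}

# plan_user_removal SEUSER   (extract output on stdin, plan on stdout)
plan_user_removal() {
    target=$1
    deletes='' readds=''
    nl='
'
    while IFS= read -r line; do
        case $line in "login -a "*) ;; *) continue ;; esac
        set -f              # no glob expansion while word-splitting
        set -- $line
        set +f
        seuser='' name=''
        while [ $# -gt 0 ]; do
            if [ "$1" = "-s" ] && [ $# -gt 1 ]; then seuser=$2; fi
            name=$1         # the last word is the login name
            shift
        done
        [ "$seuser" = "$target" ] || continue
        deletes="${deletes}semanage login -d ${name}${nl}"
        readds="${readds}semanage ${line}${nl}"
    done
    printf '# 1) remove login entries mapped to %s\n%s' "$target" "$deletes"
    printf '# 2) remove the local SELinux user\nsemanage user -d %s\n' "$target"
    printf '# 3) optional: reintroduce the removed login entries\n%s' "$readds"
}

# On a real host: semanage login --extract | plan_user_removal staff_u
sample_extract | plan_user_removal staff_u
```

       Step 3 of the plan only succeeds when the removed record was a local
       modification of a policy-defined SELinux user, since a login entry
       can only be mapped to an SELinux user that still exists.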

SEE ALSO
       selinux(8), semanage(8), semanage-login(8)

AUTHOR
       This man page was written by Daniel Walsh <dwalsh AT redhat.com>

                                   20130617                   semanage-user(8)