semanage-login(8) — Linux manual page


semanage-login(8)                                      semanage-login(8)

NAME         top

       semanage-login - SELinux Policy Management linux user to SELinux
       User mapping tool

SYNOPSIS         top

       semanage login [-h] [-n] [-N] [-S STORE] [ --add -s SEUSER -r
       RANGE LOGIN | --delete LOGIN | --deleteall | --extract | --list
       [-C] | --modify -s SEUSER -r RANGE LOGIN ]

DESCRIPTION         top

       semanage is used to configure certain elements of SELinux policy
       without requiring modification to or recompilation from policy
       sources.  semanage login controls the mapping between a Linux
       User and the SELinux User. It can be used to turn on confined
       users. For example you could define that a particular user or
       group of users will login to a system as the user_u user. Prefix
       the group name with a '%' sign to indicate a group name.

OPTIONS         top

       -h, --help
              Show this help message and exit

       -n, --noheading
              Do not print heading when listing the specified object

       -N, --noreload
              Do not reload policy after commit

       -C, --locallist
              List local customizations

       -S STORE, --store STORE
              Select an alternate SELinux Policy Store to manage

       -a, --add
              Add a record of the specified object type

       -d, --delete
              Delete a record of the specified object type

       -m, --modify
              Modify a record of the specified object type

       -l, --list
              List records of the specified object type

       -E, --extract
              Extract customizable commands, for use within a

       -D, --deleteall
              Remove all local customizations

       -s SEUSER, --seuser SEUSER
              SELinux user name

       -r RANGE, --range RANGE
              MLS/MCS Security Range (MLS/MCS Systems only) SELinux
              Range for SELinux login mapping defaults to the SELinux
              user record range. SELinux Range for SELinux user defaults
              to s0.

EXAMPLE         top

       Set the default SELinux user on the system to guest_u
       # semanage login -m -s guest_u __default__
       Map user gijoe to SELinux user staff_u and assign MLS range SystemLow-Secret
       # semanage login -a -s staff_u -rSystemLow-Secret gijoe
       Map all users in the engineering group to SELinux user staff_u
       # semanage login -a -s staff_u %engineering

SEE ALSO         top

       selinux(8), semanage(8), semanage-user(8)

AUTHOR         top

       This man page was written by Daniel Walsh <>

COLOPHON         top

       This page is part of the selinux (Security-Enhanced Linux user-
       space libraries and tools) project.  Information about the
       project can be found at 
       ⟨⟩.  If you have a
       bug report for this manual page, see
       This page was obtained from the project's upstream Git repository
       ⟨⟩ on 2023-12-22.  (At
       that time, the date of the most recent commit that was found in
       the repository was 2023-05-11.)  If you discover any rendering
       problems in this HTML version of the page, or you believe there
       is a better or more up-to-date source for the page, or you have
       corrections or improvements to the information in this COLOPHON
       (which is not part of the original manual page), send a mail to

                                20130617               semanage-login(8)

Pages that refer to this page: semanage(8)semanage-user(8)