If a Linux user is mapped to the SELinux unconfined_u user (the default behavior), and you would like to change which SELinux user they are mapped to, use the semanage login command. The following example creates a new Linux user named newuser, then maps that Linux user to the SELinux user_u user:
As the Linux root user, run the /usr/sbin/useradd newuser command to create a new Linux user (newuser). Since this user uses the default mapping, it does not appear in the /usr/sbin/semanage login -l output:
# /usr/sbin/semanage login -l
Login Name SELinux User MLS/MCS Range
__default__ unconfined_u s0-s0:c0.c1023
root unconfined_u s0-s0:c0.c1023
system_u system_u s0-s0:c0.c1023
To map the Linux newuser user to the SELinux user_u user, run the following command as the Linux root user:
/usr/sbin/semanage login -a -s user_u newuser
The -a option adds a new record, and the -s option specifies the SELinux user to map a Linux user to. The last argument, newuser, is the Linux user you want mapped to the specified SELinux user.
To view the mapping between the Linux newuser user and user_u, run the semanage login -l command as the Linux root user:
# /usr/sbin/semanage login -l
Login Name SELinux User MLS/MCS Range
__default__ unconfined_u s0-s0:c0.c1023
newuser user_u s0
root unconfined_u s0-s0:c0.c1023
system_u system_u s0-s0:c0.c1023
As the Linux root user, run the passwd newuser command to assign a password to the Linux newuser user:
# passwd newuser
Changing password for user newuser.
New UNIX password: Enter a password
Retype new UNIX password: Enter the same password again
passwd: all authentication tokens updated successfully.
Log out of your current session, and log in as the Linux newuser user. Run the id -Z command to view the newuser's SELinux context:
[newuser@rlocalhost ~]$ id -Z
user_u:user_r:user_t:s0
Log out of the Linux newuser's session, and log back in with your account. If you do not want the Linux newuser user, run the userdel -r newuser command as the Linux root user to remove it, along with its home directory. Also, the mapping between the Linux newuser user and user_u is removed:
# /usr/sbin/userdel -r newuser
# /usr/sbin/semanage login -l
Login Name SELinux User MLS/MCS Range
__default__ unconfined_u s0-s0:c0.c1023
root unconfined_u s0-s0:c0.c1023
system_u system_u s0-s0:c0.c1023