security

SELinux User Mapping

Manage SELinux user context mapping for IPA users on client systems. SELinux user maps assign SELinux user contexts to IPA users and hosts, controlling the SELinux domain users run in. Features include user and host category specification, SELinux user assignment (guest_u, user_u, staff_u, etc.), priority ordering, enable/disable controls, and integration with SSSD for applying SELinux contexts during user login.

11 commands
security

Map IPA users to SELinux users by host.

Hosts, hostgroups, users and groups can be either defined within the rule or it may point to an existing HBAC rule. When using —hbacrule option to selinuxusermap-find an exact match is made on the HBAC rule name, so only one or zero entries will be returned.

EXAMPLES

Create a rule, “test1”, that sets all users to xguest_u:s0 on the host “server”:

ipa selinuxusermap-add --usercat=all --selinuxuser=xguest_u:s0 test1
ipa selinuxusermap-add-host --hosts=server.example.com test1

Create a rule, “test2”, that sets all users to guest_u:s0 and uses an existing HBAC rule for users and hosts:

ipa selinuxusermap-add --usercat=all --hbacrule=webserver --selinuxuser=guest_u:s0 test2

Display the properties of a rule:

ipa selinuxusermap-show test2

Create a rule for a specific user. This sets the SELinux context for

user john to unconfined_u:s0-s0:c0.c1023 on any machine:

ipa selinuxusermap-add --hostcat=all --selinuxuser=unconfined_u:s0-s0:c0.c1023 john_unconfined
ipa selinuxusermap-add-user --users=john john_unconfined

Disable a rule:

ipa selinuxusermap-disable test1

Enable a rule:

ipa selinuxusermap-enable test1

Find a rule referencing a specific HBAC rule:

ipa selinuxusermap-find --hbacrule=allow_some

Remove a rule:

ipa selinuxusermap-del john_unconfined

SEEALSO

The list controlling the order in which the SELinux user map is applied

and the default SELinux user are available in the config-show command.

Use Cases

1. Restricting Contractors to Guest Context

Assign contractors to restrictive SELinux guest context to limit system access.

# Create contractor group if not exists
ipa group-add contractors --desc="External contractor accounts"
ipa group-add-member contractors --users=jdoe,asmith

# Create SELinux user map for contractors
ipa selinuxusermap-add contractor-restrict \
  --selinuxuser=guest_u:s0 \
  --hostcat=all \
  --desc="Contractors run as guest_u on all systems"

# Add contractors group to rule
ipa selinuxusermap-add-user contractor-restrict --groups=contractors

# Verify rule
ipa selinuxusermap-show contractor-restrict

# When contractor logs in, SSSD applies guest_u context
# guest_u is very restrictive: no network access, no X11, limited file access

2. Assigning Staff Context to System Administrators

Grant system administrators staff_u context for elevated but still controlled access.

# Create sysadmin SELinux mapping
ipa selinuxusermap-add sysadmin-staff \
  --selinuxuser=staff_u:s0-s0:c0.c1023 \
  --hostcat=all \
  --desc="System administrators run as staff_u"

# Add sysadmin group
ipa selinuxusermap-add-user sysadmin-staff --groups=sysadmins

# staff_u allows sudo to sysadm_t domain
# Provides separation between normal and administrative tasks

3. Using HBAC Rule Integration

Reuse existing HBAC rule logic for SELinux user mapping.

# Assume HBAC rule "webserver-access" already defines
# which users can access which web servers

# Create SELinux map referencing HBAC rule
ipa selinuxusermap-add webserver-context \
  --selinuxuser=user_u:s0 \
  --hbacrule=webserver-access \
  --desc="Web server admins get user_u context"

# Users, groups, hosts, and hostgroups automatically
# inherited from HBAC rule "webserver-access"

# Verify the association
ipa selinuxusermap-show webserver-context

4. Developer Workstation Unconfined Access

Grant developers unconfined SELinux context on development workstations.

# Create developer workstation hostgroup
ipa hostgroup-add dev-workstations \
  --desc="Developer desktop and laptop systems"
ipa hostgroup-add-member dev-workstations \
  --hosts=devbox01.example.com,devbox02.example.com

# Create SELinux map for developers on dev workstations
ipa selinuxusermap-add developer-unconfined \
  --selinuxuser=unconfined_u:s0-s0:c0.c1023 \
  --desc="Developers run unconfined on dev workstations"

# Add developer group and dev workstation hostgroup
ipa selinuxusermap-add-user developer-unconfined --groups=developers
ipa selinuxusermap-add-host developer-unconfined --hostgroups=dev-workstations

# On production servers, developers get more restrictive context
# via different rule with higher priority

5. Kiosk Mode with Xguest Context

Configure public kiosk systems with highly restrictive xguest_u SELinux context.

# Create hostgroup for kiosk systems
ipa hostgroup-add kiosks --desc="Public kiosk terminals"
ipa hostgroup-add-member kiosks --hosts=kiosk01.example.com,kiosk02.example.com

# Create kiosk user account
ipa user-add kiosk --first=Kiosk --last=User \
  --password  # Set simple password

# Create SELinux map for kiosk user
ipa selinuxusermap-add kiosk-xguest \
  --selinuxuser=xguest_u:s0 \
  --desc="Kiosk terminals run as xguest_u"

ipa selinuxusermap-add-user kiosk-xguest --users=kiosk
ipa selinuxusermap-add-host kiosk-xguest --hostgroups=kiosks

# xguest_u provides:
# - Firefox allowed but cannot save files
# - No network except HTTP/HTTPS
# - Cannot execute files from home directory
# - Minimal system access

6. Managing Rule Priority with Order

Control SELinux user map application order when multiple rules match.

# Check current order configuration
ipa config-show | grep "SELinux user map order"

# Default order processes rules from config-show output
# More specific rules should be processed before general ones

# Example: specific rule for DBAs on database servers
ipa selinuxusermap-add dba-dbservers \
  --selinuxuser=staff_u:s0-s0:c0.c1023 \
  --desc="DBAs on database servers get staff_u"
ipa selinuxusermap-add-user dba-dbservers --groups=dbas
ipa selinuxusermap-add-host dba-dbservers --hostgroups=database-servers

# General rule for all DBAs on other systems (lower priority)
ipa selinuxusermap-add dba-default \
  --selinuxuser=user_u:s0 \
  --hostcat=all \
  --desc="DBAs on non-database systems get user_u"
ipa selinuxusermap-add-user dba-default --groups=dbas

# First matching rule wins; ensure specific rules listed first in order
# Modify order with: ipa config-mod --selinuxusermaporder=...

7. Temporarily Disabling SELinux Mapping Rule

Disable rule for testing or troubleshooting without deleting configuration.

# Disable rule temporarily
ipa selinuxusermap-disable contractor-restrict

# Verify rule is disabled
ipa selinuxusermap-show contractor-restrict | grep Enabled
# Should show: Enabled: FALSE

# Users affected by this rule now fall through to next matching rule
# or default SELinux user from config-show

# After testing, re-enable
ipa selinuxusermap-enable contractor-restrict

# Verify re-enabled
ipa selinuxusermap-show contractor-restrict | grep Enabled
# Should show: Enabled: TRUE

8. Auditing Current SELinux User Mapping Configuration

Review all SELinux user maps for security audit or documentation.

# List all SELinux user maps
ipa selinuxusermap-find --sizelimit=0

# Generate detailed report for each rule
for rule in $(ipa selinuxusermap-find --pkey-only | grep "Rule name:" | awk '{print $3}'); do
  echo "==================================="
  echo "Rule: $rule"
  echo "==================================="
  ipa selinuxusermap-show "$rule"
  echo ""
done > selinux-maps-audit.txt

# Check default SELinux user for unmapped users
ipa config-show | grep -i selinux

cat selinux-maps-audit.txt

9. Setting User-Specific SELinux Context

Assign specific SELinux context to individual user across all or specific hosts.

# Security officer needs sysadm_u context everywhere
ipa selinuxusermap-add secoff-sysadm \
  --selinuxuser=sysadm_u:s0-s0:c0.c1023 \
  --hostcat=all \
  --desc="Security officer gets sysadm_u context"

ipa selinuxusermap-add-user secoff-sysadm --users=security-officer

# When security-officer logs in anywhere, gets sysadm_u
# This is most privileged SELinux user context

10. Testing SELinux User Map Application

Verify SELinux user mapping works correctly on client system.

# On IPA client, force SSSD cache refresh
sudo sss_cache -E

# Check what SELinux context user will get
sudo sss_cache -u testuser
id -Z testuser
# Should show: user_u:user_r:user_t:s0 (or configured context)

# Test actual login
ssh testuser@client.example.com
id -Z
# Should show configured SELinux context from mapping rule

# Check SSSD logs for SELinux mapping
sudo tail -f /var/log/sssd/sssd_example.com.log | grep -i selinux

# Verify which rule matched
ipa selinuxusermap-find --users=testuser
ipa selinuxusermap-find --groups=testuser-group

Security Considerations

1. Unconfined Context Assignment Risks

Assigning unconfined_u SELinux context removes mandatory access control protections.

  • unconfined_u bypasses SELinux policy enforcement, similar to SELinux permissive mode
  • Users with unconfined_u can access any file their DAC permissions allow
  • Compromise of unconfined_u user account provides attacker minimal SELinux restrictions
  • Limit unconfined_u to highly trusted users on development/test systems only
  • Production systems should use confined contexts (user_u, staff_u) wherever possible

2. Guest Context Escape Attempts

guest_u and xguest_u contexts are restrictive; users may attempt to bypass limitations.

  • Guest users cannot run programs from home directory; may try /tmp or /dev/shm
  • xguest_u blocks most network access but users may attempt port forwarding or tunneling
  • Monitor for guest user attempts to execute unauthorized programs
  • Review SELinux AVCs (Access Vector Cache) denials regularly: ausearch -m avc
  • Enable SELinux boolean restrictions to further harden guest contexts

3. Rule Priority Confusion

When multiple SELinux user maps match a user, only first matching rule applies.

  • Rule order configured in ipa config-show output determines precedence
  • Unintended rule order may grant excessive or insufficient privileges
  • Specific rules (particular users/hosts) should be ordered before general rules (categories)
  • Test rule changes with non-privileged test account before production deployment
  • Document rule priority design in security architecture documentation

4. HBAC Rule Coupling Complexity

Using --hbacrule option couples SELinux mapping to HBAC rule lifecycle.

  • Changes to HBAC rule membership automatically change SELinux map scope
  • Deleting HBAC rule may break SELinux map (verify behavior)
  • Difficult to audit which users get which SELinux context without evaluating HBAC rules
  • Prefer explicit user/group/host specification for SELinux maps unless HBAC coupling intentional
  • Document HBAC rule dependencies in SELinux map descriptions

5. Default SELinux User Fallback

Users not matching any SELinux user map receive default context from IPA configuration.

  • Default SELinux user configured in ipa config-show (typically unconfined_u or user_u)
  • Overly permissive default grants excessive privileges to unmatched users
  • Set default to most restrictive context appropriate for environment (user_u or guest_u)
  • Explicitly map all user populations; don’t rely on default for important users
  • Monitor unmapped users: compare user list to SELinux map coverage

6. SELinux Context Privilege Escalation

staff_u and sysadm_u contexts allow privilege escalation through sudo.

  • staff_u can sudo to sysadm_t domain, gaining root-equivalent SELinux privileges
  • sysadm_u has broad SELinux privileges; compromise is severe
  • Even with SELinux, sudo configuration still critical for authorization
  • Assign staff_u/sysadm_u only to users who need sudo access
  • Combine SELinux user maps with restrictive sudo rules for defense in depth

7. Client-Side SELinux Enforcement Dependency

SELinux user mapping relies on client systems having SELinux enabled and enforcing.

  • Clients with SELinux disabled or permissive ignore SELinux user maps entirely
  • Users can boot single-user mode or live media to bypass SELinux enforcement
  • SELinux provides defense-in-depth, not perimeter security
  • Deploy configuration management to enforce SELinux enabled on all clients
  • Physical security critical for workstations; SELinux cannot prevent physical access attacks

8. Category All Overuse

Using --usercat=all or --hostcat=all creates overly broad rules.

  • Broad categories make rules harder to reason about and audit
  • New users or hosts automatically included in broad category rules
  • Changes to user population affect SELinux context assignment unexpectedly
  • Prefer explicit user groups and host groups for precise control
  • Use categories only for truly universal policies (e.g., “all users on kiosks get xguest_u”)

9. MLS/MCS Range Misconfigurations

Multi-Level Security (MLS) and Multi-Category Security (MCS) ranges require careful configuration.

  • Incorrect MCS ranges can prevent users from accessing their own files
  • s0-s0:c0.c1023 is typical range for full MCS access
  • Single-level labels (e.g., user_u:s0) restrict access to files labeled s0 only
  • MLS/MCS label mismatches cause “Permission denied” even with correct DAC permissions
  • Test MCS configurations in non-production environment before deployment

10. Disabled Rule Management

Disabled SELinux user maps remain in configuration but don’t apply; can cause confusion.

  • Administrators may forget disabled rules exist and create duplicate rules
  • Re-enabling old disabled rule may have unintended effects if environment changed
  • Disabled rules should be documented with reason and date in description field
  • Periodically review disabled rules; delete if no longer needed
  • Consider deleting instead of disabling unless rule re-enablement anticipated soon

11. SELinux User Map Bypass via Local Override

Local /etc/selinux/targeted/seusers file can override IPA SELinux user maps.

  • SSSD respects local seusers entries over IPA-provided mappings
  • Attacker with root on client can modify local seusers to change own context
  • Configuration management should enforce no local seusers modifications
  • Monitor /etc/selinux/targeted/seusers for unauthorized changes
  • Root compromise on client always grants full control regardless of SELinux maps

12. Audit and Logging Limitations

SELinux user map application not explicitly logged in IPA audit trail.

  • IPA logs map creation/modification/deletion but not per-login application
  • SSSD logs on client show which mapping applied but logs may not be centralized
  • Difficult to audit “who had what SELinux context where and when” historically
  • Centralize SSSD logs from all clients to SIEM for security analysis
  • Correlate SSSD SELinux mapping logs with authentication logs for complete picture

Troubleshooting

1. SELinux Context Not Applied on Client

Symptom: User logs in but receives default SELinux context instead of mapped context from IPA rule.

Diagnosis:

# On IPA server, verify rule exists and is enabled
ipa selinuxusermap-find --users=testuser
ipa selinuxusermap-show rule-name

# On client, check SSSD configuration
sudo cat /etc/sssd/sssd.conf | grep selinux
# Should have: selinux_provider = ipa

# Check if SSSD retrieving SELinux maps
sudo sss_cache -E
sudo systemctl restart sssd
id -Z testuser

Resolution:

  • Ensure selinux_provider = ipa set in /etc/sssd/sssd.conf on client
  • Verify rule is enabled: ipa selinuxusermap-show rule-name | grep Enabled
  • Check user/host membership in rule matches
  • Force SSSD cache refresh: sudo sss_cache -E
  • Review SSSD logs: sudo tail -f /var/log/sssd/sssd_example.com.log

2. Multiple Rules Match - Wrong One Applied

Symptom: User has SELinux context from unexpected rule; multiple rules match user/host.

Diagnosis:

# Find all rules matching user
ipa selinuxusermap-find --users=testuser
ipa selinuxusermap-find --groups=testuser-group

# Check rule order configuration
ipa config-show | grep "SELinux user map order"

# First matching rule in order wins

Resolution:

  • Review rule order from ipa config-show output
  • First matching rule in order is applied; subsequent matches ignored
  • Reorder rules with ipa config-mod --selinuxusermaporder=rule1,rule2,rule3
  • More specific rules should come before general rules
  • Add --desc to rules explaining priority rationale

3. Permission Denied Despite Correct DAC Permissions

Symptom: User cannot access files they own; SELinux denials in audit log.

Diagnosis:

# Check SELinux context of user
id -Z

# Check SELinux context of file
ls -Z /path/to/file

# Search for SELinux denials
sudo ausearch -m avc -ts recent

# Check if SELinux enforcing
getenforce

Resolution:

  • Verify user’s SELinux context matches required context for file access
  • MLS/MCS level mismatch common cause: user at s0 cannot access s0:c0.c1023 files
  • Check if SELinux boolean needs enabling: getsebool -a | grep user
  • May need to relabel files: restorecon -Rv /path/to/directory
  • Review SELinux user map; ensure correct context assigned

4. SELinux User Map Not Appearing in Find Results

Symptom: Created SELinux user map but cannot find it with selinuxusermap-find.

Diagnosis:

# Try showing by exact name
ipa selinuxusermap-show exact-rule-name

# List all rules without filter
ipa selinuxusermap-find --sizelimit=0

# Check if replication delayed
ipa-replica-manage list

Resolution:

  • Verify rule name spelling; rule names case-sensitive
  • Check replication status if multi-master deployment
  • Rule may have been created on different server and not yet replicated
  • Wait 30 seconds and retry; replication typically fast
  • Use --all flag to see all attributes: ipa selinuxusermap-show rule-name --all

5. Cannot Add User to SELinux User Map

Symptom: selinuxusermap-add-user fails with “user not found” error.

Diagnosis:

# Verify user exists
ipa user-show username

# Verify group exists if adding group
ipa group-show groupname

# Check for typos in username/groupname
ipa user-find username
ipa group-find groupname

Resolution:

  • User or group must exist in IPA before adding to SELinux user map
  • Create user/group first: ipa user-add or ipa group-add
  • Use exact username/groupname as shown in ipa user-find / ipa group-find
  • Cannot add external users directly; add external users to group, then add group to map

6. Cannot Use Both Category and Explicit Members

Symptom: Error when trying to add specific users after setting --usercat=all.

Diagnosis:

# Check current rule configuration
ipa selinuxusermap-show rule-name

# Category "all" is mutually exclusive with explicit members

Resolution:

  • Cannot mix --usercat=all with specific --users or --groups
  • Cannot mix --hostcat=all with specific --hosts or --hostgroups
  • Choose either category “all” or explicit member list, not both
  • Remove category: ipa selinuxusermap-mod rule-name --usercat=
  • Then add explicit members: ipa selinuxusermap-add-user rule-name --users=user1

7. HBAC Rule Changes Not Reflected in SELinux Map

Symptom: Modified HBAC rule but SELinux map still uses old membership.

Diagnosis:

# Show SELinux map with HBAC rule association
ipa selinuxusermap-show selinux-rule-name

# Show associated HBAC rule
ipa hbacrule-show hbac-rule-name

# On client, check SSSD cache age
sudo sss_cache -E

Resolution:

  • SSSD caches SELinux map data; refresh cache: sudo sss_cache -E
  • Restart SSSD if cache refresh insufficient: sudo systemctl restart sssd
  • HBAC rule changes immediately affect SELinux map on server side
  • Client-side caching delays propagation; cache refresh forces update
  • Default cache timeout varies; check sssd.conf entry_cache_timeout

8. Guest User Can Execute Programs from Home

Symptom: User assigned guest_u context but can still execute binaries from home directory.

Diagnosis:

# Verify user's actual SELinux context
id -Z

# Check SELinux booleans for guest users
getsebool -a | grep guest

# Try executing program from home
~/test.sh  # Should be denied if guest_u working correctly

Resolution:

  • Verify user actually has guest_u context; check id -Z
  • SELinux boolean may allow guest execution: check guest_exec_content
  • Disable: sudo setsebool -P guest_exec_content off
  • Check if SELinux enforcing: getenforce (should be “Enforcing”)
  • Review file context: files in home may be mislabeled

9. Unconfined User Still Getting SELinux Denials

Symptom: User assigned unconfined_u but still receives permission denied from SELinux.

Diagnosis:

# Verify user's context
id -Z
# Should show: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

# Check recent denials
sudo ausearch -m avc -ts recent | grep unconfined

# Verify SELinux mode
getenforce

Resolution:

  • Even unconfined_u has some restrictions (e.g., cannot modify SELinux policy)
  • Verify user’s domain is unconfined_t; some policies use different domains
  • Check MCS label: unconfined_u:s0 is more restricted than unconfined_u:s0-s0:c0.c1023
  • True unconfined access requires both correct user (unconfined_u) and range (s0-s0:c0.c1023)
  • Review specific denial in audit log; may indicate legitimate SELinux enforcement

10. SELinux Map Order Configuration Not Persisting

Symptom: Modified SELinux user map order with config-mod but order resets after replication.

Diagnosis:

# Check current order
ipa config-show | grep "SELinux user map order"

# Modify order
ipa config-mod --selinuxusermaporder=rule1,rule2,rule3

# Verify immediately
ipa config-show | grep "SELinux user map order"

# Check on other replica
ssh ipa02.example.com
ipa config-show | grep "SELinux user map order"

Resolution:

  • Config changes replicate normally; wait for replication if multi-master
  • Order is comma-separated list of rule names; verify exact spelling
  • Check replication status: ipa-replica-manage list
  • Order includes only enabled rules; disabled rules ignored in ordering
  • All rule names in order must exist or config-mod fails

11. Cannot Delete SELinux User Map - In Use

Symptom: selinuxusermap-del fails indicating rule is in use.

Diagnosis:

# Show rule details
ipa selinuxusermap-show rule-name --all

# Check if rule has members
ipa selinuxusermap-show rule-name

# Check if referenced by other configuration
ipa config-show | grep rule-name

Resolution:

  • First remove all users and hosts from rule
  • Then disable rule: ipa selinuxusermap-disable rule-name
  • Remove from order if present: ipa config-mod --selinuxusermaporder=...
  • Then delete: ipa selinuxusermap-del rule-name
  • If still failing, use --continue flag to force deletion

12. SELinux Context Prevents SSH Login

Symptom: User cannot SSH to system; connection rejected or immediately disconnected.

Diagnosis:

# Check SSH daemon SELinux context requirements
sudo ausearch -m avc -ts recent | grep sshd

# Check user's assigned SELinux context
id -Z username

# Review SSH logs
sudo tail -f /var/log/secure

Resolution:

  • Some SELinux users (guest_u, xguest_u) may be restricted from SSH depending on policy
  • Check SELinux boolean: getsebool -a | grep ssh
  • May need: sudo setsebool -P ssh_sysadm_login on for sysadm_u SSH access
  • Verify sshd_t domain allows user’s SELinux user type
  • Consider less restrictive context if SSH required (user_u instead of guest_u)

13. Description Field Truncated or Not Displaying

Symptom: SELinux user map description not showing completely.

Diagnosis:

# Show with --all flag
ipa selinuxusermap-show rule-name --all

# Check description length
ipa selinuxusermap-show rule-name | grep Description

Resolution:

  • Default output may truncate long descriptions; use --all flag for complete output
  • Description field has length limit (typically 1024 chars)
  • Very long descriptions may need to be in external documentation
  • Update description: ipa selinuxusermap-mod rule-name --desc="New description"

14. SELinux User Map Works on Some Clients But Not Others

Symptom: Same user gets correct SELinux context on some clients but not others.

Diagnosis:

# On working client
cat /etc/sssd/sssd.conf | grep selinux
id -Z username

# On broken client
cat /etc/sssd/sssd.conf | grep selinux
id -Z username

# Check SSSD version
sssd --version

Resolution:

  • Verify /etc/sssd/sssd.conf has selinux_provider = ipa on broken client
  • Check SSSD version consistency; old SSSD may not support SELinux mapping
  • Minimum SSSD version for IPA SELinux mapping: 1.9.0+
  • Restart SSSD on broken client: sudo systemctl restart sssd
  • Review client SELinux policy version; may need updates

15. Testing Rule Before Production Deployment

Symptom: Want to test SELinux user map without affecting production users.

Diagnosis:

# Create test user
ipa user-add testselinux --first=Test --last=SELinux

# Create test rule
ipa selinuxusermap-add test-rule \
  --selinuxuser=staff_u:s0-s0:c0.c1023 \
  --hostcat=all

# Add only test user
ipa selinuxusermap-add-user test-rule --users=testselinux

Resolution:

  • Create rule targeting test user or test hostgroup only
  • Test on non-production client system first
  • SSH as test user and verify context: ssh testuser@testclient.example.com id -Z
  • Check application behavior with assigned context
  • After successful testing, modify rule to add production users/groups
  • Keep test rule disabled when not actively testing: ipa selinuxusermap-disable test-rule

Commands

selinuxusermap-add

Usage: ipa [global-options] selinuxusermap-add NAME [options]

Create a new SELinux User Map.

Arguments

ArgumentRequiredDescription
NAMEyesRule name

Options

OptionDescription
--selinuxuser SELINUXUSERSELinux User
--hbacrule HBACRULEHBAC Rule that defines the users, groups and hostgroups
--usercat USERCATUser category the rule applies to
--hostcat HOSTCATHost category the rule applies to
--desc DESCDescription
--setattr SETATTRSet an attribute to a name/value pair. Format is attr=value.
--addattr ADDATTRAdd an attribute/value pair. Format is attr=value. The attribute
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--no-membersSuppress processing of membership attributes.

selinuxusermap-add-host

Usage: ipa [global-options] selinuxusermap-add-host NAME [options]

Add target hosts and hostgroups to an SELinux User Map rule.

Arguments

ArgumentRequiredDescription
NAMEyesRule name

Options

OptionDescription
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--no-membersSuppress processing of membership attributes.
--hosts HOSTShosts to add
--hostgroups HOSTGROUPShost groups to add

selinuxusermap-add-user

Usage: ipa [global-options] selinuxusermap-add-user NAME [options]

Add users and groups to an SELinux User Map rule.

Arguments

ArgumentRequiredDescription
NAMEyesRule name

Options

OptionDescription
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--no-membersSuppress processing of membership attributes.
--users USERSusers to add
--groups GROUPSgroups to add

selinuxusermap-del

Usage: ipa [global-options] selinuxusermap-del NAME [options]

Delete a SELinux User Map.

Arguments

ArgumentRequiredDescription
NAMEyesRule name

Options

OptionDescription
--continueContinuous mode: Don’t stop on errors.

selinuxusermap-disable

Usage: ipa [global-options] selinuxusermap-disable NAME [options]

Disable an SELinux User Map rule.

Arguments

ArgumentRequiredDescription
NAMEyesRule name

selinuxusermap-enable

Usage: ipa [global-options] selinuxusermap-enable NAME [options]

Enable an SELinux User Map rule.

Arguments

ArgumentRequiredDescription
NAMEyesRule name

selinuxusermap-find

Usage: ipa [global-options] selinuxusermap-find [CRITERIA] [options]

Search for SELinux User Maps.

Arguments

Argument Required Description


CRITERIA no A string searched in all relevant object attributes

Options

OptionDescription
--name NAMERule name
--selinuxuser SELINUXUSERSELinux User
--hbacrule HBACRULEHBAC Rule that defines the users, groups and hostgroups
--usercat USERCATUser category the rule applies to
--hostcat HOSTCATHost category the rule applies to
--desc DESCDescription
--timelimit TIMELIMITTime limit of search in seconds (0 is unlimited)
--sizelimit SIZELIMITMaximum number of entries returned (0 is unlimited)
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--pkey-onlyResults should contain primary key attribute only (“name”)

selinuxusermap-mod

Usage: ipa [global-options] selinuxusermap-mod NAME [options]

Modify a SELinux User Map.

Arguments

ArgumentRequiredDescription
NAMEyesRule name

Options

OptionDescription
--selinuxuser SELINUXUSERSELinux User
--hbacrule HBACRULEHBAC Rule that defines the users, groups and hostgroups
--usercat USERCATUser category the rule applies to
--hostcat HOSTCATHost category the rule applies to
--desc DESCDescription
--setattr SETATTRSet an attribute to a name/value pair. Format is attr=value.
--addattr ADDATTRAdd an attribute/value pair. Format is attr=value. The attribute
--delattr DELATTRDelete an attribute/value pair. The option will be evaluated
--rightsDisplay the access rights of this entry (requires —all). See ipa man page for details.
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--no-membersSuppress processing of membership attributes.

selinuxusermap-remove-host

Usage: ipa [global-options] selinuxusermap-remove-host NAME [options]

Remove target hosts and hostgroups from an SELinux User Map rule.

Arguments

ArgumentRequiredDescription
NAMEyesRule name

Options

OptionDescription
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--no-membersSuppress processing of membership attributes.
--hosts HOSTShosts to remove
--hostgroups HOSTGROUPShost groups to remove

selinuxusermap-remove-user

Usage: ipa [global-options] selinuxusermap-remove-user NAME [options]

Remove users and groups from an SELinux User Map rule.

Arguments

ArgumentRequiredDescription
NAMEyesRule name

Options

OptionDescription
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--no-membersSuppress processing of membership attributes.
--users USERSusers to remove
--groups GROUPSgroups to remove

selinuxusermap-show

Usage: ipa [global-options] selinuxusermap-show NAME [options]

Display the properties of a SELinux User Map rule.

Arguments

ArgumentRequiredDescription
NAMEyesRule name

Options

OptionDescription
--rightsDisplay the access rights of this entry (requires —all). See ipa man page for details.
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--no-membersSuppress processing of membership attributes.