SELinux User Mapping
Manage SELinux user context mapping for IPA users on client systems. SELinux user maps assign SELinux user contexts to IPA users and hosts, controlling the SELinux domain users run in. Features include user and host category specification, SELinux user assignment (guest_u, user_u, staff_u, etc.), priority ordering, enable/disable controls, and integration with SSSD for applying SELinux contexts during user login.
Map IPA users to SELinux users by host.
Hosts, hostgroups, users and groups can be either defined within the
rule or it may point to an existing HBAC rule. When using —hbacrule
option to selinuxusermap-find an exact match is made on the HBAC rule
name, so only one or zero entries will be returned.
EXAMPLES
Create a rule, “test1”, that sets all users to xguest_u:s0 on the host “server”:
ipa selinuxusermap-add --usercat=all --selinuxuser=xguest_u:s0 test1 ipa selinuxusermap-add-host --hosts=server.example.com test1Create a rule, “test2”, that sets all users to guest_u:s0 and uses an existing HBAC rule for users and hosts:
ipa selinuxusermap-add --usercat=all --hbacrule=webserver --selinuxuser=guest_u:s0 test2Display the properties of a rule:
ipa selinuxusermap-show test2Create a rule for a specific user. This sets the SELinux context for
user john to unconfined_u:s0-s0:c0.c1023 on any machine:
ipa selinuxusermap-add --hostcat=all --selinuxuser=unconfined_u:s0-s0:c0.c1023 john_unconfined ipa selinuxusermap-add-user --users=john john_unconfinedDisable a rule:
ipa selinuxusermap-disable test1Enable a rule:
ipa selinuxusermap-enable test1Find a rule referencing a specific HBAC rule:
ipa selinuxusermap-find --hbacrule=allow_someRemove a rule:
ipa selinuxusermap-del john_unconfined
SEEALSO
The list controlling the order in which the SELinux user map is applied
and the default SELinux user are available in the
config-showcommand.
Use Cases
1. Restricting Contractors to Guest Context
Assign contractors to restrictive SELinux guest context to limit system access.
# Create contractor group if not exists
ipa group-add contractors --desc="External contractor accounts"
ipa group-add-member contractors --users=jdoe,asmith
# Create SELinux user map for contractors
ipa selinuxusermap-add contractor-restrict \
--selinuxuser=guest_u:s0 \
--hostcat=all \
--desc="Contractors run as guest_u on all systems"
# Add contractors group to rule
ipa selinuxusermap-add-user contractor-restrict --groups=contractors
# Verify rule
ipa selinuxusermap-show contractor-restrict
# When contractor logs in, SSSD applies guest_u context
# guest_u is very restrictive: no network access, no X11, limited file access
2. Assigning Staff Context to System Administrators
Grant system administrators staff_u context for elevated but still controlled access.
# Create sysadmin SELinux mapping
ipa selinuxusermap-add sysadmin-staff \
--selinuxuser=staff_u:s0-s0:c0.c1023 \
--hostcat=all \
--desc="System administrators run as staff_u"
# Add sysadmin group
ipa selinuxusermap-add-user sysadmin-staff --groups=sysadmins
# staff_u allows sudo to sysadm_t domain
# Provides separation between normal and administrative tasks
3. Using HBAC Rule Integration
Reuse existing HBAC rule logic for SELinux user mapping.
# Assume HBAC rule "webserver-access" already defines
# which users can access which web servers
# Create SELinux map referencing HBAC rule
ipa selinuxusermap-add webserver-context \
--selinuxuser=user_u:s0 \
--hbacrule=webserver-access \
--desc="Web server admins get user_u context"
# Users, groups, hosts, and hostgroups automatically
# inherited from HBAC rule "webserver-access"
# Verify the association
ipa selinuxusermap-show webserver-context
4. Developer Workstation Unconfined Access
Grant developers unconfined SELinux context on development workstations.
# Create developer workstation hostgroup
ipa hostgroup-add dev-workstations \
--desc="Developer desktop and laptop systems"
ipa hostgroup-add-member dev-workstations \
--hosts=devbox01.example.com,devbox02.example.com
# Create SELinux map for developers on dev workstations
ipa selinuxusermap-add developer-unconfined \
--selinuxuser=unconfined_u:s0-s0:c0.c1023 \
--desc="Developers run unconfined on dev workstations"
# Add developer group and dev workstation hostgroup
ipa selinuxusermap-add-user developer-unconfined --groups=developers
ipa selinuxusermap-add-host developer-unconfined --hostgroups=dev-workstations
# On production servers, developers get more restrictive context
# via different rule with higher priority
5. Kiosk Mode with Xguest Context
Configure public kiosk systems with highly restrictive xguest_u SELinux context.
# Create hostgroup for kiosk systems
ipa hostgroup-add kiosks --desc="Public kiosk terminals"
ipa hostgroup-add-member kiosks --hosts=kiosk01.example.com,kiosk02.example.com
# Create kiosk user account
ipa user-add kiosk --first=Kiosk --last=User \
--password # Set simple password
# Create SELinux map for kiosk user
ipa selinuxusermap-add kiosk-xguest \
--selinuxuser=xguest_u:s0 \
--desc="Kiosk terminals run as xguest_u"
ipa selinuxusermap-add-user kiosk-xguest --users=kiosk
ipa selinuxusermap-add-host kiosk-xguest --hostgroups=kiosks
# xguest_u provides:
# - Firefox allowed but cannot save files
# - No network except HTTP/HTTPS
# - Cannot execute files from home directory
# - Minimal system access
6. Managing Rule Priority with Order
Control SELinux user map application order when multiple rules match.
# Check current order configuration
ipa config-show | grep "SELinux user map order"
# Default order processes rules from config-show output
# More specific rules should be processed before general ones
# Example: specific rule for DBAs on database servers
ipa selinuxusermap-add dba-dbservers \
--selinuxuser=staff_u:s0-s0:c0.c1023 \
--desc="DBAs on database servers get staff_u"
ipa selinuxusermap-add-user dba-dbservers --groups=dbas
ipa selinuxusermap-add-host dba-dbservers --hostgroups=database-servers
# General rule for all DBAs on other systems (lower priority)
ipa selinuxusermap-add dba-default \
--selinuxuser=user_u:s0 \
--hostcat=all \
--desc="DBAs on non-database systems get user_u"
ipa selinuxusermap-add-user dba-default --groups=dbas
# First matching rule wins; ensure specific rules listed first in order
# Modify order with: ipa config-mod --selinuxusermaporder=...
7. Temporarily Disabling SELinux Mapping Rule
Disable rule for testing or troubleshooting without deleting configuration.
# Disable rule temporarily
ipa selinuxusermap-disable contractor-restrict
# Verify rule is disabled
ipa selinuxusermap-show contractor-restrict | grep Enabled
# Should show: Enabled: FALSE
# Users affected by this rule now fall through to next matching rule
# or default SELinux user from config-show
# After testing, re-enable
ipa selinuxusermap-enable contractor-restrict
# Verify re-enabled
ipa selinuxusermap-show contractor-restrict | grep Enabled
# Should show: Enabled: TRUE
8. Auditing Current SELinux User Mapping Configuration
Review all SELinux user maps for security audit or documentation.
# List all SELinux user maps
ipa selinuxusermap-find --sizelimit=0
# Generate detailed report for each rule
for rule in $(ipa selinuxusermap-find --pkey-only | grep "Rule name:" | awk '{print $3}'); do
echo "==================================="
echo "Rule: $rule"
echo "==================================="
ipa selinuxusermap-show "$rule"
echo ""
done > selinux-maps-audit.txt
# Check default SELinux user for unmapped users
ipa config-show | grep -i selinux
cat selinux-maps-audit.txt
9. Setting User-Specific SELinux Context
Assign specific SELinux context to individual user across all or specific hosts.
# Security officer needs sysadm_u context everywhere
ipa selinuxusermap-add secoff-sysadm \
--selinuxuser=sysadm_u:s0-s0:c0.c1023 \
--hostcat=all \
--desc="Security officer gets sysadm_u context"
ipa selinuxusermap-add-user secoff-sysadm --users=security-officer
# When security-officer logs in anywhere, gets sysadm_u
# This is most privileged SELinux user context
10. Testing SELinux User Map Application
Verify SELinux user mapping works correctly on client system.
# On IPA client, force SSSD cache refresh
sudo sss_cache -E
# Check what SELinux context user will get
sudo sss_cache -u testuser
id -Z testuser
# Should show: user_u:user_r:user_t:s0 (or configured context)
# Test actual login
ssh testuser@client.example.com
id -Z
# Should show configured SELinux context from mapping rule
# Check SSSD logs for SELinux mapping
sudo tail -f /var/log/sssd/sssd_example.com.log | grep -i selinux
# Verify which rule matched
ipa selinuxusermap-find --users=testuser
ipa selinuxusermap-find --groups=testuser-group
Security Considerations
1. Unconfined Context Assignment Risks
Assigning unconfined_u SELinux context removes mandatory access control protections.
- unconfined_u bypasses SELinux policy enforcement, similar to SELinux permissive mode
- Users with unconfined_u can access any file their DAC permissions allow
- Compromise of unconfined_u user account provides attacker minimal SELinux restrictions
- Limit unconfined_u to highly trusted users on development/test systems only
- Production systems should use confined contexts (user_u, staff_u) wherever possible
2. Guest Context Escape Attempts
guest_u and xguest_u contexts are restrictive; users may attempt to bypass limitations.
- Guest users cannot run programs from home directory; may try /tmp or /dev/shm
- xguest_u blocks most network access but users may attempt port forwarding or tunneling
- Monitor for guest user attempts to execute unauthorized programs
- Review SELinux AVCs (Access Vector Cache) denials regularly:
ausearch -m avc - Enable SELinux boolean restrictions to further harden guest contexts
3. Rule Priority Confusion
When multiple SELinux user maps match a user, only first matching rule applies.
- Rule order configured in
ipa config-showoutput determines precedence - Unintended rule order may grant excessive or insufficient privileges
- Specific rules (particular users/hosts) should be ordered before general rules (categories)
- Test rule changes with non-privileged test account before production deployment
- Document rule priority design in security architecture documentation
4. HBAC Rule Coupling Complexity
Using --hbacrule option couples SELinux mapping to HBAC rule lifecycle.
- Changes to HBAC rule membership automatically change SELinux map scope
- Deleting HBAC rule may break SELinux map (verify behavior)
- Difficult to audit which users get which SELinux context without evaluating HBAC rules
- Prefer explicit user/group/host specification for SELinux maps unless HBAC coupling intentional
- Document HBAC rule dependencies in SELinux map descriptions
5. Default SELinux User Fallback
Users not matching any SELinux user map receive default context from IPA configuration.
- Default SELinux user configured in
ipa config-show(typically unconfined_u or user_u) - Overly permissive default grants excessive privileges to unmatched users
- Set default to most restrictive context appropriate for environment (user_u or guest_u)
- Explicitly map all user populations; don’t rely on default for important users
- Monitor unmapped users: compare user list to SELinux map coverage
6. SELinux Context Privilege Escalation
staff_u and sysadm_u contexts allow privilege escalation through sudo.
- staff_u can sudo to sysadm_t domain, gaining root-equivalent SELinux privileges
- sysadm_u has broad SELinux privileges; compromise is severe
- Even with SELinux, sudo configuration still critical for authorization
- Assign staff_u/sysadm_u only to users who need sudo access
- Combine SELinux user maps with restrictive sudo rules for defense in depth
7. Client-Side SELinux Enforcement Dependency
SELinux user mapping relies on client systems having SELinux enabled and enforcing.
- Clients with SELinux disabled or permissive ignore SELinux user maps entirely
- Users can boot single-user mode or live media to bypass SELinux enforcement
- SELinux provides defense-in-depth, not perimeter security
- Deploy configuration management to enforce SELinux enabled on all clients
- Physical security critical for workstations; SELinux cannot prevent physical access attacks
8. Category All Overuse
Using --usercat=all or --hostcat=all creates overly broad rules.
- Broad categories make rules harder to reason about and audit
- New users or hosts automatically included in broad category rules
- Changes to user population affect SELinux context assignment unexpectedly
- Prefer explicit user groups and host groups for precise control
- Use categories only for truly universal policies (e.g., “all users on kiosks get xguest_u”)
9. MLS/MCS Range Misconfigurations
Multi-Level Security (MLS) and Multi-Category Security (MCS) ranges require careful configuration.
- Incorrect MCS ranges can prevent users from accessing their own files
- s0-s0:c0.c1023 is typical range for full MCS access
- Single-level labels (e.g., user_u:s0) restrict access to files labeled s0 only
- MLS/MCS label mismatches cause “Permission denied” even with correct DAC permissions
- Test MCS configurations in non-production environment before deployment
10. Disabled Rule Management
Disabled SELinux user maps remain in configuration but don’t apply; can cause confusion.
- Administrators may forget disabled rules exist and create duplicate rules
- Re-enabling old disabled rule may have unintended effects if environment changed
- Disabled rules should be documented with reason and date in description field
- Periodically review disabled rules; delete if no longer needed
- Consider deleting instead of disabling unless rule re-enablement anticipated soon
11. SELinux User Map Bypass via Local Override
Local /etc/selinux/targeted/seusers file can override IPA SELinux user maps.
- SSSD respects local seusers entries over IPA-provided mappings
- Attacker with root on client can modify local seusers to change own context
- Configuration management should enforce no local seusers modifications
- Monitor /etc/selinux/targeted/seusers for unauthorized changes
- Root compromise on client always grants full control regardless of SELinux maps
12. Audit and Logging Limitations
SELinux user map application not explicitly logged in IPA audit trail.
- IPA logs map creation/modification/deletion but not per-login application
- SSSD logs on client show which mapping applied but logs may not be centralized
- Difficult to audit “who had what SELinux context where and when” historically
- Centralize SSSD logs from all clients to SIEM for security analysis
- Correlate SSSD SELinux mapping logs with authentication logs for complete picture
Troubleshooting
1. SELinux Context Not Applied on Client
Symptom: User logs in but receives default SELinux context instead of mapped context from IPA rule.
Diagnosis:
# On IPA server, verify rule exists and is enabled
ipa selinuxusermap-find --users=testuser
ipa selinuxusermap-show rule-name
# On client, check SSSD configuration
sudo cat /etc/sssd/sssd.conf | grep selinux
# Should have: selinux_provider = ipa
# Check if SSSD retrieving SELinux maps
sudo sss_cache -E
sudo systemctl restart sssd
id -Z testuser
Resolution:
- Ensure
selinux_provider = ipaset in /etc/sssd/sssd.conf on client - Verify rule is enabled:
ipa selinuxusermap-show rule-name | grep Enabled - Check user/host membership in rule matches
- Force SSSD cache refresh:
sudo sss_cache -E - Review SSSD logs:
sudo tail -f /var/log/sssd/sssd_example.com.log
2. Multiple Rules Match - Wrong One Applied
Symptom: User has SELinux context from unexpected rule; multiple rules match user/host.
Diagnosis:
# Find all rules matching user
ipa selinuxusermap-find --users=testuser
ipa selinuxusermap-find --groups=testuser-group
# Check rule order configuration
ipa config-show | grep "SELinux user map order"
# First matching rule in order wins
Resolution:
- Review rule order from
ipa config-showoutput - First matching rule in order is applied; subsequent matches ignored
- Reorder rules with
ipa config-mod --selinuxusermaporder=rule1,rule2,rule3 - More specific rules should come before general rules
- Add
--descto rules explaining priority rationale
3. Permission Denied Despite Correct DAC Permissions
Symptom: User cannot access files they own; SELinux denials in audit log.
Diagnosis:
# Check SELinux context of user
id -Z
# Check SELinux context of file
ls -Z /path/to/file
# Search for SELinux denials
sudo ausearch -m avc -ts recent
# Check if SELinux enforcing
getenforce
Resolution:
- Verify user’s SELinux context matches required context for file access
- MLS/MCS level mismatch common cause: user at s0 cannot access s0:c0.c1023 files
- Check if SELinux boolean needs enabling:
getsebool -a | grep user - May need to relabel files:
restorecon -Rv /path/to/directory - Review SELinux user map; ensure correct context assigned
4. SELinux User Map Not Appearing in Find Results
Symptom: Created SELinux user map but cannot find it with selinuxusermap-find.
Diagnosis:
# Try showing by exact name
ipa selinuxusermap-show exact-rule-name
# List all rules without filter
ipa selinuxusermap-find --sizelimit=0
# Check if replication delayed
ipa-replica-manage list
Resolution:
- Verify rule name spelling; rule names case-sensitive
- Check replication status if multi-master deployment
- Rule may have been created on different server and not yet replicated
- Wait 30 seconds and retry; replication typically fast
- Use
--allflag to see all attributes:ipa selinuxusermap-show rule-name --all
5. Cannot Add User to SELinux User Map
Symptom: selinuxusermap-add-user fails with “user not found” error.
Diagnosis:
# Verify user exists
ipa user-show username
# Verify group exists if adding group
ipa group-show groupname
# Check for typos in username/groupname
ipa user-find username
ipa group-find groupname
Resolution:
- User or group must exist in IPA before adding to SELinux user map
- Create user/group first:
ipa user-addoripa group-add - Use exact username/groupname as shown in
ipa user-find/ipa group-find - Cannot add external users directly; add external users to group, then add group to map
6. Cannot Use Both Category and Explicit Members
Symptom: Error when trying to add specific users after setting --usercat=all.
Diagnosis:
# Check current rule configuration
ipa selinuxusermap-show rule-name
# Category "all" is mutually exclusive with explicit members
Resolution:
- Cannot mix
--usercat=allwith specific--usersor--groups - Cannot mix
--hostcat=allwith specific--hostsor--hostgroups - Choose either category “all” or explicit member list, not both
- Remove category:
ipa selinuxusermap-mod rule-name --usercat= - Then add explicit members:
ipa selinuxusermap-add-user rule-name --users=user1
7. HBAC Rule Changes Not Reflected in SELinux Map
Symptom: Modified HBAC rule but SELinux map still uses old membership.
Diagnosis:
# Show SELinux map with HBAC rule association
ipa selinuxusermap-show selinux-rule-name
# Show associated HBAC rule
ipa hbacrule-show hbac-rule-name
# On client, check SSSD cache age
sudo sss_cache -E
Resolution:
- SSSD caches SELinux map data; refresh cache:
sudo sss_cache -E - Restart SSSD if cache refresh insufficient:
sudo systemctl restart sssd - HBAC rule changes immediately affect SELinux map on server side
- Client-side caching delays propagation; cache refresh forces update
- Default cache timeout varies; check sssd.conf entry_cache_timeout
8. Guest User Can Execute Programs from Home
Symptom: User assigned guest_u context but can still execute binaries from home directory.
Diagnosis:
# Verify user's actual SELinux context
id -Z
# Check SELinux booleans for guest users
getsebool -a | grep guest
# Try executing program from home
~/test.sh # Should be denied if guest_u working correctly
Resolution:
- Verify user actually has guest_u context; check
id -Z - SELinux boolean may allow guest execution: check
guest_exec_content - Disable:
sudo setsebool -P guest_exec_content off - Check if SELinux enforcing:
getenforce(should be “Enforcing”) - Review file context: files in home may be mislabeled
9. Unconfined User Still Getting SELinux Denials
Symptom: User assigned unconfined_u but still receives permission denied from SELinux.
Diagnosis:
# Verify user's context
id -Z
# Should show: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
# Check recent denials
sudo ausearch -m avc -ts recent | grep unconfined
# Verify SELinux mode
getenforce
Resolution:
- Even unconfined_u has some restrictions (e.g., cannot modify SELinux policy)
- Verify user’s domain is unconfined_t; some policies use different domains
- Check MCS label: unconfined_u:s0 is more restricted than unconfined_u:s0-s0:c0.c1023
- True unconfined access requires both correct user (unconfined_u) and range (s0-s0:c0.c1023)
- Review specific denial in audit log; may indicate legitimate SELinux enforcement
10. SELinux Map Order Configuration Not Persisting
Symptom: Modified SELinux user map order with config-mod but order resets after replication.
Diagnosis:
# Check current order
ipa config-show | grep "SELinux user map order"
# Modify order
ipa config-mod --selinuxusermaporder=rule1,rule2,rule3
# Verify immediately
ipa config-show | grep "SELinux user map order"
# Check on other replica
ssh ipa02.example.com
ipa config-show | grep "SELinux user map order"
Resolution:
- Config changes replicate normally; wait for replication if multi-master
- Order is comma-separated list of rule names; verify exact spelling
- Check replication status:
ipa-replica-manage list - Order includes only enabled rules; disabled rules ignored in ordering
- All rule names in order must exist or config-mod fails
11. Cannot Delete SELinux User Map - In Use
Symptom: selinuxusermap-del fails indicating rule is in use.
Diagnosis:
# Show rule details
ipa selinuxusermap-show rule-name --all
# Check if rule has members
ipa selinuxusermap-show rule-name
# Check if referenced by other configuration
ipa config-show | grep rule-name
Resolution:
- First remove all users and hosts from rule
- Then disable rule:
ipa selinuxusermap-disable rule-name - Remove from order if present:
ipa config-mod --selinuxusermaporder=... - Then delete:
ipa selinuxusermap-del rule-name - If still failing, use
--continueflag to force deletion
12. SELinux Context Prevents SSH Login
Symptom: User cannot SSH to system; connection rejected or immediately disconnected.
Diagnosis:
# Check SSH daemon SELinux context requirements
sudo ausearch -m avc -ts recent | grep sshd
# Check user's assigned SELinux context
id -Z username
# Review SSH logs
sudo tail -f /var/log/secure
Resolution:
- Some SELinux users (guest_u, xguest_u) may be restricted from SSH depending on policy
- Check SELinux boolean:
getsebool -a | grep ssh - May need:
sudo setsebool -P ssh_sysadm_login onfor sysadm_u SSH access - Verify sshd_t domain allows user’s SELinux user type
- Consider less restrictive context if SSH required (user_u instead of guest_u)
13. Description Field Truncated or Not Displaying
Symptom: SELinux user map description not showing completely.
Diagnosis:
# Show with --all flag
ipa selinuxusermap-show rule-name --all
# Check description length
ipa selinuxusermap-show rule-name | grep Description
Resolution:
- Default output may truncate long descriptions; use
--allflag for complete output - Description field has length limit (typically 1024 chars)
- Very long descriptions may need to be in external documentation
- Update description:
ipa selinuxusermap-mod rule-name --desc="New description"
14. SELinux User Map Works on Some Clients But Not Others
Symptom: Same user gets correct SELinux context on some clients but not others.
Diagnosis:
# On working client
cat /etc/sssd/sssd.conf | grep selinux
id -Z username
# On broken client
cat /etc/sssd/sssd.conf | grep selinux
id -Z username
# Check SSSD version
sssd --version
Resolution:
- Verify
/etc/sssd/sssd.confhasselinux_provider = ipaon broken client - Check SSSD version consistency; old SSSD may not support SELinux mapping
- Minimum SSSD version for IPA SELinux mapping: 1.9.0+
- Restart SSSD on broken client:
sudo systemctl restart sssd - Review client SELinux policy version; may need updates
15. Testing Rule Before Production Deployment
Symptom: Want to test SELinux user map without affecting production users.
Diagnosis:
# Create test user
ipa user-add testselinux --first=Test --last=SELinux
# Create test rule
ipa selinuxusermap-add test-rule \
--selinuxuser=staff_u:s0-s0:c0.c1023 \
--hostcat=all
# Add only test user
ipa selinuxusermap-add-user test-rule --users=testselinux
Resolution:
- Create rule targeting test user or test hostgroup only
- Test on non-production client system first
- SSH as test user and verify context:
ssh testuser@testclient.example.com id -Z - Check application behavior with assigned context
- After successful testing, modify rule to add production users/groups
- Keep test rule disabled when not actively testing:
ipa selinuxusermap-disable test-rule
Commands
selinuxusermap-add
Usage: ipa [global-options] selinuxusermap-add NAME [options]
Create a new SELinux User Map.
Arguments
| Argument | Required | Description |
|---|---|---|
NAME | yes | Rule name |
Options
| Option | Description |
|---|---|
--selinuxuser SELINUXUSER | SELinux User |
--hbacrule HBACRULE | HBAC Rule that defines the users, groups and hostgroups |
--usercat USERCAT | User category the rule applies to |
--hostcat HOSTCAT | Host category the rule applies to |
--desc DESC | Description |
--setattr SETATTR | Set an attribute to a name/value pair. Format is attr=value. |
--addattr ADDATTR | Add an attribute/value pair. Format is attr=value. The attribute |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
selinuxusermap-add-host
Usage: ipa [global-options] selinuxusermap-add-host NAME [options]
Add target hosts and hostgroups to an SELinux User Map rule.
Arguments
| Argument | Required | Description |
|---|---|---|
NAME | yes | Rule name |
Options
| Option | Description |
|---|---|
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
--hosts HOSTS | hosts to add |
--hostgroups HOSTGROUPS | host groups to add |
selinuxusermap-add-user
Usage: ipa [global-options] selinuxusermap-add-user NAME [options]
Add users and groups to an SELinux User Map rule.
Arguments
| Argument | Required | Description |
|---|---|---|
NAME | yes | Rule name |
Options
| Option | Description |
|---|---|
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
--users USERS | users to add |
--groups GROUPS | groups to add |
selinuxusermap-del
Usage: ipa [global-options] selinuxusermap-del NAME [options]
Delete a SELinux User Map.
Arguments
| Argument | Required | Description |
|---|---|---|
NAME | yes | Rule name |
Options
| Option | Description |
|---|---|
--continue | Continuous mode: Don’t stop on errors. |
selinuxusermap-disable
Usage: ipa [global-options] selinuxusermap-disable NAME [options]
Disable an SELinux User Map rule.
Arguments
| Argument | Required | Description |
|---|---|---|
NAME | yes | Rule name |
selinuxusermap-enable
Usage: ipa [global-options] selinuxusermap-enable NAME [options]
Enable an SELinux User Map rule.
Arguments
| Argument | Required | Description |
|---|---|---|
NAME | yes | Rule name |
selinuxusermap-find
Usage:
ipa [global-options] selinuxusermap-find [CRITERIA] [options]
Search for SELinux User Maps.
Arguments
Argument Required Description
CRITERIA no A string searched in all relevant object
attributes
Options
| Option | Description |
|---|---|
--name NAME | Rule name |
--selinuxuser SELINUXUSER | SELinux User |
--hbacrule HBACRULE | HBAC Rule that defines the users, groups and hostgroups |
--usercat USERCAT | User category the rule applies to |
--hostcat HOSTCAT | Host category the rule applies to |
--desc DESC | Description |
--timelimit TIMELIMIT | Time limit of search in seconds (0 is unlimited) |
--sizelimit SIZELIMIT | Maximum number of entries returned (0 is unlimited) |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--pkey-only | Results should contain primary key attribute only (“name”) |
selinuxusermap-mod
Usage: ipa [global-options] selinuxusermap-mod NAME [options]
Modify a SELinux User Map.
Arguments
| Argument | Required | Description |
|---|---|---|
NAME | yes | Rule name |
Options
| Option | Description |
|---|---|
--selinuxuser SELINUXUSER | SELinux User |
--hbacrule HBACRULE | HBAC Rule that defines the users, groups and hostgroups |
--usercat USERCAT | User category the rule applies to |
--hostcat HOSTCAT | Host category the rule applies to |
--desc DESC | Description |
--setattr SETATTR | Set an attribute to a name/value pair. Format is attr=value. |
--addattr ADDATTR | Add an attribute/value pair. Format is attr=value. The attribute |
--delattr DELATTR | Delete an attribute/value pair. The option will be evaluated |
--rights | Display the access rights of this entry (requires —all). See ipa man page for details. |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
selinuxusermap-remove-host
Usage:
ipa [global-options] selinuxusermap-remove-host NAME [options]
Remove target hosts and hostgroups from an SELinux User Map rule.
Arguments
| Argument | Required | Description |
|---|---|---|
NAME | yes | Rule name |
Options
| Option | Description |
|---|---|
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
--hosts HOSTS | hosts to remove |
--hostgroups HOSTGROUPS | host groups to remove |
selinuxusermap-remove-user
Usage:
ipa [global-options] selinuxusermap-remove-user NAME [options]
Remove users and groups from an SELinux User Map rule.
Arguments
| Argument | Required | Description |
|---|---|---|
NAME | yes | Rule name |
Options
| Option | Description |
|---|---|
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
--users USERS | users to remove |
--groups GROUPS | groups to remove |
selinuxusermap-show
Usage: ipa [global-options] selinuxusermap-show NAME [options]
Display the properties of a SELinux User Map rule.
Arguments
| Argument | Required | Description |
|---|---|---|
NAME | yes | Rule name |
Options
| Option | Description |
|---|---|
--rights | Display the access rights of this entry (requires —all). See ipa man page for details. |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |