Scroll to navigation

semanage-login(8) semanage-login(8)


semanage-login - SELinux Policy Management linux user to SELinux User mapping tool


semanage login [-h] [-n] [-N] [-S STORE] [ --add -s SEUSER -r RANGE LOGIN | --delete LOGIN | --deleteall | --extract | --list [-C] | --modify -s SEUSER -r RANGE LOGIN ]


semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources. semanage login controls the mapping between a Linux User and the SELinux User. It can be used to turn on confined users. For example you could define that a particular user or group of users will login to a system as the user_u user. Prefix the group name with a '%' sign to indicate a group name.


Show this help message and exit
Do not print heading when listing the specified object type
Do not reload policy after commit
List local customizations
Select an alternate SELinux Policy Store to manage
Add a record of the specified object type
Delete a record of the specified object type
Modify a record of the specified object type
List records of the specified object type
Extract customizable commands, for use within a transaction
Remove all local customizations
SELinux user name
MLS/MCS Security Range (MLS/MCS Systems only) SELinux Range for SELinux login mapping defaults to the SELinux user record range. SELinux Range for SELinux user defaults to s0.


Set the default SELinux user on the system to guest_u
# semanage login -m -s guest_u __default__
Map user gijoe to SELinux user staff_u and assign MLS range SystemLow-Secret
# semanage login -a -s staff_u -rSystemLow-Secret gijoe
Map all users in the engineering group to SELinux user staff_u
# semanage login -a -s staff_u %engineering


selinux(8), semanage(8), semanage-user(8)


This man page was written by Daniel Walsh <>