10.4.11.3. Creating a User With a Specific MLS Range

Follow these steps to create a new Linux user with a specific MLS range:

Procedure 10.25. Creating a User With a Specific MLS Range

  1. Add a new Linux user using the useradd command and map the new Linux user to an existing SELinux user (in this case, user_u):
    ~]# useradd -Z user_u john
  2. Assign the newly-created Linux user a password:
    ~]# passwd john
  3. Run the following command as root to view the mapping between SELinux and Linux users. The output should be as follows:
    ~]# semanage login -l
    
    Login Name           SELinux User         MLS/MCS Range        Service
    
    __default__          unconfined_u         s0-s0:c0.c1023       *
    john                 user_u               s0                   *
    root                 unconfined_u         s0-s0:c0.c1023       *
    system_u             system_u             s0-s0:c0.c1023       *
    
  4. Define a specific range for user john:
    ~]# semanage login --modify --seuser user_u --range s2:c100 john
  5. View the mapping between SELinux and Linux users again. Note that the user john now has a specific MLS range defined:
    ~]# semanage login -l
    
    Login Name           SELinux User         MLS/MCS Range        Service
    
    __default__          unconfined_u         s0-s0:c0.c1023       *
    john                 user_u               s2:c100              *
    root                 unconfined_u         s0-s0:c0.c1023       *
    system_u             system_u             s0-s0:c0.c1023       *
    
  6. To correct the label on john's home directory (if needed), run the following command:
    ~]# chcon -R -l s2:c100 /home/john
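
A check for the results of steps 5 and 6, added here as an example and not part of the original documentation. The function names and the `user_home_dir_t` context string in the usage comment are assumptions, and the comparison assumes a single-level range such as `s2:c100`, as used in this procedure.

```shell
#!/bin/sh
# Added example: verify the login mapping (step 5) and home label (step 6).

# Table printed by `semanage login -l` in step 5, kept here so the checks run offline.
STEP5_OUTPUT='Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
john                 user_u               s2:c100              *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *'

# login_mapping LOGIN: read `semanage login -l` output on stdin and print
# "SEUSER RANGE SOURCE". SOURCE is "explicit" when LOGIN has its own row and
# "default" when only the __default__ row applies to it.
login_mapping() {
    awk -v login="$1" '
        ($1 == "Login" && $2 == "Name") || NF < 3 { next }  # header, blank lines
        $1 == login         { own  = $2 " " $3 }
        $1 == "__default__" { dflt = $2 " " $3 }
        END {
            if (own != "")       print own, "explicit"
            else if (dflt != "") print dflt, "default"
            else exit 1
        }'
}

# context_level CONTEXT: print the MLS/MCS part of a security context.
# The level can itself contain ":" (s2:c100), so drop exactly the three
# leading fields (user:role:type) rather than taking field 4 alone.
context_level() {
    printf '%s\n' "$1" | cut -d: -f4-
}

# check_user LOGIN SEUSER RANGE HOME_CONTEXT: succeed only if LOGIN has an
# explicit mapping to SEUSER with RANGE and the home directory level equals
# RANGE. The mapping table is read from stdin.
check_user() {
    mapping=$(login_mapping "$1") || return 1
    [ "$mapping" = "$2 $3 explicit" ] ||
        { echo "unexpected mapping: $mapping" >&2; return 1; }
    [ "$(context_level "$4")" = "$3" ] ||
        { echo "unexpected home level: $(context_level "$4")" >&2; return 1; }
}

# On a live system, as root:
#   semanage login -l | check_user john user_u s2:c100 "$(stat -c %C /home/john)"
```

A login that reports `default` as its source has no row of its own, so a later change to `__default__` would silently change its range.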