selogin – Manages linux user to SELinux user mapping

New in version 2.8.

Synopsis

  • Manages linux user to SELinux user mapping

Requirements

The below requirements are needed on the host that executes this module.

  • libselinux

  • policycoreutils

Parameters

Parameter Choices/Defaults Comments
ignore_selinux_state
boolean
    Choices:
  • no ←
  • yes
Run independent of selinux runtime state
login
- / required
a Linux user
reload
-
Default:
"yes"
Reload SELinux policy after commit.
selevel
-
Default:
"s0"
MLS/MCS Security Range (MLS/MCS Systems only) SELinux Range for SELinux login mapping defaults to the SELinux user record range.

aliases: serange
seuser
- / required
SELinux user name
state
- / required
    Choices:
  • present ←
  • absent
Desired mapping value.

Notes

Note

  • The changes are persistent across reboots

  • Not tested on any debian based system

Examples

# Modify the default user on the system to the guest_u user
- selogin:
    login: __default__
    seuser: guest_u
    state: present

# Assign gijoe user on an MLS machine a range and to the staff_u user
- selogin:
    login: gijoe
    seuser: staff_u
    serange: SystemLow-Secret
    state: present

# Assign all users in the engineering group to the staff_u user
- selogin:
    login: '%engineering'
    seuser: staff_u
    state: present

Status

Authors

  • Dan Keder (@dankeder)

  • Petr Lautrbach (@bachradsusi)

  • James Cassell (@jamescassell)

Hint

If you notice any issues in this documentation you can edit this document to improve it.