Applying MCS Categories to a User

You can control a user's access to resources by applying MCS categories to the user. You can define category ranges that are available to each SELinux user and you can specify subranges for each Oracle Linux user account that's mapped to an SELinux user. See Administering SELinux Users for more information on the different SELinux users and how to manage mappings between these users and standard Oracle Linux users.

  1. To define the category ranges that are available to the SELinux user_u user, run:

    sudo semanage user -m -rs0:c0,c1-s0:c0.c9 user_u

    Use category numbers c0 to c1023, or category aliases if you are using the mcstrans service. In the example, the category range of c0 to c9 is assigned to the user_u user.

  2. For each Oracle Linux user that's mapped to an SELinux user, for which you have defined a category range, you can specify the individual categories that apply. For example, to apply the c1 category to the oracle user you can run:

    sudo semanage login -m -rs0:c1 oracle

    The categories that you assign to users must be within the range that you defined for the mapped SELinux user.

    You can equally use the chcat -l command to modify which categories apply to a user. For example, you can add the c2 category to oracle and remove the c1 category:

    sudo chcat -l -- +c2,-c1 oracle

    The command uses -- to indicate that the - character isn't to be interpreted as an option switch.
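
The constraint in step 2, as an added example that is not part of the Oracle documentation: a POSIX shell pre-check that expands MCS category specs (c0,c1 or c0.c9) and confirms that a login's categories fall inside the SELinux user's range before you run semanage login -m. The function names are hypothetical, and the script assumes the allowed set is the category list of the upper level in the range (c0.c9 in the example above).

```sh
#!/bin/sh
# Added example (not Oracle's code): check that a login's MCS categories fit
# inside the SELinux user's range before running "semanage login -m".

# Print one category number per line for a spec such as "c0,c1" or "c0.c9".
expand_cats() {
    rest=$1,
    while [ -n "$rest" ]; do
        part=${rest%%,*}; rest=${rest#*,}
        case $part in
            c*.c*) lo=${part%%.*}; hi=${part#*.} ;;  # cN.cM: inclusive run
            c*)    lo=$part; hi=$part ;;
            *)     return 1 ;;
        esac
        lo=${lo#c}; hi=${hi#c}
        for n in "$lo" "$hi"; do                     # digits only, no leading zero
            case $n in ''|*[!0-9]*|0?*) return 1 ;; esac
        done
        [ "$lo" -le "$hi" ] && [ "$hi" -le 1023 ] || return 1
        while [ "$lo" -le "$hi" ]; do echo "$lo"; lo=$((lo + 1)); done
    done
}

# Category spec of the upper level: "s0:c0,c1-s0:c0.c9" -> "c0.c9" (assumption:
# this upper level is the allowed set, as the page reads its example).
upper_cats() {
    level=${1##*-}
    case $level in *:*) echo "${level#*:}" ;; *) echo "" ;; esac
}

# Succeed only if every category in login range $1 is allowed by user range $2.
cats_within() {
    want=$(upper_cats "$1"); have=$(upper_cats "$2")
    [ -z "$want" ] && return 0                # no categories requested
    [ -n "$have" ] || return 1
    allowed=$(expand_cats "$have") || return 1
    wanted=$(expand_cats "$want") || return 1
    for c in $wanted; do
        echo "$allowed" | grep -qx "$c" || return 1
    done
}

# Constructed demo with the ranges used in the steps above.
user_range='s0:c0,c1-s0:c0.c9'
for login in s0:c1 s0:c2 s0:c12; do
    if cats_within "$login" "$user_range"; then echo "$login: within range"
    else echo "$login: outside $user_range"; fi
done
```
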

See the chcat(8) and semanage-user(8) manual pages for more information.