Applying MCS Categories to a User

You can control a user's access to resources by applying MCS categories to the user. You can define category ranges that are available to each SELinux user and you can specify subranges for each Oracle Linux user account that's mapped to an SELinux user.

Note:

See Administering SELinux Users for more information on the different SELinux users and how to manage mappings between these users and standard Oracle Linux users.

Defining the category ranges for an SELinux user

To specify the category ranges that are available to the SELinux user_u user, use the semanage command. For example:

sudo semanage user -m -rs0:c0,c1-s0:c0.c9 user_u

Use category numbers c0 to c1023, or category aliases if you're using the mcstrans service. In this example, the category range of c0 to c9 is assigned to the user_u user.

Specifying individual categories for an SELinux user

For each Oracle Linux user that's mapped to an SELinux user with a defined category range, you can specify the individual categories that apply. For example, to apply the c1 category to the oracle user, run:

sudo semanage login -m -rs0:c1 oracle

The categories that you assign to users must be within the range that you defined for the mapped SELinux user.

Changing the categories that apply to an SELinux user

You can also use the chcat -l command to change which categories apply to a user. For example, you can add the c2 category to oracle and remove the c1 category:

sudo chcat -l -- +c2,-c1 oracle

The command uses -- to indicate that the - character isn't to be interpreted as an option switch.
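The following Python sketch is an added example, not part of the original page or of the semanage and chcat tools. It expands category expressions such as c0.c9, applies a chcat-style change list, and reports any categories that fall outside the upper end of the SELinux user's range, so a change can be checked before it is run. It compares category sets only and does not evaluate sensitivities or the lower end of the range, so it does not reproduce the full policy check; the function names are hypothetical.

```python
import re

MAX_CAT = 1023  # the page gives c0 to c1023 as the usable category numbers

def parse_categories(spec):
    """Expand 'c0,c3.c5' into {0, 3, 4, 5}; '.' joins an inclusive range."""
    cats = set()
    for part in filter(None, spec.split(",")):
        m = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", part)
        if not m:
            raise ValueError(f"bad category expression: {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if lo > hi or hi > MAX_CAT:
            raise ValueError(f"out of order or above c{MAX_CAT}: {part!r}")
        cats.update(range(lo, hi + 1))
    return cats

def upper_categories(mls_range):
    """Category set of the upper level of 'low-high', or of a single level."""
    high = mls_range.rsplit("-", 1)[-1]
    _sensitivity, _, cats = high.partition(":")
    return parse_categories(cats)

def apply_chcat(current, changes):
    """Apply a chcat-style '+c2,-c1' change list to a set of category numbers."""
    result = set(current)
    for change in changes.split(","):
        op, cats = change[:1], parse_categories(change[1:])
        if op == "+":
            result |= cats
        elif op == "-":
            result -= cats
        else:
            raise ValueError(f"change must start with + or -: {change!r}")
    return result

def outside_range(login_range, seuser_range):
    """Categories in the login's upper level that the SELinux user's range lacks."""
    return sorted(upper_categories(login_range) - upper_categories(seuser_range))

if __name__ == "__main__":
    seuser = "s0:c0,c1-s0:c0.c9"   # range given to user_u in the page's example
    login = "s0:c1"                # level given to the oracle login
    print("outside range:", outside_range(login, seuser))
    after = apply_chcat(upper_categories(login), "+c2,-c1")
    print("after chcat:", sorted(after), "allowed:", after <= upper_categories(seuser))
```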

See the chcat(8) and semanage-user(8) manual pages for more information.