Setting the Default User Mapping

This task shows how to change the default user mapping from unconfined_u to another SELinux user.

On most newly installed systems, the default user mapping is set to the unconfined_u SELinux user to provide a less restrictive environment for general use. In some environments where strict policy enforcement is required, such as when conforming to a Security Technical Implementation Guide (STIG), you might need to map all Oracle Linux user accounts to appropriate confined SELinux users so that a system is better protected by the SELinux policy rules that you're enforcing.

  1. Change the default user mapping.

    To change the default user mapping so that any user accounts that don't have explicit SELinux user mappings are confined to the SELinux user_u user, run: 

    sudo semanage login -m -s user_u -r s0 __default__
  2. Verify the change.

    Check that the __default__ user mapping is no longer set to the unconfined_u SELinux user by running: 

    semanage login -l

Note that the unconfined security context continues to apply to users after this change until the user session or the process is restarted under the new context. To enforce this change at a system-wide level, reboot the system.