"ipa config-mod --setattr=ipaselinuxusermapdefault" does modify Default SELinux user without checking the selinux user order list.

Notice in the following steps (#2) that "ipa config-mod --ipaselinuxusermapdefault=unknowntype_u:s0" throws error "invalid 'ipaselinuxusermaporder': Default SELinux user map default user not in order list".

Steps to Reproduce:

1.[root@ipaqavme ipa-selinuxusermap-cli]# ipa config-show
Maximum username length: 32
Home directory base: /home
Default shell: /bin/sh
Default users group: ipausers
Default e-mail domain: testrelm.com
Search time limit: 2
Search size limit: 100
User search fields: uid,givenname,sn,telephonenumber,ou,title
Group search fields: cn,description
Enable migration mode: FALSE
Certificate Subject base: O=TESTRELM.COM
Password Expiration Notification (days): 4
Password plugin features: AllowNThash
SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0-s0:c0.c1023$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
Default SELinux user: guest_u:s0

1. [root@ipaqavme ipa-selinuxusermap-cli]# ipa config-mod --ipaselinuxusermapdefault=unknowntype_u:s0
   ipa: ERROR: invalid 'ipaselinuxusermaporder': Default SELinux user map default user not in order list

2. [root@ipaqavme ipa-selinuxusermap-cli]# ipa config-mod --setattr=ipaselinuxusermapdefault=unknowntype_u:s0
   Maximum username length: 32
   Home directory base: /home
   Default shell: /bin/sh
   Default users group: ipausers
   Default e-mail domain: testrelm.com
   Search time limit: 2
   Search size limit: 100
   User search fields: uid,givenname,sn,telephonenumber,ou,title
   Group search fields: cn,description
   Enable migration mode: FALSE
   Certificate Subject base: O=TESTRELM.COM
   Password Expiration Notification (days): 4
   Password plugin features: AllowNThash
   SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0-s0:c0.c1023$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
   Default SELinux user: unknowntype_u:s0