semanage(8)                                                        semanage(8)


NAME

       semanage - SELinux Policy Management tool


SYNOPSIS

       Output local customizations
       semanage [ -S store ] -o [ output_file | - ]

       Input local customizations
       semanage [ -S store ] -i [ input_file | - ]

       Manage booleans.  Booleans allow the administrator to modify the
       confinement of processes based on their configuration.
       semanage boolean [-S store] -{d|m|l|n|D} [-N] -[-on|-off|1|0] -F boolean | boolean_file

       Manage SELinux confined users (roles and levels for an SELinux user)
       semanage user [-S store] -{a|d|m|l|n|D} [-LrRPN] selinux_name

       Manage login mappings between Linux users and SELinux confined users.
       semanage login [-S store] -{a|d|m|l|n|D} [-srN] login_name | %groupname

       Manage policy modules.
       semanage module [-S store] -{a|d|l} [-N] [-m [--enable | --disable] ] module_name

       Manage network port type definitions
       semanage port [-S store] -{a|d|m|l|n|D} [-trN] [-p proto] port | port_range

       Manage network interface type definitions
       semanage interface [-S store] -{a|d|m|l|n|D} [-trN] interface_spec

       Manage network node type definitions
       semanage node [-S store] -{a|d|m|l|n|D} [-trN] [ -p protocol ] [-M netmask] address

       Manage file context mapping definitions
       semanage fcontext [-S store] -{a|d|m|l|n|D} [-frstN] file_spec
       semanage fcontext [-S store] -{a|d|m|l|n|D} -e replacement target

       Manage process type enforcement mode (permissive domains)
       semanage permissive [-S store] [-N] -{a|d|l|n|D} type

       Disable/enable dontaudit rules in policy
       semanage dontaudit [-S store] [-N] [ on | off ]

       Execute multiple commands within a single transaction.
       semanage [-S store] -i command-file


DESCRIPTION

       semanage is used to configure certain elements of SELinux policy
       without requiring modification to or recompilation from policy
       sources.  This includes the mapping from Linux usernames to SELinux
       user identities (which controls the initial security context assigned
       to Linux users when they log in and bounds their authorized role set)
       as well as security context mappings for various kinds of objects,
       such as network ports, interfaces, and nodes (hosts), and the file
       context mapping.  See the EXAMPLE section below for some examples of
       common usage.  Note that the semanage login command deals with the
       mapping from Linux usernames (logins) to SELinux user identities,
       while the semanage user command deals with the mapping from SELinux
       user identities to authorized role sets.  In most cases, only the
       former mapping needs to be adjusted by the administrator; the latter
       is principally defined by the base policy and usually does not
       require modification.


OPTIONS

       -a, --add
              Add an OBJECT record NAME

       -d, --delete
              Delete an OBJECT record NAME

       -D, --deleteall
              Remove all local customizations of the OBJECTS

       --disable
              Disable a policy module; requires the -m option.

              Currently modules only.

       --enable
              Enable a disabled policy module; requires the -m option.

              Currently modules only.

       -e, --equal
              Substitute the target path with the source path when generating
              the default label.  This is used with fcontext.  Requires source
              and target path arguments.  The context labeling for the target
              subtree is made equivalent to that defined for the source.

       -f, --ftype
              File type.  This is used with fcontext.  Requires a file type
              as shown in the mode field by ls, e.g. use -d to match only
              directories or -- to match only regular files.

       -F, --file
              Set multiple records from the input file.  When used with -l,
              --list, it will output the current settings to stdout in the
              proper format.

              Currently booleans only.

       -h, --help
              Display this message

       -l, --list
              List the OBJECTS

       -C, --locallist
              List only locally defined settings, not base policy settings.

       -E, --extract
              Extract customizable commands

       -L, --level
              Default SELinux level for the SELinux user, s0 by default.
              (MLS/MCS systems only)

       -m, --modify
              Modify an OBJECT record NAME

       -M, --mask
              Network mask

       -n, --noheading
              Do not print a heading when listing OBJECTS.

       -N, --noreload
              Do not reload policy after commit

       -o, --output
              Output current customizations as semanage commands

       -p, --proto
              Protocol for the specified port (tcp|udp) or internet protocol
              version for the specified node (ipv4|ipv6).

       -r, --range
              MLS/MCS security range (MLS/MCS systems only).  The SELinux
              range for an SELinux login mapping defaults to the range of the
              SELinux user record; the SELinux range for an SELinux user
              defaults to s0-s0:c0.c1023.

       -R, --roles
              SELinux roles.  You must enclose multiple roles within quotes,
              separated by spaces, or specify -R multiple times.

       -P, --prefix
              SELinux prefix.  Prefix added to home_dir_t and home_t for
              labeling users' home directories.

       -s, --seuser
              SELinux user name

       -S, --store
              Select an alternate SELinux store to manage

       -t, --type
              SELinux type for the object

       -i, --input
              Take a set of commands from a specified file and load them in a
              single transaction.


EXAMPLE

       SELinux user
       List SELinux users
       # semanage user -l

       SELinux login
       Change joe to login as staff_u
       # semanage login -a -s staff_u joe
       Change the group clerks to login as user_u
       # semanage login -a -s user_u %clerks

       File contexts
       Add a file context for everything under /web
       # semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
       # restorecon -R -v /web

       Substitute /home1 with /home when setting file context
       # semanage fcontext -a -e /home /home1
       # restorecon -R -v /home1

       For home directories under a top level directory, for example
       /disk6/home, execute the following commands.
       # semanage fcontext -a -t home_root_t "/disk6"
       # semanage fcontext -a -e /home /disk6/home
       # restorecon -R -v /disk6

       Port contexts
       Allow Apache to listen on tcp port 81
       # semanage port -a -t http_port_t -p tcp 81

       Change Apache to a permissive domain
       # semanage permissive -a httpd_t

       Turn off dontaudit rules
       # semanage dontaudit off

       Managing multiple machines
       When multiple machines need the same customizations, extract the
       customizations from the first machine, copy them to the second and
       import them there.

       # semanage -o /tmp/local.selinux
       # scp /tmp/local.selinux secondmachine:/tmp
       # ssh secondmachine
       # semanage -i /tmp/local.selinux

       If these customizations include file contexts, you need to apply the
       contexts using restorecon.


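       Two things are easy to get wrong in the multi-machine workflow above:
       knowing whether the second machine really ended up with the same
       customizations, and knowing which directories restorecon has to be run
       on afterwards.  The following is an added example, not part of this man
       page or of semanage itself, that answers both from the exported files.
       It assumes (the example's own assumption) that a semanage -o export
       holds one semanage argument list per line without the leading program
       name, as in the SYNOPSIS; the functions customization_drift and
       fcontext_roots and the two sample exports are its own.

```shell
#!/bin/sh
# Added example; not part of the semanage man page or of the semanage tool.
# Supports the "Managing multiple machines" workflow: compare two exports
# (semanage -o on each machine) and list the directories that need
# "restorecon -R" once the file contexts have been imported.
# Assumed export format: one semanage argument list per line, no leading
# "semanage"; "#" comments and blank lines are ignored.

# _normalize FILE: drop comments and blank lines, sort, dedupe (for comm).
_normalize() { grep -Ev '^[[:space:]]*(#|$)' "$1" | sort -u; }

# customization_drift FILE_A FILE_B: print lines only in A as "- line" and
# lines only in B as "+ line"; prints nothing when the two exports agree.
customization_drift() {
    a=$(mktemp) b=$(mktemp)
    _normalize "$1" > "$a"; _normalize "$2" > "$b"
    comm -23 "$a" "$b" | sed 's/^/- /'
    comm -13 "$a" "$b" | sed 's/^/+ /'
    rm -f "$a" "$b"
}

# fcontext_roots FILE: for every fcontext line print the directory to pass to
# "restorecon -R": the -e target, or the literal prefix of the file_spec regex
# (cut at the first unescaped regex metacharacter), deduplicated.
fcontext_roots() {
    awk '
    $1 != "fcontext" { next }
    {
        # "-e replacement target": the target subtree is what gets relabelled
        for (i = 2; i <= NF; i++) if ($i == "-e") { print $(i + 2); next }
        spec = $NF
        gsub(/^["'\'']|["'\'']$/, "", spec)   # strip the quotes around the spec
        out = ""
        for (i = 1; i <= length(spec); i++) {
            c = substr(spec, i, 1)
            if (c == "\\") { out = out substr(spec, i + 1, 1); i++; continue }
            if (index("()[]*?.^$+{}|", c)) break
            out = out c
        }
        sub(/\/$/, "", out)                  # "/srv/www/" -> "/srv/www"
        if (out != "") print out
    }' "$1" | sort -u
}

# Constructed sample exports: the first machine carries the EXAMPLE section's
# customizations, the second machine has drifted.
first=$(mktemp) second=$(mktemp)
cat > "$first" <<'EOF'
# constructed export from the first machine (semanage -o)
fcontext -a -t httpd_sys_content_t "/web(/.*)?"
fcontext -a -t home_root_t "/disk6"
fcontext -a -e /home /disk6/home
port -a -t http_port_t -p tcp 81
permissive -a httpd_t
EOF
cat > "$second" <<'EOF'
# constructed export from the second machine (semanage -o)
fcontext -a -t httpd_sys_content_t "/web(/.*)?"
port -a -t http_port_t -p tcp 81
port -a -t http_port_t -p tcp 8081
EOF
echo "drift between first and second machine:"
customization_drift "$first" "$second"
echo "to run on the second machine after semanage -i:"
fcontext_roots "$first" | sed 's/^/restorecon -R -v /'
rm -f "$first" "$second"
```

       The drift output is the list to review before importing: "-" lines are
       missing on the second machine, "+" lines exist only there (here an
       extra http_port_t port and a permissive domain that was never meant to
       leave the first host).  fcontext_roots is deliberately conservative: it
       stops at the first regex metacharacter, so a spec such as
       "/srv/www/.*\.log" yields /srv/www, and nested roots such as /disk6 and
       /disk6/home can be collapsed to the parent by hand.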

AUTHOR

       This man page was written by Daniel Walsh <dwalsh@redhat.com>
       and Russell Coker <rcoker@redhat.com>.
       Examples by Thomas Bleher <ThomasBleher@gmx.de>.



                                   20100223                        semanage(8)