semanage(8)                                                        semanage(8)



NAME

       semanage - SELinux Policy Management tool


SYNOPSIS

       Output local customizations
       semanage [ -S store ] -o [ output_file | - ]

       Input local customizations
       semanage [ -S store ] -i [ input_file | - ]

       Manage booleans.  Booleans allow the administrator to modify the
       confinement of processes based on the local configuration.
       semanage boolean [-S store] -{d|m|l|n|D} -[-on|-off|1|0] -F boolean |
       boolean_file

       Manage SELinux confined users (Roles and levels for an SELinux user)
       semanage user [-S store] -{a|d|m|l|n|D} [-LrRP] selinux_name

       Manage login mappings between Linux users and SELinux confined users.
       semanage login [-S store] -{a|d|m|l|n|D} [-sr] login_name | %groupname

       Manage policy modules.
       semanage module [-S store] -{a|d|l} [-m [--enable | --disable] ]
       module_name

       Manage network port type definitions
       semanage port [-S store] -{a|d|m|l|n|D} [-tr] [-p proto] port |
       port_range

       Manage network interface type definitions
       semanage interface [-S store] -{a|d|m|l|n|D} [-tr] interface_spec

       Manage network node type definitions
       semanage node [-S store] -{a|d|m|l|n|D} [-tr] [ -p protocol ]
       [-M netmask] address

       Manage file context mapping definitions
       semanage fcontext [-S store] -{a|d|m|l|n|D} [-frst] file_spec
       semanage fcontext [-S store] -{a|d|m|l|n|D} -e replacement target

       Manage process type enforcement mode
       semanage permissive [-S store] -{a|d|l|n|D} type

       Disable/Enable dontaudit rules in policy
       semanage dontaudit [-S store] [ on | off ]

       Execute multiple commands within a single transaction.
       semanage [-S store] -i command-file



DESCRIPTION

       semanage is used to configure certain elements of SELinux policy
       without requiring modification to or recompilation from policy
       sources.  This includes the mapping from Linux usernames to SELinux
       user identities (which controls the initial security context assigned
       to Linux users when they log in and bounds their authorized role set)
       as well as security context mappings for various kinds of objects,
       such as network ports, interfaces, and nodes (hosts), as well as the
       file context mapping.  See the EXAMPLE section below for some examples
       of common usage.  Note that the semanage login command deals with the
       mapping from Linux usernames (logins) to SELinux user identities,
       while the semanage user command deals with the mapping from SELinux
       user identities to authorized role sets.  In most cases, only the
       former mapping needs to be adjusted by the administrator; the latter
       is principally defined by the base policy and usually does not
       require modification.



OPTIONS

       -a, --add
              Add an OBJECT record NAME

       -d, --delete
              Delete an OBJECT record NAME

       -D, --deleteall
              Remove all local customizations of OBJECTS

       --disable
              Disable a policy module; requires the -m option.

              Currently modules only.

       --enable
              Enable a disabled policy module; requires the -m option.

              Currently modules only.

       -e, --equal
              Substitute the target path with the source path when
              generating the default label.  This is used with fcontext.
              Requires source and target path arguments.  The context
              labeling for the target subtree is made equivalent to that
              defined for the source.

       -f, --ftype
              File Type.  This is used with fcontext.  Requires a file type
              as shown in the mode field by ls, e.g. use -d to match only
              directories or -- to match only regular files.

       -F, --file
              Set multiple records from the input file.  When used with -l,
              --list, it will output the current settings to stdout in the
              proper format.

              Currently booleans only.

       -h, --help
              Display this message

       -l, --list
              List the OBJECTS

       -C, --locallist
              List only locally defined settings, not base policy settings.

       -L, --level
              Default SELinux Level for the SELinux user, s0 by default.
              (MLS/MCS Systems only)

       -m, --modify
              Modify an OBJECT record NAME

       -M, --mask
              Network Mask

       -n, --noheading
              Do not print the heading when listing OBJECTS.

       -p, --proto
              Protocol for the specified port (tcp|udp) or internet protocol
              version for the specified node (ipv4|ipv6).

       -r, --range
              MLS/MCS Security Range (MLS/MCS Systems only)

       -R, --role
              SELinux Roles.  To specify multiple roles, enclose them in
              quotes separated by spaces, or specify -R multiple times.

       -P, --prefix
              SELinux Prefix.  Prefix added to home_dir_t and home_t for
              labeling users' home directories.

       -s, --seuser
              SELinux user name

       -S, --store
              Select an alternate SELinux store to manage

       -t, --type
              SELinux Type for the object

       -i, --input
              Take a set of commands from a specified file and load them in
              a single transaction.



EXAMPLE

       SELinux user
       List SELinux users
       # semanage user -l

       SELinux login
       Change joe to login as staff_u
       # semanage login -a -s staff_u joe
       Change the group clerks to login as user_u
       # semanage login -a -s user_u %clerks

       File contexts
       Add file-context for everything under /web
       # semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
       # restorecon -R -v /web

       Substitute /home1 with /home when setting file context
       # semanage fcontext -a -e /home /home1
       # restorecon -R -v /home1

       For home directories under a top level directory, for example
       /disk6/home, execute the following commands.
       # semanage fcontext -a -t home_root_t "/disk6"
       # semanage fcontext -a -e /home /disk6/home
       # restorecon -R -v /disk6

       Port contexts
       Allow Apache to listen on tcp port 81
       # semanage port -a -t http_port_t -p tcp 81

       Change apache to a permissive domain
       # semanage permissive -a httpd_t

       Turn off dontaudit rules
       # semanage dontaudit off

       Managing multiple machines
       When multiple machines need the same customizations, extract the
       customizations from the first machine, copy them to the second, and
       import them there.

       # semanage -o /tmp/local.selinux
       # scp /tmp/local.selinux secondmachine:/tmp
       # ssh secondmachine
       # semanage -i /tmp/local.selinux

       If these customizations include file contexts, you need to apply
       the contexts using restorecon.
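       The file that semanage -o writes and semanage -i reads is a plain
       list of subcommands, one per line, so it can be reviewed before it is
       applied to the second machine.  The following Python script is an
       added example, not part of semanage(8) or the policycoreutils
       project: it parses such a file using the argument syntax of the
       SYNOPSIS above and reports entries that weaken enforcement (permissive
       domains, dontaudit off, fcontext rules whose regex also covers
       unrelated system paths) or that are malformed.  The sample file, the
       sensitive-path list and the port/fcontext values in it are
       constructed.

```python
"""Audit a semanage customization file before importing it with
'semanage -i'.

Added example, not part of semanage(8) or the policycoreutils project.
It assumes the file holds one semanage subcommand per line, in the
argument syntax of the SYNOPSIS (e.g. "port -a -t http_port_t -p tcp 81");
the sample file and the sensitive-path list below are constructed.
"""
import re
import shlex

# Objects named in the SYNOPSIS of semanage(8).
KNOWN_OBJECTS = {"boolean", "user", "login", "module", "port", "interface",
                 "node", "fcontext", "permissive", "dontaudit"}

# Options that consume the following token as their value.
VALUE_OPTS = {"-t", "-p", "-s", "-f", "-r", "-R", "-L", "-P", "-M", "-S"}

# If a new fcontext regex fully matches any of these, it is broader than
# an administrator normally intends (constructed list, extend as needed).
SENSITIVE_PATHS = ("/etc/shadow", "/usr/bin/sudo", "/var/log/audit/audit.log")

# Constructed sample of an exported customization file (values invented).
SAMPLE_EXPORT = """\
port -D
fcontext -D
port -a -t http_port_t -p tcp 81
fcontext -a -t httpd_sys_content_t '/web(/.*)?'
fcontext -a -e /home /home1
login -a -s staff_u joe
permissive -a httpd_t
dontaudit off
fcontext -a -t public_content_rw_t '/.*'
bogus -a foo
"""


def parse_line(line):
    """Split one command-file line into (object, action, options, positionals).

    action is one of -a/-d/-m/-D (or None); options maps flag -> value
    (True for flags that take no value, such as -e or -l)."""
    argv = shlex.split(line)
    obj, rest = argv[0], argv[1:]
    action, opts, positional = None, {}, []
    i = 0
    while i < len(rest):
        tok = rest[i]
        if tok in VALUE_OPTS:
            if i + 1 >= len(rest):
                raise ValueError(f"option {tok} is missing its value")
            opts[tok] = rest[i + 1]
            i += 2
        elif tok.startswith("-"):
            if tok in ("-a", "-d", "-m", "-D"):
                action = tok
            else:
                opts[tok] = True
            i += 1
        else:
            positional.append(tok)
            i += 1
    return obj, action, opts, positional


def audit(text):
    """Return a list of findings for the file; an empty list means nothing
    in it weakens enforcement or looks malformed."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            obj, action, opts, pos = parse_line(line)
        except ValueError as exc:  # shlex quoting errors or a dangling option
            findings.append(f"line {lineno}: unparseable ({exc})")
            continue
        if obj not in KNOWN_OBJECTS:
            findings.append(f"line {lineno}: unknown object '{obj}'")
        elif obj == "permissive" and action == "-a":
            # Denials for this domain will be logged but no longer enforced.
            findings.append(f"line {lineno}: permissive domain added: "
                            f"{pos[0] if pos else '?'}")
        elif obj == "dontaudit" and pos == ["off"]:
            findings.append(f"line {lineno}: dontaudit rules disabled "
                            "(expect a large rise in AVC audit volume)")
        elif obj == "fcontext" and action == "-a" and "-e" not in opts:
            spec = pos[-1] if pos else ""
            try:
                pattern = re.compile(spec)
            except re.error:
                findings.append(f"line {lineno}: invalid fcontext regex {spec!r}")
                continue
            # setfiles/restorecon match the regex against the whole path,
            # so fullmatch reproduces which files the rule would relabel.
            hits = [p for p in SENSITIVE_PATHS if pattern.fullmatch(p)]
            if hits:
                findings.append(f"line {lineno}: fcontext {spec!r} -> "
                                f"{opts.get('-t')} also relabels {hits}")
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    for finding in audit(text):
        print(finding)
```

       Run it as "python3 audit_semanage.py /tmp/local.selinux" on the
       receiving machine before "semanage -i"; a non-empty report is a cue
       to review the export by hand rather than apply it unchanged.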



AUTHOR

       This man page was written by Daniel Walsh <dwalsh@redhat.com>
       and Russell Coker <rcoker@redhat.com>.
       Examples by Thomas Bleher <ThomasBleher@gmx.de>.



                                   20100223                        semanage(8)