semanage.conf(5)           Linux System Administration           semanage.conf(5)



NAME
       semanage.conf - global configuration file for the SELinux Management
       library

DESCRIPTION
       The semanage.conf file is usually located under the directory
       /etc/selinux and it is used for run-time configuration of the behavior
       of the SELinux Management library.

       Each line should contain a configuration parameter followed by the
       equal sign ("=") and then followed by the configuration value for that
       parameter. Anything after a "#" symbol is ignored, as are empty lines.

       The following parameters are allowed:

       module-store
              Specify how the SELinux Management library should interact with
              the SELinux policy store. When set to "direct", the SELinux
              Management library writes to the SELinux policy module store
              directly (this is the default setting). Otherwise a socket path
              or a server name can be used for the argument. If the argument
              begins with "/" (as in "/foo/bar"), it represents the path to a
              named socket that should be used to connect to the policy
              management server. If the argument does not begin with a "/"
              (as in "example.com:4242"), it should be interpreted as the
              name of a remote policy management server to be used through a
              TCP connection (the default port is 4242 unless a different one
              is specified after the server name, using a colon to separate
              the two fields).

       root   Specify an alternative root path to use for the store. The
              default is "/".

       store-root
              Specify an alternative store_root path to use. The default is
              "/var/lib/selinux".

       compiler-directory
              Specify an alternative directory that contains HLL to CIL
              compilers. The default value is "/usr/libexec/selinux/hll".

       ignore-module-cache
              Whether or not to ignore the cache of CIL modules compiled from
              HLL. It can be set to either "true" or "false" and is set to
              "false" by default. If the cache is ignored, then all CIL
              modules are recompiled from their HLL modules.

       policy-version
              When generating the policy, by default semanage will set the
              policy version to POLICYDB_VERSION_MAX, as defined in
              <sepol/policydb/policydb.h>. Change this setting if a different
              version needs to be set for the policy.

       target-platform
              The target platform to generate policies for. Valid values are
              "selinux" and "xen"; the default is "selinux".

       expand-check
              Whether or not to check "neverallow" rules when executing any
              semanage command. It can be set to either "0" (disabled) or "1"
              (enabled) and by default it is enabled. There might be a large
              penalty in execution time if this option is enabled.

       file-mode
              By default the permission mode for the run-time policy files is
              set to 0644.

       save-previous
              Controls whether the previous module directory is saved after a
              successful commit to the policy store. It can be set to either
              "true" or "false". By default it is set to "false" (the previous
              version is deleted).

       save-linked
              Controls whether the previously linked module is saved (with
              the name "base.linked") after a successful commit to the policy
              store. It can be set to either "true" or "false" and by default
              it is set to "false" (the previous module is deleted).

       ignoredirs
              List, separated by ";", of directories to ignore when setting
              up users' home directories. Some distributions use this to stop
              labeling /root as a home directory.

       usepasswd
              Whether or not to use getpwent() to obtain the list of home
              directories to label. It can be set to either "true" or
              "false". By default it is set to "true".

       disable-genhomedircon
              Controls whether or not the genhomedircon function is executed
              when using the semanage command. It can be set to either
              "false" or "true". By default the genhomedircon functionality
              is enabled (equivalent to this option set to "false").

       handle-unknown
              This option overrides the kernel behavior for handling
              permissions defined in the kernel but missing from the actual
              policy. It can be set to "deny", "reject" or "allow". By default
              the setting from the policy is taken.

       bzip-blocksize
              The bzip block size; it should be in the range 0-9. A value of
              0 means no compression. By default the bzip block size is set
              to 9 (the actual block size value is obtained after
              multiplication by 100000).

       bzip-small
              When set to "true", the bzip algorithm shall try to reduce its
              system memory usage. It can be set to either "true" or "false"
              and by default it is set to "false".

       remove-hll
              When set to "true", HLL files will be removed after compilation
              into CIL. In order to delete HLL files already compiled into
              CIL, modules will need to be recompiled with the
              ignore-module-cache option set to "true" or using the
              ignore-module-cache option with semodule. The remove-hll option
              can be set to either "true" or "false" and by default it is set
              to "false".

              Please note that since this option deletes all HLL files, an
              updated HLL compiler will not be able to recompile the original
              HLL file into CIL. In order to compile the original HLL file
              into CIL, the same HLL file will need to be reinstalled.

       optimize-policy
              When set to "true", the kernel policy will be optimized upon
              rebuilds. It can be set to either "true" or "false" and by
              default it is set to "false".
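
       As an added example (not part of this manual page or of the SELinux
       userspace code), the following Python parses semanage.conf-style text
       in the line format described above and checks each value against the
       constraints documented for the parameters, flagging settings that
       reduce checking. The parameter names and value ranges come from this
       page; the lint rules, the module_store helper and the sample text are
       constructed for the example.

```python
# Added example, not from the semanage.conf man page or the SELinux userspace project:
# parse semanage.conf-style text and check values against the documented constraints.

BOOLEANS = {"ignore-module-cache", "save-previous", "save-linked", "usepasswd",
            "disable-genhomedircon", "bzip-small", "remove-hll", "optimize-policy"}
CHOICES = {"target-platform": {"selinux", "xen"}, "handle-unknown": {"deny", "reject", "allow"},
           "expand-check": {"0", "1"}}

def parse(text):
    """Return {parameter: value}; '#' starts a comment and empty lines are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("line without '=': %r" % raw)
        conf[key.strip()] = value.strip()
    return conf

def module_store(value):
    """Classify module-store as ('direct', None), ('socket', path) or ('tcp', (host, port))."""
    if value == "direct":
        return ("direct", None)
    if value.startswith("/"):
        return ("socket", value)
    host, _, port = value.partition(":")
    return ("tcp", (host, int(port) if port else 4242))  # 4242 is the documented default port

def lint(conf):
    """Return malformed values plus settings that reduce checking (rules constructed here)."""
    problems = []
    for key, val in conf.items():
        if key in BOOLEANS and val not in ("true", "false"):
            problems.append("%s: expected true/false, got %r" % (key, val))
        elif key in CHOICES and val not in CHOICES[key]:
            problems.append("%s: expected one of %s" % (key, sorted(CHOICES[key])))
        elif key == "bzip-blocksize" and not (val.isdigit() and int(val) <= 9):
            problems.append("bzip-blocksize: must be 0-9")
    if conf.get("expand-check") == "0":
        problems.append("expand-check=0: neverallow rules are not checked")
    if conf.get("handle-unknown") == "allow":
        problems.append("handle-unknown=allow: permissions missing from the policy are allowed")
    if module_store(conf.get("module-store", "direct"))[0] == "tcp":
        problems.append("module-store: policy store managed over a remote TCP connection")
    return problems

SAMPLE = "module-store = direct\nexpand-check = 0  # trailing comment\nhandle-unknown=allow\n"  # constructed
```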

SEE ALSO
       semanage(8)

AUTHOR
       This manual page was written by Guido Trentalancia
       <guido@trentalancia.com>.

       The SELinux management library was written by Tresys Technology LLC
       and Red Hat Inc.



semanage.conf                    September 2011                  semanage.conf(5)