1semanage_selinux(8)         SELinux Policy semanage        semanage_selinux(8)
2
3
4

NAME

6       semanage_selinux - Security Enhanced Linux Policy for the semanage pro‐
7       cesses
8

DESCRIPTION

10       Security-Enhanced Linux secures the  semanage  processes  via  flexible
11       mandatory access control.
12
13       The  semanage  processes  execute with the semanage_t SELinux type. You
14       can check if you have these processes running by executing the ps  com‐
15       mand with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep semanage_t
20
21
22

ENTRYPOINTS

24       The semanage_t SELinux type can be entered via the semanage_exec_t file
25       type.
26
27       The default entrypoint paths for the semanage_t domain are the  follow‐
28       ing:
29
30       /usr/sbin/semanage,   /usr/sbin/semodule,   /usr/libexec/selinux/seman‐
31       age_migrate_store,  /usr/share/system-config-selinux/selinux_server.py,
32       /usr/share/system-config-selinux/system-config-selinux-dbus.py
33

PROCESS TYPES

35       SELinux defines process types (domains) for each process running on the
36       system
37
38       You can see the context of a process using the -Z option to ps
39
40       Policy governs the access confined processes have  to  files.   SELinux
41       semanage policy is very flexible allowing users to setup their semanage
42       processes in as secure a method as possible.
43
44       The following process types are defined for semanage:
45
46       semanage_t
47
48       Note: semanage permissive -a semanage_t can be used to make the process
49       type  semanage_t permissive. SELinux does not deny access to permissive
50       process types, but the AVC (SELinux denials) messages are still  gener‐
51       ated.
52
53

BOOLEANS

55       SELinux  policy is customizable based on least access required.  seman‐
56       age policy is extremely flexible and has several  booleans  that  allow
57       you  to manipulate the policy and run semanage with the tightest access
58       possible.
59
60
61
62       If you want to dontaudit all  daemons  scheduling  requests  (setsched,
63       sys_nice),  you  must turn on the daemons_dontaudit_scheduling boolean.
64       Enabled by default.
65
66       setsebool -P daemons_dontaudit_scheduling 1
67
68
69
70       If you want to deny user domains applications to map a memory region as
71       both  executable  and  writable,  this  is dangerous and the executable
72       should be reported in bugzilla, you must turn on the deny_execmem bool‐
73       ean. Disabled by default.
74
75       setsebool -P deny_execmem 1
76
77
78
79       If  you  want  to control the ability to mmap a low area of the address
80       space, as configured by /proc/sys/vm/mmap_min_addr, you  must  turn  on
81       the mmap_low_allowed boolean. Disabled by default.
82
83       setsebool -P mmap_low_allowed 1
84
85
86
87       If  you  want  to  allow  system  to run with NIS, you must turn on the
88       nis_enabled boolean. Disabled by default.
89
90       setsebool -P nis_enabled 1
91
92
93
94       If you want to disable kernel module loading, you must turn on the  se‐
95       cure_mode_insmod boolean. Disabled by default.
96
97       setsebool -P secure_mode_insmod 1
98
99
100
101       If  you  want to allow unconfined executables to make their heap memory
102       executable.  Doing this is a really  bad  idea.  Probably  indicates  a
103       badly  coded  executable, but could indicate an attack. This executable
104       should be reported in bugzilla, you must turn  on  the  selinuxuser_ex‐
105       echeap boolean. Disabled by default.
106
107       setsebool -P selinuxuser_execheap 1
108
109
110
111       If  you  want  to allow unconfined executables to make their stack exe‐
112       cutable.  This should never, ever be necessary.  Probably  indicates  a
113       badly  coded  executable, but could indicate an attack. This executable
114       should be reported in bugzilla, you must turn on the  selinuxuser_exec‐
115       stack boolean. Enabled by default.
116
117       setsebool -P selinuxuser_execstack 1
118
119
120

MANAGED FILES

122       The  SELinux  process type semanage_t can manage files labeled with the
123       following file types.  The paths listed are the default paths for these
124       file types.  Note the processes UID still need to have DAC permissions.
125
126       file_type
127
128            all files on the system
129
130

FILE CONTEXTS

132       SELinux requires files to have an extended attribute to define the file
133       type.
134
135       You can see the context of a file using the -Z option to ls
136
137       Policy governs the access  confined  processes  have  to  these  files.
138       SELinux  semanage policy is very flexible allowing users to setup their
139       semanage processes in as secure a method as possible.
140
141       EQUIVALENCE DIRECTORIES
142
143
144       semanage policy stores data with multiple different file context  types
145       under  the  /var/lib/selinux directory.  If you would like to store the
146       data in a different directory you can use the semanage command to  cre‐
147       ate an equivalence mapping.  If you wanted to store this data under the
148       /srv directory you would execute the following command:
149
150       semanage fcontext -a -e /var/lib/selinux /srv/selinux
151       restorecon -R -v /srv/selinux
152
153       STANDARD FILE CONTEXT
154
155       SELinux defines the file context types for the semanage, if you  wanted
156       to  store files with these types in a different paths, you need to exe‐
157       cute the semanage command to specify alternate labeling  and  then  use
158       restorecon to put the labels on disk.
159
160       semanage fcontext -a -t semanage_store_t '/srv/semanage/content(/.*)?'
161       restorecon -R -v /srv/mysemanage_content
162
163       Note:  SELinux  often  uses  regular expressions to specify labels that
164       match multiple files.
165
166       The following file types are defined for semanage:
167
168
169
170       semanage_exec_t
171
172       - Set files with the semanage_exec_t type, if you want to transition an
173       executable to the semanage_t domain.
174
175
176       Paths:
177            /usr/sbin/semanage,  /usr/sbin/semodule, /usr/libexec/selinux/sem‐
178            anage_migrate_store,                     /usr/share/system-config-
179            selinux/selinux_server.py,   /usr/share/system-config-selinux/sys‐
180            tem-config-selinux-dbus.py
181
182
183       semanage_read_lock_t
184
185       - Set files with the semanage_read_lock_t type, if you  want  to  treat
186       the files as semanage read lock data, stored under the /var/lock direc‐
187       tory
188
189
190       Paths:
191            /etc/selinux/([^/]*/)?modules/semanage.read.LOCK,
192            /var/lib/selinux/[^/]+/semanage.read.LOCK
193
194
195       semanage_store_t
196
197       -  Set  files  with the semanage_store_t type, if you want to treat the
198       files as semanage store data.
199
200
201       Paths:
202            /etc/selinux/([^/]*/)?policy(/.*)?, /etc/selinux/(minimum|mls|tar‐
203            geted)/active(/.*)?,            /etc/selinux/([^/]*/)?modules/(ac‐
204            tive|tmp|previous)(/.*)?,                  /var/lib/selinux(/.*)?,
205            /etc/share/selinux/mls(/.*)?, /etc/share/selinux/targeted(/.*)?
206
207
208       semanage_tmp_t
209
210       - Set files with the semanage_tmp_t type, if you want to store semanage
211       temporary files in the /tmp directories.
212
213
214
215       semanage_trans_lock_t
216
217       - Set files with the semanage_trans_lock_t type, if you want  to  treat
218       the  files  as semanage trans lock data, stored under the /var/lock di‐
219       rectory
220
221
222       Paths:
223            /etc/selinux/([^/]*/)?modules/semanage.trans.LOCK,
224            /var/lib/selinux/[^/]+/semanage.trans.LOCK
225
226
227       Note:  File context can be temporarily modified with the chcon command.
228       If you want to permanently change the file context you need to use  the
229       semanage fcontext command.  This will modify the SELinux labeling data‐
230       base.  You will need to use restorecon to apply the labels.
231
232

COMMANDS

234       semanage fcontext can also be used to manipulate default  file  context
235       mappings.
236
237       semanage  permissive  can  also  be used to manipulate whether or not a
238       process type is permissive.
239
240       semanage module can also be used to enable/disable/install/remove  pol‐
241       icy modules.
242
243       semanage boolean can also be used to manipulate the booleans
244
245
246       system-config-selinux is a GUI tool available to customize SELinux pol‐
247       icy settings.
248
249

AUTHOR

251       This manual page was auto-generated using sepolicy manpage .
252
253

SEE ALSO

255       selinux(8), semanage(8), semanage(8), restorecon(8),  chcon(1),  sepol‐
256       icy(8), setsebool(8)
257
258
259
260semanage                           23-12-15                semanage_selinux(8)
Impressum