semanage(8)                                                        semanage(8)

NAME

       semanage - SELinux Policy Management tool

SYNOPSIS

       semanage {login|user|port|interface|fcontext|translation} -l [-n]
       semanage login -{a|d|m} [-sr] login_name
       semanage user -{a|d|m} [-LrRP] selinux_name
       semanage port -{a|d|m} [-tr] [-p protocol] port | port_range
       semanage interface -{a|d|m} [-tr] interface_spec
       semanage fcontext -{a|d|m} [-frst] file_spec
       semanage translation -{a|d|m} [-T] level

DESCRIPTION

       semanage is used to configure certain elements of SELinux policy
       without requiring modification to or recompilation from policy
       sources. This includes the mapping from Linux usernames to SELinux
       user identities (which controls the initial security context
       assigned to Linux users when they log in and bounds their authorized
       role set) as well as security context mappings for various kinds of
       objects, such as network ports, interfaces, and nodes (hosts), and
       the file context mapping. See the EXAMPLE section below for some
       examples of common usage.

       Note that the semanage login command deals with the mapping from
       Linux usernames (logins) to SELinux user identities, while the
       semanage user command deals with the mapping from SELinux user
       identities to authorized role sets. In most cases, only the former
       mapping needs to be adjusted by the administrator; the latter is
       principally defined by the base policy and usually does not require
       modification.

OPTIONS

       -a, --add
              Add an OBJECT record NAME.

       -d, --delete
              Delete an OBJECT record NAME.

       -f, --ftype
              File type. This is used with fcontext. Requires a file type
              as shown in the mode field by ls, e.g. use -d to match only
              directories or -- to match only regular files.

       -h, --help
              Display this message.

       -l, --list
              List the OBJECTS.

       -L, --level
              Default SELinux level for the SELinux user; the default is
              s0. (MLS/MCS systems only)

       -m, --modify
              Modify an OBJECT record NAME.

       -n, --noheading
              Do not print the heading when listing OBJECTS.

       -p, --proto
              Protocol for the specified port (tcp|udp).

       -r, --range
              MLS/MCS security range. (MLS/MCS systems only)

       -R, --role
              SELinux roles. Enclose multiple roles in quotes, separated
              by spaces, or specify -R multiple times.

       -P, --prefix
              SELinux prefix. Prefix added to home_dir_t and home_t for
              labeling users' home directories.

       -s, --seuser
              SELinux user name.

       -t, --type
              SELinux type for the object.

       -T, --trans
              SELinux translation.

EXAMPLE

       # View SELinux user mappings
       $ semanage user -l
       # Allow joe to log in as staff_u
       $ semanage login -a -s staff_u joe
       # Add file-context for everything under /web (used by restorecon)
       $ semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
       # Allow Apache to listen on port 81
       $ semanage port -a -t http_port_t -p tcp 81
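
The -n option exists so that listings can be consumed by scripts. The following is an added example, not part of the original man page: it reads `semanage port -l -n` output and decides whether a port record needs -a (no record with that name yet) or -m (a record exists with another type). The three-column listing layout, the sample data, and the function names record_type and plan_port_label are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the semanage man page.
# Constructed sample of `semanage port -l -n` output. Assumed column layout:
# SELinux type, protocol, comma-separated ports or port ranges.
SAMPLE_LISTING='http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
ssh_port_t                     tcp      22
xserver_port_t                 tcp      6000-6020
dns_port_t                     udp      53
dns_port_t                     tcp      53'

# record_type PROTO PORT_OR_RANGE   (hypothetical helper)
# Reads a listing on stdin and prints the type of the record whose name is
# exactly PORT_OR_RANGE for PROTO; prints nothing if there is no such record.
record_type() {
    awk -v proto="$1" -v name="$2" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                entry = $i
                sub(/,$/, "", entry)              # drop the list separator
                # Compare as strings so "6000-6020" and "80" are both exact.
                if ((entry "") == (name "")) { print $1; exit }
            }
        }'
}

# plan_port_label TYPE PROTO PORT_OR_RANGE   (hypothetical helper)
# Reads a listing on stdin and prints the semanage command that brings the
# record to TYPE, or "ok" when the record already has that type.
plan_port_label() {
    current=$(record_type "$2" "$3")
    if [ -z "$current" ]; then
        echo "semanage port -a -t $1 -p $2 $3"    # no record yet: add
    elif [ "$current" = "$1" ]; then
        echo "ok"                                 # nothing to change
    else
        echo "semanage port -m -t $1 -p $2 $3"    # retype existing record
    fi
}

# On a live system: semanage port -l -n | plan_port_label http_port_t tcp 81
printf '%s\n' "$SAMPLE_LISTING" | plan_port_label http_port_t tcp 81
```

The functions only print the command; review it before running it as root.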

AUTHOR

       This man page was written by Daniel Walsh <dwalsh@redhat.com> and
       Russell Coker <rcoker@redhat.com>. Examples by Thomas Bleher
       <ThomasBleher@gmx.de>.

                                  2005111103                       semanage(8)