NAME¶
semanage - SELinux Policy Management tool
SYNOPSIS¶
Output local customizations
semanage [ -S store ] -o [ output_file | - ]
Input local customizations
semanage [ -S store ] -i [ input_file | - ]
Manage booleans. Booleans allow the administrator to modify the confinement of
processes based on his configuration.
semanage boolean [-S store] -{d|m|l|D} [-n] [--on|--off|-1|-0] -F boolean |
boolean_file
Manage SELinux confined users (Roles and levels for an SELinux user)
semanage user [-S store] -{a|d|m|l|D} [-LnPrR] selinux_name
Manage login mappings between linux users and SELinux confined users.
semanage login [-S store] -{a|d|m|l|D} [-nrs] login_name | %groupname
Manage policy modules.
semanage module [-S store] -{a|d|l} [-m [--enable | --disable] ]
module_name
Manage network port type definitions
semanage port [-S store] -{a|d|m|l|D} [-nrt] [-p proto] port | port_range
Manage network interface type definitions
semanage interface [-S store] -{a|d|m|l|D} [-nrt] interface_spec
Manage network node type definitions
semanage node [-S store] -{a|d|m|l|D} [-nrt] [ -p protocol ] [-M netmask]
address
Manage file context mapping definitions
semanage fcontext [-S store] -{a|d|m|l|D} [-fnrst] file_spec
semanage fcontext [-S store] -{a|d|m|l|D} [-n] -e replacement target
Manage processes type enforcement mode
semanage permissive [-S store] -{a|d|l|D} [-n] type
Disable/Enable dontaudit rules in policy
semanage dontaudit [-S store] [ on | off ]
Execute multiple commands within a single transaction.
semanage [-S store] -i command-file
DESCRIPTION¶
semanage is used to configure certain elements of SELinux policy without
requiring modification to or recompilation from policy sources. This includes
the mapping from Linux usernames to SELinux user identities (which controls
the initial security context assigned to Linux users when they login and
bounds their authorized role set) as well as security context mappings for
various kinds of objects, such as network ports, interfaces, and nodes (hosts)
as well as the file context mapping. See the EXAMPLES section below for some
examples of common usage. Note that the semanage login command deals with the
mapping from Linux usernames (logins) to SELinux user identities, while the
semanage user command deals with the mapping from SELinux user identities to
authorized role sets. In most cases, only the former mapping needs to be
adjusted by the administrator; the latter is principally defined by the base
policy and usually does not require modification.
OPTIONS¶
- -a, --add
- Add a OBJECT record NAME
- -d, --delete
- Delete a OBJECT record NAME
- -D, --deleteall
- Remove all OBJECTS local customizations
- --disable
- Disable a policy module, requires -m option
Currently modules only.
- --enable
- Enable a disabled policy module, requires -m option
Currently modules only.
- -e, --equal
- Substitute target path with sourcepath when generating
default label. This is used with fcontext. Requires source and target path
arguments. The context labeling for the target subtree is made equivalent
to that defined for the source.
- -f, --ftype
- File Type. This is used with fcontext. Requires a file type
as shown in the mode field by ls, e.g. use -d to match only directories or
-- to match only regular files.
- -F, --file
- Set multiple records from the input file. When used with
the -l --list, it will output the current settings to stdout in the proper
format.
Currently booleans only.
- -h, --help
- display this message
- -l, --list
- List the OBJECTS
- -C, --locallist
- List only locally defined settings, not base policy
settings.
- -L, --level
- Default SELinux Level for SELinux use, s0 Default. (MLS/MCS
Systems only)
- -m, --modify
- Modify a OBJECT record NAME
- -M, --mask
- Network Mask
- -n, --noheading
- Do not print heading when listing OBJECTS.
- -p, --proto
- Protocol for the specified port (tcp|udp) or internet
protocol version for the specified node (ipv4|ipv6).
- -r, --range
- MLS/MCS Security Range (MLS/MCS Systems only)
- -R, --role
- SELinux Roles. You must enclose multiple roles within
quotes, separate by spaces. Or specify -R multiple times.
- -P, --prefix
- SELinux Prefix. Prefix added to home_dir_t and home_t for
labeling users home directories.
- -s, --seuser
- SELinux user name
- -S, --store
- Select and alternate SELinux store to manage
- -t, --type
- SELinux Type for the object
- -i, --input
- Take a set of commands from a specified file and load them
in a single transaction.
- -o, --output
- Output all local customizations into a file. This file than
can be used with the semanage -i command to customize other machines to
match the local machine.
EXAMPLE¶
SELinux user
List SELinux users
# semanage user -l
SELinux login
Change joe to login as staff_u
# semanage login -a -s staff_u joe
Change the group clerks to login as user_u
# semanage login -a -s user_u %clerks
File contexts remember to run restorecon after you set the file context
Add file-context for everything under /web
# semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
# restorecon -R -v /web
Substitute /home1 with /home when setting file context
# semanage fcontext -a -e /home /home1
# restorecon -R -v /home1
For home directories under top level directory, for example /disk6/home,
execute the following commands.
# semanage fcontext -a -t home_root_t "/disk6"
# semanage fcontext -a -e /home /disk6/home
# restorecon -R -v /disk6
Port contexts
Allow Apache to listen on tcp port 81
# semanage port -a -t http_port_t -p tcp 81
Change apache to a permissive domain
# semanage permissive -a httpd_t
Turn off dontaudit rules
# semanage dontaudit off
Managing multiple machines
Multiple machines that need the same customizations.
Extract customizations off first machine, copy them
to second and import them.
# semanage -o /tmp/local.selinux
# scp /tmp/local.selinux secondmachine:/tmp
# ssh secondmachine
# semanage -i /tmp/local.selinux
If these customizations include file context, you need to apply the
context using restorecon.
AUTHOR¶
This man page was written by Daniel Walsh <dwalsh@redhat.com>
and Russell Coker <rcoker@redhat.com>.
Examples by Thomas Bleher <ThomasBleher@gmx.de>.
