semanage man page on SuSE


semanage(8)							   semanage(8)

NAME
       semanage - SELinux Policy Management tool

SYNOPSIS
       semanage	 {boolean|login|user|port|interface|node|fcontext} -{l|D} [-n]
       [-S store]
       semanage boolean -{d|m} [--on|--off|-1|-0] -F boolean | boolean_file
       semanage login -{a|d|m} [-sr] login_name | %groupname
       semanage user -{a|d|m} [-LrRP] selinux_name
       semanage port -{a|d|m} [-tr] [-p proto] port | port_range
       semanage interface -{a|d|m} [-tr] interface_spec
       semanage node -{a|d|m} [-tr] [ -p protocol ] [-M netmask] address
       semanage fcontext -{a|d|m} [-frst] file_spec
       semanage fcontext -{a|d|m} -e src_path tgt_path
       semanage permissive -{a|d} type
       semanage dontaudit [ on | off ]

DESCRIPTION
       semanage is used to configure certain elements of SELinux policy
       without requiring modification to or recompilation from policy
       sources. This includes the mapping from Linux usernames to SELinux
       user identities (which controls the initial security context
       assigned to Linux users when they log in and bounds their
       authorized role set) as well as security context mappings for
       various kinds of objects, such as network ports, interfaces, and
       nodes (hosts) as well as the file context mapping. See the EXAMPLE
       section below for some examples of common usage. Note that the
       semanage login command deals with the mapping from Linux usernames
       (logins) to SELinux user identities, while the semanage user
       command deals with the mapping from SELinux user identities to
       authorized role sets. In most cases, only the former mapping needs
       to be adjusted by the administrator; the latter is principally
       defined by the base policy and usually does not require
       modification.

OPTIONS
       -a, --add
              Add an OBJECT record NAME

       -d, --delete
              Delete an OBJECT record NAME

       -D, --deleteall
	      Remove all OBJECTS local customizations

       -e, --equal
              Substitute src path for target path when labeling. This is
              used with fcontext. Requires source and destination path
              arguments. The context labeling for the destination subtree
              is made equivalent to that defined for the source.

       -f, --ftype
	      File Type.   This is used with fcontext.	Requires a  file  type
	      as  shown	 in  the  mode	field by ls, e.g. use -d to match only
	      directories or -- to match only regular files.

       -F, --file
	      Set multiple records from the input file.	 When used with the -l
	      --list,  it  will	 output	 the current settings to stdout in the
	      proper format.

	      Currently booleans only.

       -h, --help
	      display this message

       -l, --list
	      List the OBJECTS

       -C, --locallist
	      List only locally defined settings, not base policy settings.

       -L, --level
              Default SELinux Level for SELinux user, s0 Default. (MLS/MCS
              Systems only)

       -m, --modify
              Modify an OBJECT record NAME

       -n, --noheading
	      Do not print heading when listing OBJECTS.

       -p, --proto
	      Protocol	for  the specified port (tcp|udp) or internet protocol
	      version for the specified node (ipv4|ipv6).

       -r, --range
	      MLS/MCS Security Range (MLS/MCS Systems only)

       -R, --role
              SELinux Roles. You must enclose multiple roles within quotes,
              separated by spaces, or specify -R multiple times.

       -P, --prefix
              SELinux Prefix. Prefix added to home_dir_t and home_t for
              labeling users' home directories.

       -s, --seuser
	      SELinux user name

       -S, --store
              Select an alternate SELinux store to manage

       -t, --type
	      SELinux Type for the object

EXAMPLE
       # View SELinux user mappings
       $ semanage user -l
       # Allow joe to login as staff_u
       $ semanage login -a -s staff_u joe
       # Allow the group clerks to login as user_u
       $ semanage login -a -s user_u %clerks
       # Add file-context for everything under /web (used by restorecon)
       $ semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
       # Make /home1 labeling equivalent to /home (used by restorecon)
       $ semanage fcontext -a -e /home1 /home
       # Allow Apache to listen on port 81
       $ semanage port -a -t http_port_t -p tcp 81
       # Change apache to a permissive domain
       $ semanage permissive -a httpd_t
       # Turn off dontaudit rules
       $ semanage dontaudit off
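
       The following script is an added example, not part of the original
       man page. It reads a port listing and prints whether the port
       example above needs -a or -m; the function names, the sample
       listing and the rule that an exact existing record calls for -m
       are assumptions.

```shell
#!/bin/sh
# Constructed sample in the layout of `semanage port -l -n`:
# SELinux type, protocol, then comma-separated ports or port ranges.
sample_listing() {
cat <<'EOF'
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
ssh_port_t                     tcp      22
vnc_port_t                     tcp      5900-5983, 5985-5999
dns_port_t                     udp      53
EOF
}

# port_type PROTO PORT < listing
# Prints "TYPE exact" for a single-port record equal to PORT and
# "TYPE range" for a range record that contains PORT.
port_type() {
    awk -v proto="$1" -v port="$2" '
    $2 == proto {
        for (i = 3; i <= NF; i++) {
            entry = $i
            sub(/,$/, "", entry)
            n = split(entry, r, "-")
            lo = r[1] + 0
            hi = (n == 2 ? r[2] : r[1]) + 0
            if (port + 0 >= lo && port + 0 <= hi)
                print $1, (n == 1 ? "exact" : "range")
        }
    }'
}

# plan_port_cmd TYPE PROTO PORT < listing
# Prints the semanage command needed to give PROTO/PORT the wanted TYPE.
# Assumption: an existing record for exactly this port needs -m (modify);
# otherwise a new record is added with -a.
plan_port_cmd() {
    want=$1 proto=$2 port=$3
    found=$(port_type "$proto" "$port")
    if printf '%s\n' "$found" | grep -q "^$want "; then
        echo "nothing to do: $proto/$port is already $want"
    elif printf '%s\n' "$found" | grep -q ' exact$'; then
        echo "semanage port -m -t $want -p $proto $port"
    else
        echo "semanage port -a -t $want -p $proto $port"
    fi
}

# On a live system: semanage port -l -n | plan_port_cmd http_port_t tcp 81
sample_listing | plan_port_cmd http_port_t tcp 81
```

       Reviewing the printed command before running it shows which type
       currently owns a port, so a service port is not relabeled by
       accident.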

AUTHOR
       This man page was written by Daniel Walsh <dwalsh@redhat.com> and
       Russell Coker <rcoker@redhat.com>. Examples by Thomas Bleher
       <ThomasBleher@gmx.de>.

				  2005111103			   semanage(8)

Copyright (c) for man pages and the logo by the respective OS vendor.
