LinuxCommandLibrary

semanage

SELinux Policy Management tool

TLDR

Output local customizations

$ semanage -S [store] -o [path/to/output_file]


Take a set of commands from a specified file and load them in a single transaction
$ semanage -S [store] -i [path/to/input_file]


Manage booleans. Booleans allow the administrator to modify the confinement of processes based on the current configuration
$ semanage boolean -S [store] [--delete|--modify|--list|--noheading|--deleteall] [-on|-off] -F [boolean|boolean_file]


Manage policy modules
$ semanage module -S [store] [--add|--delete|--list|--modify] [--enable|--disable] [module_name]


Disable/Enable dontaudit rules in policy
$ semanage dontaudit -S [store] [on|off]

Name



semanage - SELinux Policy Management tool

Synopsis



Output local customizations
semanage [ -S store ] -o [ output_file | - ]


Input local customizations
semanage [ -S store ] -i [ input_file | - ]


Manage booleans. Booleans allow the administrator to modify the confinement of processes based on his configuration.
semanage boolean [-S store] -{d|m|l|n|D} -[-on|-off|1|0] -F boolean | boolean_file


Manage SELinux confined users (Roles and levels for an SELinux user)
semanage user [-S store] -{a|d|m|l|n|D} [-LrRP] selinux_name


Manage login mappings between linux users and SELinux confined users.
semanage login [-S store] -{a|d|m|l|n|D} [-sr] login_name | %groupname


Manage policy modules.
semanage module [-S store] -{a|d|l} [-m [--enable | --disable] ] module_name


Manage network port type definitions
semanage port [-S store] -{a|d|m|l|n|D} [-tr] [-p proto] port | port_range


Manage network interface type definitions
semanage interface [-S store] -{a|d|m|l|n|D} [-tr] interface_spec


Manage network node type definitions
semanage node [-S store] -{a|d|m|l|n|D} [-tr] [ -p protocol ] [-M netmask] address


Manage file context mapping definitions
semanage fcontext [-S store] -{a|d|m|l|n|D} [-frst] file_spec
semanage fcontext [-S store] -{a|d|m|l|n|D} -e replacement target


Manage processes type enforcement mode
semanage permissive [-S store] -{a|d|l|n|D} type


Disable/Enable dontaudit rules in policy
semanage dontaudit [-S store] [ on | off ]


Execute multiple commands within a single transaction.
semanage [-S store] -i command-file

Description



semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources. This includes the mapping from Linux usernames to SELinux user identities (which controls the initial security context assigned to Linux users when they login and bounds their authorized role set) as well as security context mappings for various kinds of objects, such as network ports, interfaces, and nodes (hosts) as well as the file context mapping. See the EXAMPLES section below for some examples of common usage. Note that the semanage login command deals with the mapping from Linux usernames (logins) to SELinux user identities, while the semanage user command deals with the mapping from SELinux user identities to authorized role sets. In most cases, only the former mapping needs to be adjusted by the administrator; the latter is principally defined by the base policy and usually does not require modification.

Options



-a, --add
    Add a OBJECT record NAME

-d, --delete
    Delete a OBJECT record NAME

-D, --deleteall
    Remove all OBJECTS local customizations

--disable
    Disable a policy module, requires -m option. Currently modules only.

--enable
    Enable a disabled policy module, requires -m option. Currently modules only.

-e, --equal
    Substitute target path with sourcepath when generating default label. This is used with fcontext. Requires source and target path arguments. The context labeling for the target subtree is made equivalent to that defined for the source.

-f, --ftype
    File Type. This is used with fcontext. Requires a file type as shown in the mode field by ls, e.g. use -d to match only directories or -- to match only regular files.

-F, --file
    Set multiple records from the input file. When used with the -l --list, it will output the current settings to stdout in the proper format. Currently booleans only.

-h, --help
    Display this message

-l, --list
    List the OBJECTS

-C, --locallist
    List only locally defined settings, not base policy settings.

-E, --extract
    Extract customizable commands

-L, --level
    Default SELinux Level for SELinux user, s0 Default. (MLS/MCS Systems only)

-m, --modify
    Modify a OBJECT record NAME

-M, --mask
    Network Mask

-n, --noheading
    Do not print heading when listing OBJECTS.

-o, --output
    Output current customizations as semanage commands

-p, --proto
    Protocol for the specified port (tcp|udp) or internet protocol version for the specified node (ipv4|ipv6).

-r, --range
    MLS/MCS Security Range (MLS/MCS Systems only). SELinux Range for SELinux login mapping defaults to the SELinux user record range. SELinux Range for SELinux user defaults to s0-s0:c0.c1023.

-R, --role
    SELinux Roles. You must enclose multiple roles within quotes, separate by spaces. Or specify -R multiple times.

-P, --prefix
    SELinux Prefix. Prefix added to home_dir_t and home_t for labeling users home directories.

-s, --seuser
    SELinux user name

-S, --store
    Select an alternate SELinux store to manage

-t, --type
    SELinux Type for the object

-i, --input
    Take a set of commands from a specified file and load them in a single transaction.

Example

SELinux user: List SELinux users

SELinux login: Change joe to login as staff_u

File contexts: Add file-context for everything under /web

Port contexts: Allow Apache to listen on tcp port 81

Change apache to a permissive domain

Turn off dontaudit rules

Managing multiple machines: Multiple machines that need the same customizations. Extract customizations off first machine, copy them to second and import them.
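The scenarios listed in this section, written as a command file for `semanage -i` and reviewed before it is imported on a second machine. This is an added example, not text from the man page. It assumes a command file holds one subcommand per line without the leading `semanage` word; the types `httpd_sys_content_t`, `http_port_t` and `httpd_t` are the usual Apache types of the reference policy, while the module name `examplemod` and both function names are hypothetical.

```shell
#!/bin/sh
# Added example: review a semanage command file before `semanage -i` loads it.
# Assumption: one subcommand per line, without the leading "semanage" word,
# in the form `semanage -o` writes local customizations.

# Constructed sample covering the scenarios from the Example section.
# "examplemod" is a hypothetical module name.
write_sample() {
    cat > "$1" <<'EOF'
login -a -s staff_u joe
fcontext -a -t httpd_sys_content_t '/web(/.*)?'
port -a -t http_port_t -p tcp 81
permissive -a httpd_t
dontaudit off
module -m --disable examplemod
EOF
}

# Print "LINE: reason: command" for entries that should not reach a
# production baseline unnoticed: permissive domains, dontaudit rules
# switched off (a troubleshooting state) and disabled or deleted modules.
review_customizations() {
    awk '
    /^[ \t]*#/ { next }          # skip comment lines
    NF == 0    { next }          # skip blank lines
    {
        reason = ""
        if ($1 == "permissive") {
            for (i = 2; i <= NF; i++)
                if ($i == "-a" || $i == "--add")
                    reason = "permissive domain"
        } else if ($1 == "dontaudit" && $2 == "off") {
            reason = "dontaudit rules off"
        } else if ($1 == "module") {
            for (i = 2; i <= NF; i++)
                if ($i == "--disable" || $i == "-d" || $i == "--delete")
                    reason = "module disabled or removed"
        }
        if (reason != "")
            printf "%d: %s: %s\n", NR, reason, $0
    }' "$1"
}

# Demo on the constructed sample. On a real host the file would come from
# `semanage -o FILE` on the first machine and, once reviewed, be loaded
# with `semanage -i FILE` on the second.
tmp=$(mktemp)
write_sample "$tmp"
review_customizations "$tmp"
rm -f "$tmp"
```

Lines the review does not flag (the login mapping, file context and port entries here) are still policy changes; the check only singles out the entries that relax enforcement or leave a troubleshooting setting behind.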

Author



This man page was written by Daniel Walsh <dwalsh@redhat.com>
and Russell Coker <rcoker@redhat.com>.
Examples by Thomas Bleher <ThomasBleher@gmx.de>.
