semanage
Manage SELinux policy without recompilation
TLDR
Turn a SELinux boolean on or off persistently. Booleans switch optional sets of rules in the loaded policy, changing what confined process types (domains) may do without editing policy source
Add a user-defined file context labeling rule. File context rules map a path regular expression to a type; restorecon applies that type to matching files, and the policy's rules on the type decide which confined domains may access them
Add a user-defined port labeling rule. Port labels map a port number and protocol to a type that confined domains are allowed to bind or connect to
Make a single confined domain permissive, or enforcing again. Denials for a permissive domain are logged but not blocked, which is far more targeted than setenforce 0 for the whole system
Print the local customizations of the active store as a series of semanage commands
Import a file produced by semanage export into the local customizations (CAREFUL: the export starts with delete-all records for every object type, so importing replaces the current customizations rather than merging with them)
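The boolean, port, permissive and export/import entries above, as an added shell example that is not part of the semanage man page. It assumes a service confined as httpd_t that must reach a database and listen on TCP 8080; the boolean, type and port are illustrative. The script uses -N on every semanage call so the kernel policy is reloaded once at the end, then snapshots the result with semanage export. DRY_RUN=1 prints the commands instead of executing them, since semanage needs root on an SELinux host.

```shell
#!/bin/sh
# Added example, not part of the semanage man page. Batches several local
# customizations with -N so the kernel policy is reloaded once, then
# snapshots them with semanage export. Assumed scenario: a service confined
# as httpd_t that must reach a database and listen on TCP 8080.
# semanage needs root on an SELinux host; DRY_RUN=1 prints the commands
# instead of executing them.
set -eu

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Turn a boolean on persistently (-m --on; -1 is the short form).
# setsebool without -P would only change the running value.
enable_boolean() {          # enable_boolean <boolean>
    run semanage boolean -N -m --on "$1"
}

# Give an extra port the type the domain is already allowed to bind.
# Check with -l first: a port carries one type per protocol, so an
# already-labeled port needs -m instead of -a.
add_port() {                # add_port <type> <tcp|udp> <port|low-high>
    run semanage port -N -a -t "$1" -p "$2" "$3"
}

# Per-domain permissive mode: denials for this domain are logged but not
# enforced, while the rest of the system stays enforcing.
set_permissive() {          # set_permissive <domain>
    run semanage permissive -N -a "$1"
}

# Remove the permissive entry once the real fix (boolean, port, module) is in.
unset_permissive() {        # unset_permissive <domain>
    run semanage permissive -N -d "$1"
}

# Every call above committed to the store but skipped the reload (-N);
# rebuild and load the policy once here.
commit_policy() {
    run semodule -B
}

# The export starts with "<object> -D" records, so importing it later wipes
# whatever local customizations exist at that time and replaces them with
# the exported set: treat the file as a full snapshot, not a patch.
export_customizations() {   # export_customizations <file>
    run semanage export -f "$1"
}

import_customizations() {   # import_customizations <file>
    run semanage import -f "$1"
}

if [ "${1:-}" = apply ]; then
    enable_boolean httpd_can_network_connect_db
    add_port http_port_t tcp 8080
    set_permissive httpd_t
    commit_policy
    export_customizations /root/selinux-local.export
fi
```

Run it as root with "sh batch.sh apply", or with DRY_RUN=1 to review the exact commands first. Omitting -N on the last semanage call is an equivalent way to get the single reload without semodule -B.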
SYNOPSIS
semanage OBJECT [-S STORE] [-N] { -a | -d | -m | -l | -D | -E } [specific-options] [arguments]
    where OBJECT is one of fcontext, port, boolean, user, login, interface, node, permissive, module
semanage dontaudit [-S STORE] [-N] { on | off }
semanage { export | import } [-S STORE] [-f FILE]
semanage { -h | --help | -V | --version }
Common Object Types:
fcontext: Manage file context rules (path regular expressions mapped to types).
port: Manage network port labels.
boolean: Manage SELinux booleans.
user: Manage SELinux users and their role and level assignments.
login: Manage mappings from Linux logins to SELinux users.
interface: Manage network interface labels.
node: Manage network node (IP address and netmask) labels.
permissive: Manage per-domain permissive mode.
dontaudit: Enable (on) or disable (off) the policy's dontaudit rules; turning them off makes silently suppressed denials visible in the audit log.
export / import: Dump the local customizations as semanage commands, or replay such a dump.
Common Commands/Actions:
-a, --add: Add a record.
-d, --delete: Delete a record.
-m, --modify: Modify an existing record.
-l, --list: List records (combine with -C to show only local customizations).
-D, --deleteall: Remove all local customizations of the object type.
-E, --extract: Print the local customizations of the object type as semanage commands, for use within a transaction.
PARAMETERS
-S STORE, --store STORE
Select an alternate SELinux policy store to manage, named after its policy type (targeted, mls, minimum). Defaults to the store of the currently loaded policy, as set by SELINUXTYPE in /etc/selinux/config.
-N, --noreload
Commit the change to the store but do not reload the kernel policy. Use it on every call but the last when batching many changes, or run semodule -B afterwards, so the policy is rebuilt and loaded once instead of once per call.
-C, --locallist
With -l, list only the local customizations and omit the records that come from the base policy. The same distinction applies to --extract and export, which only ever emit local customizations.
-h, --help
Display a help message and exit.
-V, --version
Display version information and exit.
DESCRIPTION
semanage is the command-line utility for administering the persistent SELinux configuration held in a policy store. It provides a high-level interface to the store's objects and rules, and changes made through it survive reboots and relabels. chcon changes the label of a file directly without recording a rule, so the change is lost the next time the file is relabeled; setsebool without -P only changes a boolean's running value. semanage instead records the change in the policy store and reloads the policy from there, which makes it the tool for permanent adjustments to how SELinux labels files, ports, network interfaces and nodes, and to how Linux logins map to SELinux users.
Administrators use semanage to define custom file contexts (for example for an application installed outside its packaged paths), to label additional ports for a service, to set booleans persistently, to map logins to SELinux users, and to label network interfaces. It does not edit the kernel's active policy in place: each operation is committed to the store and, unless -N is given, the kernel policy is reloaded from the store so the change takes effect immediately. Relabeling files already on disk is the one step it leaves to restorecon or a system relabel.
CAVEATS
semanage requires root privileges to execute. Mistakes are persistent: a file context regular expression broader than intended, followed by restorecon, can relabel directories the system depends on and leave it unbootable or its services denied, so preview relabels with restorecon -n before applying them. Each call without -N commits the store and reloads the policy, which takes a few seconds and briefly consumes CPU; batch changes with -N where that matters. semanage never writes the kernel's active policy directly; it modifies the store and then asks the kernel to reload from it. File context rules only describe the intended labels: files already on disk keep their old labels until restorecon, fixfiles or a full relabel is run against the new rules, and a label that has not been applied is a common reason a rule appears not to work.
POLICY RELOAD AND PERSISTENCE
Changes made with semanage are committed to the store's persistent configuration (for fcontext rules, file_contexts.local under /etc/selinux/<store>/contexts/files) and, unless -N is given, loaded into the kernel immediately by a policy reload. Booleans, port labels and permissive entries are therefore enforced right away and remain in force after reboots. For file contexts, semanage fcontext only defines the labeling rules; applying them to files already on disk requires restorecon or a full system relabel.
INTERACTION WITH RESTORECON
Rules added or modified with semanage fcontext are consulted by userspace labeling tools, not by the kernel. The kernel labels a newly created file from its parent directory's label and the policy's type transition rules, so a file written into a freshly labeled tree by an ordinary process is not matched against file_contexts at all; tools that do consult it include restorecon, setfiles, fixfiles and package managers at install time. To apply new or modified rules to existing files, run restorecon -R (or fixfiles) on the affected paths; restorecon -n first shows what would change without touching anything. matchpathcon PATH prints the label the current rules assign to a path, and ls -Z shows the label a file actually carries; comparing the two is the quickest way to spot a rule that is not taking effect.
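The rule-then-relabel workflow described above, as an added shell example that is not part of the semanage man page. It assumes a web root moved to /srv/www (an illustrative path) and the httpd_sys_content_t type. The script escapes the path before handing it to semanage, because the store treats it as a regular expression, previews the relabel with restorecon -n, and then applies it. DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not part of the semanage man page. Records a file context
# rule for a directory tree, previews the relabel, then applies it.
# Assumed path and type: /srv/www labeled httpd_sys_content_t.
# DRY_RUN=1 prints the commands instead of executing them.
set -eu

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Build the file_contexts pattern for a whole tree: the path with regex
# metacharacters escaped, followed by (/.*)? to cover everything below it.
# Give the real (non-symlinked) path; file_contexts matches canonical paths.
tree_regex() {              # tree_regex <dir>
    escaped=$(printf '%s' "$1" | sed 's/[.+?*()^$|]/\\&/g')
    printf '%s(/.*)?\n' "$escaped"
}

# Record the rule in the local store. Nothing on disk changes yet.
add_fcontext() {            # add_fcontext <type> <dir>
    run semanage fcontext -a -t "$1" "$(tree_regex "$2")"
}

# Preview (-n: no changes, -v: print each file that would change), then
# apply. Reading the preview catches a pattern that matches more than the
# intended tree before it relabels something the system depends on.
relabel_tree() {            # relabel_tree <dir>
    run restorecon -Rvn "$1"
    run restorecon -Rv "$1"
}

if [ "${1:-}" = apply ]; then
    add_fcontext httpd_sys_content_t /srv/www
    relabel_tree /srv/www
    matchpathcon /srv/www/index.html   # label the rules say it should have
    ls -Zd /srv/www                    # label the directory actually has
fi
```

semanage fcontext -l -C lists the local rules afterwards. When the new tree should simply mirror the labels of a packaged one, semanage fcontext -a -e /var/www /srv/www records a path equivalence instead of a per-type rule, and the same restorecon step applies.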
HISTORY
semanage emerged as part of the SELinux ecosystem to address the need for a standardized, high-level tool to manage persistent SELinux policy configurations. Early SELinux management often involved direct manipulation of policy source files, compiling, and loading, or using more specific, lower-level commands that lacked a unified interface for persistent changes. semanage was developed to abstract this complexity, providing a consistent command-line interface for managing various SELinux objects like file contexts, ports, and booleans. Its introduction significantly simplified the administration of custom SELinux policies, making it more accessible for system administrators to tailor SELinux behavior without deep policy language expertise. It continues to be a core utility in modern SELinux-enabled Linux distributions.
SEE ALSO
restorecon(8), setfiles(8), fixfiles(8), matchpathcon(8), setsebool(8), chcon(1), semodule(8), sepolicy(8), selinux(8), audit2allow(1), semanage-fcontext(8), semanage-port(8), semanage-boolean(8), semanage-permissive(8), semanage-export(8), semanage-import(8)