semanage
SELinux Policy Management tool
TLDR
Set or unset a SELinux boolean. Booleans allow the administrator to customize how policy rules affect confined process types (a.k.a. domains)
Add a user-defined file context labeling rule. File contexts define what files confined domains are allowed to access
Add a user-defined port labeling rule. Port labels define what ports confined domains are allowed to listen on
Set or unset permissive mode for a confined domain. Per-domain permissive mode allows more granular control compared to setenforce
Output local customizations in the default store
Import a file generated by semanage export into local customizations (CAREFUL: may remove current customizations!)
Name
semanage - SELinux Policy Management tool
Synopsis
Output local customizations
semanage [ -S store ] -o [ output_file | - ]
Input local customizations
semanage [ -S store ] -i [ input_file | - ]
Manage booleans. Booleans allow the administrator to modify the confinement of processes based on their configuration.
semanage boolean [-S store] -{d|m|l|n|D} -[-on|-off|1|0] -F boolean | boolean_file
Manage SELinux confined users (Roles and levels for an SELinux user)
semanage user [-S store] -{a|d|m|l|n|D} [-LrRP] selinux_name
Manage login mappings between linux users and SELinux confined users.
semanage login [-S store] -{a|d|m|l|n|D} [-sr] login_name | %groupname
Manage policy modules.
semanage module [-S store] -{a|d|l} [-m [--enable | --disable] ] module_name
Manage network port type definitions
semanage port [-S store] -{a|d|m|l|n|D} [-tr] [-p proto] port | port_range
Manage network interface type definitions
semanage interface [-S store] -{a|d|m|l|n|D} [-tr] interface_spec
Manage network node type definitions
semanage node [-S store] -{a|d|m|l|n|D} [-tr] [ -p protocol ] [-M netmask] address
Manage file context mapping definitions
semanage fcontext [-S store] -{a|d|m|l|n|D} [-frst] file_spec
semanage fcontext [-S store] -{a|d|m|l|n|D} -e replacement target
Manage process type enforcement mode (per-domain permissive)
semanage permissive [-S store] -{a|d|l|n|D} type
Disable/Enable dontaudit rules in policy
semanage dontaudit [-S store] [ on | off ]
Execute multiple commands within a single transaction.
semanage [-S store] -i command-file
Description
semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources. This includes the
mapping from Linux usernames to SELinux user identities (which controls the initial security context assigned to Linux users when they log in and bounds their
authorized role set), security context mappings for various kinds of objects, such as network ports, interfaces, and nodes (hosts), and the file context
mapping. See the EXAMPLES section below for some examples of common usage. Note that the semanage login command deals with the mapping from Linux
usernames (logins) to SELinux user identities, while the semanage user command deals with the mapping from SELinux user identities to authorized role sets. In
most cases, only the former mapping needs to be adjusted by the administrator; the latter is principally defined by the base policy and usually does not
require modification.
Options
-a, --add
Add an OBJECT record NAME
-d, --delete
Delete an OBJECT record NAME
-D, --deleteall
Remove all OBJECTS local customizations
--disable
Disable a policy module, requires -m option. Currently modules only.
--enable
Enable a disabled policy module, requires -m option. Currently modules only.
-e, --equal
Substitute target path with source path when generating default label. This is used with fcontext. Requires source and target path arguments. The context labeling for the target subtree is made equivalent to that defined for the source.
-f, --ftype
File Type. This is used with fcontext. Requires a file type as shown in the mode field by ls, e.g. use -d to match only directories or -- to match only regular files.
-F, --file
Set multiple records from the input file. When used with -l, --list, it will output the current settings to stdout in the proper format. Currently booleans only.
-h, --help
Display this message
-l, --list
List the OBJECTS
-C, --locallist
List only locally defined settings, not base policy settings.
-E, --extract
Extract customizable commands
-L, --level
Default SELinux Level for SELinux user, s0 Default. (MLS/MCS Systems only)
-m, --modify
Modify an OBJECT record NAME
-M, --mask
Network Mask
-n, --noheading
Do not print heading when listing OBJECTS.
-o, --output
Output current customizations as semanage commands
-p, --proto
Protocol for the specified port (tcp|udp) or internet protocol version for the specified node (ipv4|ipv6).
-r, --range
MLS/MCS Security Range (MLS/MCS Systems only). SELinux Range for SELinux login mapping defaults to the SELinux user record range. SELinux Range for SELinux user defaults to s0-s0:c0.c1023.
-R, --role
SELinux Roles. You must enclose multiple roles within quotes, separated by spaces, or specify -R multiple times.
-P, --prefix
SELinux Prefix. Prefix added to home_dir_t and home_t for labeling users' home directories.
-s, --seuser
SELinux user name
-S, --store
Select an alternate SELinux store to manage
-t, --type
SELinux Type for the object
-i, --input
Take a set of commands from a specified file and load them in a single transaction.
Examples
SELinux user
List SELinux users
SELinux login
Change joe to login as staff_u
File contexts
Add file-context for everything under /web
Port contexts
Allow Apache to listen on tcp port 81
Change apache to a permissive domain
Turn off dontaudit rules
Managing multiple machines
Multiple machines that need the same customizations. Extract customizations off the first machine, copy them to the second and import them.
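The warning attached to import (CAREFUL: may remove current customizations!) and the multiple-machines workflow above deserve a concrete check. An export is a file of semanage subcommands without the leading word "semanage", one per line, in the same syntax that semanage -i accepts, and it opens with one "<object> -D" (deleteall) line per object class; replaying it on a second machine therefore wipes that machine's own local records before adding the exported ones. The script below is an added example, not part of the semanage man page or of policycoreutils: it parses such a file, reports the destructive deleteall lines and the lines that weaken enforcement (permissive domains, booleans switched on), and can emit a copy with the deleteall lines dropped so that the import only adds records. The embedded export is constructed and assumed to match the format written by semanage export (its lines also show, in command-file form, the file-context, port and permissive examples listed above); the function names parse_export, audit_export, merge_only and report are this example's own.

```python
"""Added example (not from the semanage man page): audit a `semanage export`
/ `semanage -o` file before replaying it with `semanage import` / `-i`.
"""
import shlex

# Constructed sample of a semanage export (assumed format; compare with a
# real export from your semanage version).  The leading -D lines are what
# makes an unreviewed import destructive on the target machine.
SAMPLE_EXPORT = """\
boolean -D
login -D
user -D
port -D
node -D
fcontext -D
module -D
boolean -m -1 httpd_can_network_connect
login -a -s staff_u -r 's0' joe
fcontext -a -f a -t httpd_sys_content_t -r 's0' '/web(/.*)?'
port -a -t http_port_t -r 's0' -p tcp 81
permissive -a httpd_t
"""

DELETEALL_FLAGS = {"-D", "--deleteall"}
ADD_FLAGS = {"-a", "--add"}
BOOLEAN_ON_FLAGS = {"-1", "--on"}


def parse_export(text):
    """Return (lineno, object_class, args) for every command line.

    Lines are split with shell quoting rules because fcontext paths and MLS
    ranges are single-quoted in the export."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        argv = shlex.split(line)
        records.append((lineno, argv[0], argv[1:]))
    return records


def audit_export(text):
    """Classify the lines an import would execute.

    destructive: deleteall lines that wipe a whole class of local records
    weakening:   permissive -a lines (denials for that domain are only logged)
    booleans_on: booleans the file switches on (review each one against policy)"""
    findings = {"destructive": [], "weakening": [], "booleans_on": []}
    for lineno, obj, args in parse_export(text):
        flags = set(args)
        if flags & DELETEALL_FLAGS:
            findings["destructive"].append((lineno, obj))
        elif obj == "permissive" and flags & ADD_FLAGS:
            findings["weakening"].append((lineno, args[-1]))
        elif obj == "boolean" and flags & BOOLEAN_ON_FLAGS:
            findings["booleans_on"].append((lineno, args[-1]))
    return findings


def merge_only(text):
    """Return the export with every deleteall line removed, so importing it
    adds to the target's local customizations instead of replacing them."""
    kept = []
    for line in text.splitlines():
        is_cmd = bool(line.strip()) and not line.lstrip().startswith("#")
        argv = shlex.split(line) if is_cmd else []
        if set(argv) & DELETEALL_FLAGS:
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"


def report(text):
    """Human-readable summary, usable as a pre-import gate in a deploy script."""
    f = audit_export(text)
    lines = []
    for lineno, obj in f["destructive"]:
        lines.append(f"line {lineno}: '{obj} -D' deletes all local {obj} records on the target")
    for lineno, domain in f["weakening"]:
        lines.append(f"line {lineno}: domain {domain} becomes permissive")
    for lineno, name in f["booleans_on"]:
        lines.append(f"line {lineno}: boolean {name} switched on")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_EXPORT))
    print("--- merge-only version ---")
    print(merge_only(SAMPLE_EXPORT), end="")
```

Two caveats when using the merge-only copy: an -a line for a record that already exists on the target (same file spec, same port/protocol) fails with an "already defined" error rather than silently overriding it, so such lines need -m on that machine; and the permissive -a line is worth removing altogether before the file reaches a production host, since per-domain permissive mode is a troubleshooting state, not a configuration to replicate.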
Author
This man page was written by Daniel Walsh <dwalsh@redhat.com>
and Russell Coker <rcoker@redhat.com>.
Examples by Thomas Bleher <ThomasBleher@gmx.de>.