semanage

Set or unset a SELinux boolean. Booleans allow the administrator to customize how policy rules affect confined process types (a.k.a domains)

$ sudo semanage boolean [[-m|--modify]] [-1|--on|-0|--off] [haproxy_connect_any]

$ sudo semanage fcontext [[-a|--add]] [[-t|--type]] [samba_share_t] '/mnt/share(/.*)?'

$ sudo semanage port [[-a|--add]] [[-t|--type]] [ssh_port_t] [[-p|--proto]] [tcp] [22000]

$ sudo semanage permissive [-a|--add|-d|--delete] [httpd_t]

$ sudo semanage export [[-f|--output_file]] [path/to/file]

$ sudo semanage import [[-f|--input_file]] [path/to/file]

semanage {command} [options]

fcontext
    Manage file context mappings.

port
    Manage port definitions.

boolean
    Manage SELinux boolean values.

user
    Manage SELinux user mappings.

login
    Manage SELinux login mappings.

interface
    Manage SELinux network interface mappings.

-a
    Add a new entry.

-m
    Modify an existing entry.

-d
    Delete an entry.

-l
    List entries.

-n
    No commit. Do not commit the changes to disk.

The semanage command is a powerful tool used for managing SELinux policy without requiring a full policy rebuild. It allows administrators to modify file context mappings, port definitions, boolean values, user mappings, and other aspects of SELinux policy. This is particularly useful for customizing SELinux to meet specific application requirements or to relax overly restrictive rules that might be preventing legitimate system operations.

semanage operates directly on the SELinux policy database, adding, modifying, or deleting entries as needed. Changes made with semanage are persistent across reboots and policy reloads, unlike temporary modifications made directly with commands like chcon. Using semanage ensures that your custom SELinux configurations are properly integrated into the system and are not lost during updates or restarts. It's an essential tool for anyone managing SELinux in a production environment.

Incorrect usage of semanage can lead to security vulnerabilities or system instability. Always test changes in a non-production environment before applying them to a production system. It's essential to have a thorough understanding of SELinux policies before making modifications.

Adding a file context: semanage fcontext -a -t httpd_sys_content_t '/var/www/mywebsite(/.*)?'
This command adds a new file context mapping for the directory /var/www/mywebsite and all its subdirectories (using the regular expression '/var/www/mywebsite(/.*)?'). It associates these files with the type 'httpd_sys_content_t', allowing the Apache web server to access them.

Adding a port definition: semanage port -a -t http_port_t -p tcp 8080
This command adds a port definition, associating TCP port 8080 with the type 'http_port_t'. This allows processes labeled with a type that is permitted to bind to 'http_port_t' to listen on port 8080.

The semanage command was developed as part of the SELinux project to provide a more manageable way to administer SELinux policies. It was created to overcome the complexity of directly editing policy configuration files and rebuilding the entire policy after each change. semanage significantly simplifies the process of customizing SELinux to fit specific environment requirements, making it easier for administrators to maintain secure and functional systems.

chcon(1), restorecon(8), setsebool(8), getenforce(8), setenforce(8)