semanage
Manage SELinux policy without recompilation
TLDR
Set or unset a SELinux boolean. Booleans allow the administrator to customize how policy rules affect confined process types (a.k.a. domains)
Add a user-defined file context labeling rule. File contexts define what files confined domains are allowed to access
Add a user-defined port labeling rule. Port labels define what ports confined domains are allowed to listen on
Set or unset permissive mode for a confined domain. Per-domain permissive mode allows more granular control compared to setenforce
Output local customizations in the default store
Import a file generated by semanage export into local customizations (CAREFUL: may remove current customizations!)
SYNOPSIS
semanage {command} [options]
PARAMETERS
fcontext
Manage file context mappings.
port
Manage port definitions.
boolean
Manage SELinux boolean values.
user
Manage SELinux user mappings.
login
Manage SELinux login mappings.
interface
Manage SELinux network interface mappings.
-a
Add a new entry.
-m
Modify an existing entry.
-d
Delete an entry.
-l
List entries.
-n
No commit. Do not commit the changes to disk.
DESCRIPTION
The semanage command is a powerful tool used for managing SELinux policy without requiring a full policy rebuild. It allows administrators to modify file context mappings, port definitions, boolean values, user mappings, and other aspects of SELinux policy. This is particularly useful for customizing SELinux to meet specific application requirements or to relax overly restrictive rules that might be preventing legitimate system operations.
semanage operates directly on the SELinux policy database, adding, modifying, or deleting entries as needed. Changes made with semanage are persistent across reboots and policy reloads, unlike temporary modifications made directly with commands like chcon. Using semanage ensures that your custom SELinux configurations are properly integrated into the system and are not lost during updates or restarts. It's an essential tool for anyone managing SELinux in a production environment.
CAVEATS
Incorrect usage of semanage can lead to security vulnerabilities or system instability. Always test changes in a non-production environment before applying them to a production system. It's essential to have a thorough understanding of SELinux policies before making modifications.
FILE CONTEXT MANAGEMENT EXAMPLE
Adding a file context: semanage fcontext -a -t httpd_sys_content_t '/var/www/mywebsite(/.*)?'
This command adds a new file context mapping for the directory /var/www/mywebsite and all its subdirectories (using the regular expression '/var/www/mywebsite(/.*)?'). It associates these files with the type 'httpd_sys_content_t', allowing the Apache web server to access them.
PORT MANAGEMENT EXAMPLE
Adding a port definition: semanage port -a -t http_port_t -p tcp 8080
This command adds a port definition, associating TCP port 8080 with the type 'http_port_t'. This allows processes labeled with a type that is permitted to bind to 'http_port_t' to listen on port 8080.
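Both examples above leave out a step that bites in practice: the fcontext rule only records a mapping until the tree is relabeled with restorecon, and semanage port -a fails with "already defined" when the port is already labeled (in the default targeted policy, tcp/8080 belongs to http_cache_port_t), in which case -m is the verb to use. The helper below is an added example, not part of the original page or of the semanage project: it parses a constructed semanage port -l listing to pick the right verb, and label_port and label_tree are hypothetical wrapper names.

```shell
# Choose between "semanage port -a" (port unlabeled), "semanage port -m"
# (port already owned by another type) and doing nothing, by parsing the
# format printed by "semanage port -l": <type> <proto> <ports, ranges>.
# The header line is skipped because its second field is not a protocol.
# Constructed sample listing (not from a real host); 8080 sits under
# http_cache_port_t, as it does in the default targeted policy.
SAMPLE_PORT_LIST='SELinux Port Type              Proto    Port Number
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443
ssh_port_t                     tcp      22'

# port_owner <listing> <proto> <port>: print the type labeling the port
# (single ports and ranges), or nothing if the port is unlabeled.
port_owner() {
    printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)
                if (p ~ /-/) {
                    split(p, r, "-")
                    if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) { print $1; exit }
                } else if (p + 0 == port + 0) { print $1; exit }
            }
        }'
}

# port_action <listing> <wanted_type> <proto> <port>: print add, modify or noop.
port_action() {
    owner=$(port_owner "$1" "$3" "$4")
    if [ -z "$owner" ]; then echo add
    elif [ "$owner" = "$2" ]; then echo noop
    else echo modify
    fi
}

# label_port <type> <proto> <port>: hypothetical helper that applies the
# right verb to the live policy (needs root and the semanage command).
label_port() {
    case $(port_action "$(semanage port -l)" "$1" "$2" "$3") in
        add)    semanage port -a -t "$1" -p "$2" "$3" ;;
        modify) semanage port -m -t "$1" -p "$2" "$3" ;;
        noop)   echo "port $3/$2 is already labeled $1" ;;
    esac
}

# label_tree <type> <dir>: record the fcontext rule from the page, then
# relabel: semanage only stores the mapping, restorecon applies it to files.
label_tree() {
    semanage fcontext -a -t "$1" "$2(/.*)?" && restorecon -Rv "$2"
}
```

With the sample listing, port_action reports modify for http_port_t tcp 8080, add for an unlisted port, and noop when the wanted type already owns the port, including ports inside a listed range.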
HISTORY
The semanage command was developed as part of the SELinux project to provide a more manageable way to administer SELinux policies. It was created to overcome the complexity of directly editing policy configuration files and rebuilding the entire policy after each change. semanage significantly simplifies the process of customizing SELinux to fit specific environment requirements, making it easier for administrators to maintain secure and functional systems.
SEE ALSO
chcon(1), restorecon(8), setsebool(8), getenforce(8), setenforce(8)