LinuxCommandLibrary

semanage

Manage SELinux policy without recompilation

TLDR

Set or unset an SELinux boolean. Booleans let the administrator customize how policy rules affect confined process types (a.k.a. domains)

$ sudo semanage boolean [[-m|--modify]] [-1|--on|-0|--off] [haproxy_connect_any]

Add a user-defined file context labeling rule. File contexts define what files confined domains are allowed to access
$ sudo semanage fcontext [[-a|--add]] [[-t|--type]] [samba_share_t] '/mnt/share(/.*)?'

Add a user-defined port labeling rule. Port labels define what ports confined domains are allowed to listen on
$ sudo semanage port [[-a|--add]] [[-t|--type]] [ssh_port_t] [[-p|--proto]] [tcp] [22000]

Set or unset permissive mode for a confined domain. Per-domain permissive mode allows more granular control compared to setenforce
$ sudo semanage permissive [-a|--add|-d|--delete] [httpd_t]

Output local customizations in the default store
$ sudo semanage export [[-f|--output_file]] [path/to/file]

Import a file generated by semanage export into local customizations (CAREFUL: may remove current customizations!)
$ sudo semanage import [[-f|--input_file]] [path/to/file]

SYNOPSIS

semanage {command} [options]

PARAMETERS

fcontext
    Manage file context mappings.

port
    Manage port definitions.

boolean
    Manage SELinux boolean values.

user
    Manage SELinux user mappings.

login
    Manage SELinux login mappings.

interface
    Manage SELinux network interface mappings.

-a
    Add a new entry.

-m
    Modify an existing entry.

-d
    Delete an entry.

-l
    List entries.

-n
    No commit. Do not commit the changes to disk.

DESCRIPTION

The semanage command is a powerful tool used for managing SELinux policy without requiring a full policy rebuild. It allows administrators to modify file context mappings, port definitions, boolean values, user mappings, and other aspects of SELinux policy. This is particularly useful for customizing SELinux to meet specific application requirements or to relax overly restrictive rules that might be preventing legitimate system operations.

semanage operates directly on the SELinux policy store, adding, modifying, or deleting entries as needed. Changes made with semanage persist across reboots and policy reloads, unlike labels set directly with chcon, which the next relabel (for example restorecon) overwrites. Using semanage ensures that your custom SELinux configuration is properly integrated into the system and is not lost during updates or restarts. It is an essential tool for anyone managing SELinux in a production environment.

CAVEATS

Incorrect usage of semanage can lead to security vulnerabilities or system instability. Always test changes in a non-production environment before applying them to a production system. It's essential to have a thorough understanding of SELinux policies before making modifications.
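Because an export file begins with one "-D" (delete all local entries) line per store, importing it replaces, rather than merges with, the current customizations. The following POSIX shell helpers, an added example that is not part of this page or of the policycoreutils project, inspect export output before it is imported; the sample input is constructed to mirror the real tool's line format, and the function names are this example's own.

```sh
# Constructed sample of `semanage export` output (not from a real host);
# the real tool prints one "<store> -D" line per store, then one line per
# local customization. The sample is trimmed to five stores.
sample_export() {
  cat <<'EOF'
boolean -D
port -D
fcontext -D
module -D
permissive -D
boolean -m -1 haproxy_connect_any
port -a -t ssh_port_t -p tcp 22000
fcontext -a -f a -t samba_share_t '/mnt/share(/.*)?'
permissive -a httpd_t
EOF
}

# Stores an import of this file clears ("-D" = delete all local entries)
# before re-adding the lines that follow; anything not re-added is lost.
export_wiped_stores() { awk '$2 == "-D" { print $1 }'; }

# Number of customizations the file re-creates after the wipe.
export_count_customizations() { grep -vc ' -D$'; }

# Exit 0 if a port label for PROTO ($1) and PORT ($2) is present, else 1.
export_has_port() { grep -qE "^port -a .*-p $1 $2\$"; }

# Domains the file places in per-domain permissive mode.
export_permissive_domains() { awk '$1 == "permissive" && $2 == "-a" { print $3 }'; }

# One-line summary; on a live host: semanage export | export_summary
export_summary() {
  f=$(cat)
  printf 'wipes: %s| re-creates %s entries | permissive: %s\n' \
    "$(printf '%s\n' "$f" | export_wiped_stores | tr '\n' ' ')" \
    "$(printf '%s\n' "$f" | export_count_customizations)" \
    "$(printf '%s\n' "$f" | export_permissive_domains | tr '\n' ' ')"
}

sample_export | export_summary
```

Run it against a real export (`semanage export | export_summary`) and compare the re-created entries with `semanage port -l`, `semanage fcontext -l -C` and `semanage permissive -l` before importing.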

FILE CONTEXT MANAGEMENT EXAMPLE

Adding a file context: semanage fcontext -a -t httpd_sys_content_t '/var/www/mywebsite(/.*)?'
This command adds a new file context mapping for the directory /var/www/mywebsite and all its subdirectories (using the regular expression '/var/www/mywebsite(/.*)?'). It associates these files with the type 'httpd_sys_content_t', allowing the Apache web server to access them. The rule is only a mapping: existing files receive the new label once they are relabeled, for example with restorecon -Rv /var/www/mywebsite.

PORT MANAGEMENT EXAMPLE

Adding a port definition: semanage port -a -t http_port_t -p tcp 8080
This command adds a port definition, associating TCP port 8080 with the type 'http_port_t'. This allows processes labeled with a type that is permitted to bind to 'http_port_t' to listen on port 8080.

HISTORY

The semanage command was developed as part of the SELinux project to provide a more manageable way to administer SELinux policies. It was created to overcome the complexity of directly editing policy configuration files and rebuilding the entire policy after each change. semanage significantly simplifies the process of customizing SELinux to fit specific environment requirements, making it easier for administrators to maintain secure and functional systems.

SEE ALSO
