semanage-interface
Manage SELinux policy interface definitions
TLDR
List all interface type definitions
Add a network interface type definition
Delete a network interface type definition
Modify a network interface type definition
List interface type definitions in a customized format
SYNOPSIS
semanage interface -a -t type [-r range] interface_name
semanage interface -d interface_name
semanage interface -m -t type [-r range] interface_name
semanage interface -l [-n]
semanage interface -D
semanage interface -E
PARAMETERS
-a
Add a new SELinux interface definition to the local policy.
-d
Delete an existing SELinux interface definition from the local policy.
-m
Modify an existing SELinux interface definition in the local policy.
-l
List all currently configured SELinux interface definitions.
-t type
Specify the SELinux type to associate with the network interface. This option is mandatory for add (-a) and modify (-m) operations.
-r range
Specify the MLS/MCS (Multi-Level Security/Multi-Category Security) range for the interface. This is an optional parameter, primarily used in environments requiring fine-grained sensitivity labels.
interface_name
The name of the network interface (e.g., eth0, ens33, wlan0) to which the SELinux definition applies. This is mandatory for add, delete, and modify operations.
-n
When used with the list (-l) option, this displays numbers for each entry, which can be useful for scripting or referencing specific entries.
-D
Delete all local SELinux interface customizations, reverting all interface definitions to the policy's default settings.
-E
Restore the SELinux policy to its default interface definitions by removing all local customizations and rebuilding the policy. This is similar to -D but explicitly rebuilds the policy.
DESCRIPTION
The semanage interface command is a subcommand of semanage, used for managing SELinux type definitions associated with network interfaces. It allows administrators to add, delete, modify, or list SELinux type and MLS/MCS range mappings for specific network interfaces.
By controlling these mappings, SELinux can enforce fine-grained access control on network communications, ensuring that only authorized processes can interact with network resources via specific interfaces. For example, you might define a specific type for a management interface to restrict which services can bind to it, enhancing network segmentation and security. These configurations are stored in the local SELinux policy, making them persistent across reboots and policy reloads. This tool is crucial for tailoring SELinux policy to an organization's specific network security requirements, especially in environments where secure communication is paramount. Misconfigurations can lead to network service disruptions, so careful planning and testing are recommended.
CAVEATS
Using semanage interface requires root privileges. Changes made are immediately effective and persistently stored in the local policy, taking precedence over default policy definitions. Incorrectly configuring network interface types can lead to network services failing to start or operate correctly, potentially disrupting network connectivity or isolating the system. Always test changes thoroughly in a controlled environment before deploying to production systems.
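The following shell script is an added example, not part of semanage or this page: it wraps the add/modify procedure from the PARAMETERS section with the checks the caveats above call for (the interface exists, the type is defined in the loaded policy, the listing reflects the change afterwards). It assumes root on an SELinux host, setools' seinfo, and that "semanage interface -l" prints one "<name> <user>:<role>:<type>:<level>" row per interface; the DRY_RUN variable and the apply/build_cmd/type_of names are this example's own.

```shell
#!/bin/sh
# Added example, not part of semanage itself: apply a "semanage interface"
# change only after checking the interface and type, then verify the result.
# Assumes: root on an SELinux host, setools' seinfo installed, and that
# "semanage interface -l" prints "<name> <user>:<role>:<type>:<level>" rows.

# Build the command line for an add (-a) or modify (-m) of one interface.
build_cmd() {
    action=$1; iface=$2; type=$3; range=$4
    case "$action" in
        -a|-m) ;;
        *) echo "build_cmd: action must be -a or -m" >&2; return 1 ;;
    esac
    if [ -n "$range" ]; then
        printf 'semanage interface %s -t %s -r %s %s\n' "$action" "$type" "$range" "$iface"
    else
        printf 'semanage interface %s -t %s %s\n' "$action" "$type" "$iface"
    fi
}

# Read "semanage interface -l" output on stdin and print the type component
# of the context assigned to one interface (empty if it is not listed).
type_of() {
    awk -v want="$1" '$1 == want { split($2, c, ":"); print c[3] }'
}

# Refuse unknown interfaces and types the loaded policy does not define,
# pick -a or -m depending on whether a definition already exists, and
# confirm the listing shows the new type. DRY_RUN=1 only prints the command.
apply() {
    iface=$1; type=$2; range=$3
    ip link show "$iface" >/dev/null 2>&1 || { echo "no such interface: $iface" >&2; return 1; }
    seinfo -t "$type" 2>/dev/null | grep -q "^[[:space:]]*$type\$" \
        || { echo "type not in loaded policy: $type" >&2; return 1; }
    if [ -n "$(semanage interface -l | type_of "$iface")" ]; then action=-m; else action=-a; fi
    cmd=$(build_cmd "$action" "$iface" "$type" "$range") || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$cmd"; return 0; fi
    eval "$cmd" || return 1
    [ "$(semanage interface -l | type_of "$iface")" = "$type" ]
}

# Example call (constructed): DRY_RUN=1 apply eth1 netif_t s0
```

Run with DRY_RUN=1 first to see the exact semanage command that would be issued; a non-zero return from apply means one of the checks failed or the listing did not show the expected type.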
SELINUX CONTEXTS AND NETWORK INTERFACES
SELinux assigns a security context (typically in the format user:role:type:level) to every object on the system, including network interfaces. The type component is the primary attribute used for making access control decisions. By assigning a specific SELinux type to a network interface using semanage interface, the system can enforce rules about which processes (based on their own SELinux type) are allowed to access, bind to, or send/receive data through that particular interface. The optional range (MLS/MCS level) provides an additional layer of sensitivity and confidentiality control, primarily used in multi-level security architectures.
POLICY PERSISTENCE
Unlike temporary changes made with commands such as chcon, modifications applied with semanage interface are stored in a local policy customization file (e.g., within /etc/selinux/targeted/modules/active/semanage_*.conf or similar locations). These local changes are then compiled into the active SELinux policy every time the policy is loaded, ensuring that your custom interface type definitions persist across system reboots and SELinux policy reloads. This mechanism guarantees consistency and reliability in your SELinux enforcement, preventing configurations from being lost.
HISTORY
The semanage utility, including its interface subcommand, was developed as a key part of the SELinux toolset to simplify the management of local policy customizations. Prior to tools like semanage, administrators often had to engage in more complex policy source compilation to make such modifications. semanage abstracts this complexity, allowing for easier management of specific SELinux policy components like network interface types, file contexts, ports, and users without requiring deep knowledge of the underlying SELinux policy language. Its introduction marked a significant step towards making SELinux more accessible and manageable in enterprise and production environments, improving its overall usability and adoption.
SEE ALSO
semanage(8), setsebool(8), getsebool(8), restorecon(8), chcon(1), sepolicy(8)