semanage(8) - Linux man page

Name

semanage - SELinux Policy Management tool

Synopsis

semanage {login|user|port|interface|fcontext|translation} -l [-n]
semanage login -{a|d|m} [-sr] login_name
semanage user -{a|d|m} [-LrRP] selinux_name
semanage port -{a|d|m} [-tr] [-p protocol] port | port_range
semanage interface -{a|d|m} [-tr] interface_spec
semanage fcontext -{a|d|m} [-frst] file_spec
semanage translation -{a|d|m} [-T] level

Description

semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources. This includes the mapping from Linux usernames to SELinux user identities (which controls the initial security context assigned to Linux users when they login and bounds their authorized role set) as well as security context mappings for various kinds of objects, such as network ports, interfaces, and nodes (hosts) as well as the file context mapping. See the EXAMPLES section below for some examples of common usage. Note that the semanage login command deals with the mapping from Linux usernames (logins) to SELinux user identities, while the semanage user command deals with the mapping from SELinux user identities to authorized role sets. In most cases, only the former mapping needs to be adjusted by the administrator; the latter is principally defined by the base policy and usually does not require modification.

Options

-a, --add

Add a OBJECT record NAME

-d, --delete

Delete a OBJECT record NAME

-f, --ftype

File Type. This is used with fcontext. Requires a file type as shown in the mode field by ls, e.g. use -d to match only directories or -- to match only regular files.

-h, --help

display this message

-l, --list

List the OBJECTS

-L, --level

Default SELinux Level for SELinux use, s0 Default. (MLS/MCS Systems only)

-m, --modify

Modify a OBJECT record NAME

-n, --noheading

Do not print heading when listing OBJECTS.

-p, --proto

Protocol for the specified port (tcp|udp).

-r, --range

MLS/MCS Security Range (MLS/MCS Systems only)

-R, --role

SELinux Roles. You must enclose multiple roles within quotes, separate by spaces. Or specify -R multiple times.

-P, --prefix

SELinux Prefix. Prefix added to home_dir_t and home_t for labeling users home directories.

-s, --seuser

SELinux user name

-t, --type

SELinux Type for the object

-T, --trans

SELinux Translation

Example

# View SELinux user mappings
$ semanage user -l
# Allow joe to login as staff_u
$ semanage login -a -s staff_u joe
# Add file-context for everything under /web (used by restorecon)
$ semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
# Allow Apache to listen on port 81
$ semanage port -a -t http_port_t -p tcp 81

Author

This man page was written by Daniel Walsh <dwalsh@redhat.com> and Russell Coker <rcoker@redhat.com>. Examples by Thomas Bleher <ThomasBleher@gmx.de>.

Referenced By

chcat(8)

site search Google Custom Search

Library

online dictionary

linux docs

linux man pages

page load time

Toys

world sunlight

moon phase

trace explorer