
NAME

       semanage - SELinux Policy Management tool

SYNOPSIS

       semanage  {boolean|login|user|port|interface|node|fcontext} -{l|D} [-n]
       [-S store]
       semanage boolean -{d|m} [--on|--off|-1|-0] -F boolean | boolean_file
       semanage login -{a|d|m} [-sr] login_name | %groupname
       semanage user -{a|d|m} [-LrRP] selinux_name
       semanage port -{a|d|m} [-tr] [-p proto] port | port_range
       semanage interface -{a|d|m} [-tr] interface_spec
       semanage node -{a|d|m} [-tr] [ -p protocol ] [-M netmask] address
       semanage fcontext -{a|d|m} [-frst] file_spec
       semanage permissive -{a|d} type
       semanage -i command-file
       semanage dontaudit [ on | off ]

DESCRIPTION

       semanage is used to configure certain elements of SELinux policy
       without requiring modification to or recompilation from policy sources.
       This includes the mapping from Linux usernames to SELinux user
       identities (which controls the initial security context assigned to
       Linux users when they log in and bounds their authorized role set) as
       well as security context mappings for various kinds of objects, such as
       network ports, interfaces, and nodes (hosts), and the file context
       mapping. See the EXAMPLE section below for some examples of common
       usage. Note that the semanage login command deals with the mapping
       from Linux usernames (logins) to SELinux user identities, while the
       semanage user command deals with the mapping from SELinux user
       identities to authorized role sets. In most cases, only the former
       mapping needs to be adjusted by the administrator; the latter is
       principally defined by the base policy and usually does not require
       modification.

OPTIONS

       -a, --add
              Add an OBJECT record NAME

       -d, --delete
              Delete an OBJECT record NAME

       -D, --deleteall
              Remove all local customizations of OBJECTS

       -f, --ftype
              File Type.   This is used with fcontext.  Requires a  file  type
              as  shown  in  the  mode  field by ls, e.g. use -d to match only
              directories or -- to match only regular files.

       -F, --file
              Set multiple records from the input file.  When used with -l,
              --list, it outputs the current settings to stdout in the
              proper format.

              Currently booleans only.

       -h, --help
              display this message

       -l, --list
              List the OBJECTS

       -C, --locallist
              List only locally defined settings, not base policy settings.

       -L, --level
              Default SELinux level for the SELinux user; defaults to s0.
              (MLS/MCS systems only)

       -m, --modify
              Modify an OBJECT record NAME

       -n, --noheading
              Do not print heading when listing OBJECTS.

       -p, --proto
              Protocol  for  the specified port (tcp|udp) or internet protocol
              version for the specified node (ipv4|ipv6).

       -r, --range
              MLS/MCS Security Range (MLS/MCS Systems only)

       -R, --role
              SELinux roles.  You must enclose multiple roles within quotes,
              separated by spaces, or specify -R multiple times.

       -P, --prefix
              SELinux prefix.  Prefix added to home_dir_t and home_t for
              labeling users' home directories.

       -s, --seuser
              SELinux user name

       -S, --store
              Select an alternate SELinux store to manage

       -t, --type
              SELinux Type for the object

       -i     Take a set of commands from a specified file and load them in  a
              single transaction.

EXAMPLE

       # View SELinux user mappings
       $ semanage user -l
       # Allow joe to login as staff_u
       $ semanage login -a -s staff_u joe
       # Allow the group clerks to login as user_u
       $ semanage login -a -s user_u %clerks
       # Add file-context for everything under /web (used by restorecon)
       $ semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
       # Allow Apache to listen on port 81
       $ semanage port -a -t http_port_t -p tcp 81
       # Change apache to a permissive domain
       $ semanage permissive -a httpd_t
       # Turn off dontaudit rules
       $ semanage dontaudit off
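       The records shown above can also be loaded as one transaction with
       the -i option from OPTIONS: the command file holds one line per
       record, each line being the arguments that would follow semanage on
       the command line. The following shell script is an added example, not
       part of the semanage man page or distribution; its function names and
       its pre-checks on port specifications and protocols are assumptions,
       written so malformed input is rejected before it reaches semanage.

```shell
#!/bin/sh
# Build a semanage command file and load it in a single transaction (-i).
# Assumed layout: one "OBJECT ARGS" line per record, e.g.
#   port -a -t http_port_t -p tcp 81
# Function names and the validation rules below are this example's own.

# Return 0 if $1 is a single port or a low-high range within 1..65535.
valid_port_spec() {
    spec=$1
    case $spec in
        *-*) low=${spec%%-*}; high=${spec#*-} ;;
        *)   low=$spec; high=$spec ;;
    esac
    for p in "$low" "$high"; do
        case $p in ''|*[!0-9]*) return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    [ "$low" -le "$high" ]
}

# Return 0 if $1 is a protocol "semanage port" accepts (tcp|udp).
valid_proto() {
    case $1 in tcp|udp) return 0 ;; *) return 1 ;; esac
}

# Append "port -a -t SETYPE -p PROTO SPEC" to file $1, refusing bad input.
add_port_record() {
    file=$1; setype=$2; proto=$3; spec=$4
    valid_proto "$proto" || { echo "bad proto: $proto" >&2; return 1; }
    valid_port_spec "$spec" || { echo "bad port spec: $spec" >&2; return 1; }
    printf 'port -a -t %s -p %s %s\n' "$setype" "$proto" "$spec" >> "$file"
}

# Append "fcontext -a -t SETYPE REGEX" to file $1 (regex must not contain
# whitespace, since each line is split on spaces).
add_fcontext_record() {
    printf 'fcontext -a -t %s %s\n' "$2" "$3" >> "$1"
}

# Load the file as one transaction; assumes semanage is installed and the
# caller is root. A failing line aborts the whole transaction.
apply_batch() {
    semanage -i "$1"
}

# Constructed sample batch: the /web and port 81 records from EXAMPLE above,
# plus a port range, written to the file named in $1.
write_sample_batch() {
    : > "$1"
    add_fcontext_record "$1" httpd_sys_content_t '/web(/.*)?'
    add_port_record "$1" http_port_t tcp 81
    add_port_record "$1" http_port_t tcp 8080-8090
}
```

       After write_sample_batch has produced the file, apply_batch loads it
       with semanage -i, and semanage port -l / semanage fcontext -l show the
       resulting records.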

AUTHOR

       This  man  page  was  written  by  Daniel Walsh <dwalsh@redhat.com> and
       Russell  Coker  <rcoker@redhat.com>.    Examples   by   Thomas   Bleher
       <ThomasBleher@gmx.de>.

                                  2005111103                       semanage(8)