Copyright © tutorialspoint.com

semanage - Unix, Linux Command

previous next

Advertisements

NAME

semanage - SELinux Policy Management tool

SYNOPSIS

semanage {login|user|port|interface|fcontext|translation} -l [-n]
semanage login -{a|d|m} [-sr] login_name
semanage user -{a|d|m} [-LrRP] selinux_name
semanage port -{a|d|m} [-tr] [-p protocol] port | port_range
semanage interface -{a|d|m} [-tr] interface_spec
semanage fcontext -{a|d|m} [-frst] file_spec
semanage translation -{a|d|m} [-T] level

DESCRIPTION

semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources. This includes the mapping from Linux usernames to SELinux user identities (which controls the initial security context assigned to Linux users when they login and bounds their authorized role set) as well as security context mappings for various kinds of objects, such as network ports, interfaces, and nodes (hosts) as well as the file context mapping. See the EXAMPLES section below for some examples of common usage. Note that the semanage login command deals with the mapping from Linux usernames (logins) to SELinux user identities, while the semanage user command deals with the mapping from SELinux user identities to authorized role sets. In most cases, only the former mapping needs to be adjusted by the administrator; the latter is principally defined by the base policy and usually does not require modification.

OPTIONS

TagDescription
-a, --add
  Add a OBJECT record NAME
-d, --delete
  Delete a OBJECT record NAME
-f, --ftype
  File Type. This is used with fcontext. Requires a file type as shown in the mode field by ls, e.g. use -d to match only directories or -- to match only regular files.
-h, --help
  display this message
-l, --list
  List the OBJECTS
-L, --level
  Default SELinux Level for SELinux use, s0 Default. (MLS/MCS Systems only)
-m, --modify
  Modify a OBJECT record NAME
-n, --noheading
  Do not print heading when listing OBJECTS.
-p, --proto
  Protocol for the specified port (tcp|udp).
-r, --range
  MLS/MCS Security Range (MLS/MCS Systems only)
-R, --role
  SELinux Roles. You must enclose multiple roles within quotes, separate by spaces. Or specify -R multiple times.
-P, --prefix
  SELinux Prefix. Prefix added to home_dir_t and home_t for labeling users home directories.
-s, --seuser
  SELinux user name
-t, --type
  SELinux Type for the object
-T, --trans
  SELinux Translation

EXAMPLE

# View SELinux user mappings
$ semanage user -l
# Allow joe to login as staff_u
$ semanage login -a -s staff_u joe
# Add file-context for everything under /web (used by restorecon)
$ semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
# Allow Apache to listen on port 81
$ semanage port -a -t http_port_t -p tcp 81

AUTHOR

This man page was written by Daniel Walsh <dwalsh@redhat.com> and Russell Coker <rcoker@redhat.com>. Examples by Thomas Bleher <ThomasBleher@gmx.de>.


previous next

Copyright © tutorialspoint.com