commands.sh

semanage

linux

SELinux persistent policy management tool. Some subcommands such as `boolean`, `fcontext`, `port`, etc. have their own usage documentation.

More info →

Subcommands (7)

semanage boolean

Manage persistent SELinux boolean settings. See also: `semanage`, `getsebool`, `setsebool`.

semanage fcontext

Manage persistent SELinux security context rules on files/directories. See also: `semanage`, `matchpathcon`, `secon`, `chcon`, `restorecon`.

semanage interface

Manage SELinux network interface type definitions. See also: `semanage`, `semanage-port`.

semanage-login

Manage SELinux login mappings between Linux users and SELinux users. See also: `semanage`, `semanage-user`.

semanage permissive

Manage persistent SELinux permissive domains. Note that this effectively makes the process unconfined. For long-term use, it is recommended to configure SELinux properly. See also: `semanage`, `getenforce`, `setenforce`.

semanage port

Manage persistent SELinux port definitions. See also: `semanage`.

semanage-user

Manage SELinux user mappings. See also: `semanage`, `semanage-login`.

Options (6)

-m, --modifyboolean

Set or unset a SELinux boolean. Booleans allow the administrator to customize how policy rules affect confined process types (a.k.a domains)

Example: sudo semanage boolean {{[-m|--modify]}} {{--on|--off}} {{haproxy_connect_any}}
-a, --addboolean

Add a user-defined file context labeling rule. File contexts define what files confined domains are allowed to access

Example: sudo semanage fcontext {{[-a|--add]}} {{[-t|--type]}} {{samba_share_t}} '/mnt/share(/.*)?'
-t, --typeboolean

Add a user-defined file context labeling rule. File contexts define what files confined domains are allowed to access

Example: sudo semanage fcontext {{[-a|--add]}} {{[-t|--type]}} {{samba_share_t}} '/mnt/share(/.*)?'
-p, --protoboolean

Add a user-defined port labeling rule. Port labels define what ports confined domains are allowed to listen on

Example: sudo semanage port {{[-a|--add]}} {{[-t|--type]}} {{ssh_port_t}} {{[-p|--proto]}} {{tcp}} {{22000}}
-f, --output_fileboolean

Output local customizations in the default store

Example: sudo semanage export {{[-f|--output_file]}} {{path/to/file}}
-f, --input_fileboolean

Import a file generated by `semanage export` into local customizations (CAREFUL: may remove current customizations!)

Example: sudo semanage import {{[-f|--input_file]}} {{path/to/file}}

Examples (6)

Set or unset a SELinux boolean. Booleans allow the administrator to customize how policy rules affect confined process types (a.k.a domains)

sudo semanage boolean [-m|--modify] --on|--off haproxy_connect_any

Add a user-defined file context labeling rule. File contexts define what files confined domains are allowed to access

sudo semanage fcontext [-a|--add] [-t|--type] samba_share_t '/mnt/share(/.*)?'

Add a user-defined port labeling rule. Port labels define what ports confined domains are allowed to listen on

sudo semanage port [-a|--add] [-t|--type] ssh_port_t [-p|--proto] tcp 22000

Set or unset permissive mode for a confined domain. Per-domain permissive mode allows more granular control compared to `setenforce`

sudo semanage permissive --add|--delete httpd_t

Output local customizations in the default store

sudo semanage export [-f|--output_file] path/to/file

Import a file generated by `semanage export` into local customizations (CAREFUL: may remove current customizations!)

sudo semanage import [-f|--input_file] path/to/file
made by @shridhargupta | data from tldr-pages