An SELinux security policy defines access parameters for every process and resource on the system. It enforces rules for allowing or denying different domains and types to access each other. Using semanage, we can list, edit, add, or delete the different values in the policy, and even export and import our customizations.
Let’s learn with the help of an example. Let’s see which ports httpd_t can use by listing the port types that contain "http":
# semanage port -l | grep http
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
As we can see, http_port_t, the port type used by the Apache daemon, is allowed by default to use TCP ports 80, 81, 443, 488, 8008, 8009, 8443, and 9000. That means that if we want to run Apache on any of those ports, no change to the policy is required.
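The check above can be scripted so that the decision (no change, add a label, or modify an existing label) is made from the listing rather than by eye. This is an added example, not code from the original page: SAMPLE_OUTPUT is a constructed copy of the listing above, and port_owner and needed_command are helper names chosen here.

```shell
# Added example, not from the original page: decide whether a port is already
# labelled for a given SELinux port type by parsing `semanage port -l` output.
# SAMPLE_OUTPUT is constructed to mirror the listing above; on a real host use:
#   SAMPLE_OUTPUT=$(semanage port -l)
SAMPLE_OUTPUT='http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000'

# port_owner PROTO PORT
# Prints the port type whose PROTO list contains PORT (single ports and
# low-high ranges such as 10001-10010 both count); prints nothing if unlabelled.
port_owner() {
    printf '%s\n' "$SAMPLE_OUTPUT" | awk -v p="$1" -v n="$2" '
        $2 == p {
            for (i = 3; i <= NF; i++) {
                f = $i; sub(/,$/, "", f)              # strip the trailing comma
                if (split(f, r, "-") == 2) {          # a low-high range
                    if (n + 0 >= r[1] + 0 && n + 0 <= r[2] + 0) print $1
                } else if (f + 0 == n + 0) {          # a single port
                    print $1
                }
            }
        }'
}

# needed_command TYPE PROTO PORT
# Prints the semanage command that would label PORT with TYPE, or a note that
# no change is needed. Uses -m (modify) rather than -a (add) when the port is
# already labelled with another type, because -a fails with "already defined".
needed_command() {
    owner=$(port_owner "$2" "$3")
    if [ "$owner" = "$1" ]; then
        echo "no policy change required"
    elif [ -z "$owner" ]; then
        echo "semanage port -a -t $1 -p $2 $3"
    else
        echo "semanage port -m -t $1 -p $2 $3"
    fi
}

needed_command http_port_t tcp 443    # no policy change required
needed_command http_port_t tcp 8081   # semanage port -a -t http_port_t -p tcp 8081
needed_command http_port_t tcp 8080   # semanage port -m -t http_port_t -p tcp 8080 (8080 is http_cache_port_t)
```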
When invoked without arguments, semanage prints a usage summary listing the subcommands we can use, such as the following:
- import: This allows the importing of local modifications.
- export: This allows the exporting of local changes.
- login: This allows the login and SELinux user associations to be managed.
- user: This manages SELinux users with roles and levels.
- port: This manages port definitions and types.
- ibpkey: This manages InfiniBand pkey type definitions.
- ibendport: This manages InfiniBand end port type definitions.
- interface: This manages network interface type definitions.
- module: This manages policy modules for SELinux.
- node: This manages definitions of network nodes.
- fcontext: This manages file context definitions.
- boolean: This manages Booleans for tweaking policies.
- permissive: This manages the enforcement mode of individual process types (domains can be set to permissive).
- dontaudit: This manages the dontaudit rules in the policy.
semanage Command Examples
1. Output local customizations:
# semanage -S store -o path/to/output_file
2. Take a set of commands from a specified file and load them in a single transaction:
# semanage -S store -i path/to/input_file
3. Manage booleans. Booleans allow the administrator to modify the confinement of processes based on the current configuration:
# semanage boolean -S store --delete|--modify|--list|--noheading|--deleteall --on|--off -F boolean|boolean_file
4. Manage policy modules:
# semanage module -S store --add|--delete|--list|--modify --enable|--disable module_name
5. Enable or disable dontaudit rules in the policy:
# semanage dontaudit -S store on|off