
semanage: SELinux Policy Management

semanage is a command-line tool used for managing SELinux (Security-Enhanced Linux) policies. It allows you to add, modify, delete, and list various SELinux policy elements, including file contexts, network ports, booleans, and user mappings. It helps ensure that applications and services operate securely by providing fine-grained control over your system's security policy.

Overview

semanage is used for making persistent changes to SELinux policies. `chcon` changes a file's context only until the next relabel, and `restorecon` applies the contexts the policy already defines; `semanage` records new rules in the policy store so they survive relabels and system reboots.

Key Management Targets

These are the main SELinux policy elements that can be managed with semanage:

  • File Contexts: Assigning SELinux types to files and directories at specific paths.
  • Network Ports: Assigning SELinux types to specific network ports.
  • SELinux Booleans: Switches that enable or disable specific behaviors of the SELinux policy.
  • SELinux User Mappings: Mapping Linux users to SELinux users.

Key Options

semanage takes an object type as its first argument (for example `fcontext`, `port`, `boolean` or `login`) followed by an action that is common to all object types: `-a` adds a rule, `-m` modifies an existing one, `-d` deletes one and `-l` lists the rules currently in effect.


Usage Examples

Demonstrates various scenarios for managing SELinux policies using the semanage command.

List All File Context Rules

sudo semanage fcontext -l

Checks all file context mapping rules currently defined on the system.

List Specific Port Rules

sudo semanage port -l | grep http

Lists the port rules whose type name contains "http", such as http_port_t, which are the ports the HTTP service may bind to.

Add Custom File Context

sudo semanage fcontext -a -t httpd_sys_content_t "/var/www/html/my_app(/.*)?"

Adds a rule assigning the httpd_sys_content_t type to the /var/www/html/my_app directory and everything beneath it. The rule only records the mapping; run restorecon on the path afterwards to apply it to files that already exist.

Add Custom Port

sudo semanage port -a -t http_port_t -p tcp 8080

Adds TCP port 8080 with the http_port_t type, making it available for web services. If the port is already assigned to another type, semanage refuses the `-a` and reports the port as already defined; use `-m` instead to change the existing assignment.
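A small helper, added here as an example and not part of semanage or of the original page, that applies the caveat above before touching the policy: it parses `semanage port -l` output and decides whether `-a`, `-m` or nothing is the right action for a given port. The sample listing and the function names are constructed for the example.

```python
import subprocess
from typing import NamedTuple, Optional

class PortEntry(NamedTuple):
    setype: str
    proto: str
    low: int
    high: int

class Plan(NamedTuple):
    action: str             # "noop", "add" or "modify"
    command: Optional[str]  # the semanage command to run, None for noop
    ranges: frozenset       # types whose port *range* covers the port (informational)

def parse_port_list(listing: str) -> list:
    """Parse `semanage port -l` lines of the form '<type> <proto> <n>, <n>, <lo>-<hi>, ...'."""
    entries = []
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[1] not in ("tcp", "udp", "sctp", "dccp"):
            continue  # header line or blank line
        setype, proto = parts[0], parts[1]
        for item in " ".join(parts[2:]).split(","):
            if item.strip():
                low, _, high = item.strip().partition("-")
                entries.append(PortEntry(setype, proto, int(low), int(high or low)))
    return entries

def plan_port_label(listing: str, port: int, proto: str, target: str) -> Plan:
    """Decide whether `-a` or `-m` is needed to label port/proto as target."""
    entries = [e for e in parse_port_list(listing) if e.proto == proto]
    exact = {e.setype for e in entries if e.low == e.high == port}
    ranges = frozenset(e.setype for e in entries if e.low < e.high and e.low <= port <= e.high)
    if target in exact:
        return Plan("noop", None, ranges)
    if exact:
        # The key <proto>/<port> already exists: `-a` is refused with "already defined",
        # while `-m` overrides the existing assignment with a local customization.
        return Plan("modify", f"semanage port -m -t {target} -p {proto} {port}", ranges)
    # No exact key exists (a range entry is a different key), so `-a` is accepted.
    return Plan("add", f"semanage port -a -t {target} -p {proto} {port}", ranges)

# Constructed sample of `semanage port -l` output (not captured from a real system).
SAMPLE_LISTING = """\
SELinux Port Type               Proto    Port Number

http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
"""

if __name__ == "__main__":
    # On a real host, feed the live listing instead of the sample above.
    listing = subprocess.run(["semanage", "port", "-l"], capture_output=True,
                             text=True, check=True).stdout
    print(plan_port_label(listing, 8080, "tcp", "http_port_t"))
```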

Enable SELinux Boolean

sudo semanage boolean -m --on httpd_can_network_connect

Enables the httpd_can_network_connect boolean, allowing the Apache web server to initiate network connections.

Installation

semanage is typically provided as part of the 'policycoreutils' or a similar package on most Linux distributions that use SELinux. Here's how to install it on major distributions.

RHEL/CentOS/Fedora

sudo dnf install policycoreutils-python-utils

Install the 'policycoreutils-python-utils' package using the DNF package manager (or YUM on older releases).

Debian/Ubuntu

sudo apt install policycoreutils-python-utils

Install the 'policycoreutils-python-utils' package, which provides semanage, using the APT package manager. The 'selinux-utils' package supplies only the basic tools such as getenforce and setenforce.

Tips & Precautions

Useful tips and precautions when managing SELinux policies with semanage.

Applying Changes

After changing file context rules, you must run the 'restorecon' command to apply the new contexts to the files already on the file system; semanage only records the rule.

  • `sudo restorecon -Rv /path/to/directory`

Troubleshooting and Policy Generation

If SELinux-related issues occur, check the `/var/log/audit/audit.log` file to identify denied operations. You can then use the `audit2allow` tool to generate necessary policy rules.

  • `sudo tail -f /var/log/audit/audit.log` (View real-time logs)
  • `sudo audit2allow -a -M mypolicy` (Generate 'mypolicy.te' and 'mypolicy.pp' files based on policy violation logs; review 'mypolicy.te' before loading it, since it allows every operation that was denied)
  • `sudo semodule -i mypolicy.pp` (Load the generated policy module)

Precautions

Incorrectly modifying SELinux policies can block access to specific services or the entire system. It is crucial to back up your current policy or test changes carefully before applying them. `semanage export` writes all local customizations to standard output, which is the simplest way to back them up before making changes.
