Provided by: policycoreutils_2.1.0-3ubuntu1_amd64 bug


       semanage - SELinux Policy Management tool


       semanage {boolean|login|user|port|interface|node|fcontext} -{l|D} [-n] [-S store]
       semanage boolean -{d|m} [--on|--off|-1|-0] -F boolean | boolean_file
       semanage login -{a|d|m} [-sr] login_name | %groupname
       semanage user -{a|d|m} [-LrRP] selinux_name
       semanage port -{a|d|m} [-tr] [-p proto] port | port_range
       semanage interface -{a|d|m} [-tr] interface_spec
       semanage node -{a|d|m} [-tr] [ -p protocol ] [-M netmask] address
       semanage fcontext -{a|d|m} [-frst] file_spec
       semanage permissive -{a|d} type
       semanage -i command-file
       semanage dontaudit [ on | off ]


       semanage  is  used  to  configure  certain  elements  of  SELinux policy without requiring
       modification to or recompilation from policy sources.   This  includes  the  mapping  from
       Linux  usernames  to  SELinux user identities (which controls the initial security context
       assigned to Linux users when they login and bounds their authorized role set) as  well  as
       security context mappings for various kinds of objects, such as network ports, interfaces,
       and nodes (hosts) as well as the file context mapping. See the EXAMPLES section below  for
       some  examples  of  common  usage.   Note  that  the semanage login command deals with the
       mapping from Linux usernames (logins) to SELinux user identities, while the semanage  user
       command  deals  with the mapping from SELinux user identities to authorized role sets.  In
       most cases, only the former mapping needs to be adjusted by the administrator; the  latter
       is principally defined by the base policy and usually does not require modification.


       -a, --add
              Add a OBJECT record NAME

       -d, --delete
              Delete a OBJECT record NAME

       -D, --deleteall
              Remove all OBJECTS local customizations

       -f, --ftype
              File Type.   This is used with fcontext.  Requires a file type as shown in the mode
              field by ls, e.g. use -d to match only directories or  --  to  match  only  regular

       -F, --file
              Set  multiple  records  from the input file.  When used with the -l --list, it will
              output the current settings to stdout in the proper format.

              Currently booleans only.

       -h, --help
              display this message

       -l, --list
              List the OBJECTS

       -C, --locallist
              List only locally defined settings, not base policy settings.

       -L, --level
              Default SELinux Level for SELinux use, s0 Default. (MLS/MCS Systems only)

       -m, --modify
              Modify a OBJECT record NAME

       -n, --noheading
              Do not print heading when listing OBJECTS.

       -p, --proto
              Protocol for the specified port (tcp|udp) or  internet  protocol  version  for  the
              specified node (ipv4|ipv6).

       -r, --range
              MLS/MCS Security Range (MLS/MCS Systems only)

       -R, --role
              SELinux  Roles.  You must enclose multiple roles within quotes, separate by spaces.
              Or specify -R multiple times.

       -P, --prefix
              SELinux Prefix.  Prefix added to home_dir_t and  home_t  for  labeling  users  home

       -s, --seuser
              SELinux user name

       -S, --store
              Select and alternate SELinux store to manage

       -t, --type
              SELinux Type for the object

       -i     Take a set of commands from a specified file and load them in a single transaction.


       # View SELinux user mappings
       $ semanage user -l
       # Allow joe to login as staff_u
       $ semanage login -a -s staff_u joe
       # Allow the group clerks to login as user_u
       $ semanage login -a -s user_u %clerks
       # Add file-context for everything under /web (used by restorecon)
       $ semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
       # Allow Apache to listen on port 81
       $ semanage port -a -t http_port_t -p tcp 81
       # Change apache to a permissive domain
       $ semanage permissive -a httpd_t
       # Turn off dontaudit rules
       $ semanage dontaudit off


       This  man  page  was  written  by  Daniel  Walsh  <>  and  Russell  Coker
       <>.  Examples by Thomas Bleher <>.

                                            2005111103                                semanage(8)