Security
semanage
Manage SELinux policy configurations.
Additional Notes
semanage is the SELinux policy management tool for configuring SELinux policy without modifying policy source files. It manages the persistent local policy settings, including file context mappings, port labels, login mappings, booleans, and user mappings.
Unlike chcon which changes security context temporarily, semanage makes permanent changes to the SELinux policy that persist across filesystem relabeling (restorecon). This makes it the correct tool for defining how files, ports, and other objects should be labeled on the system.
Syntax
semanage {login|user|port|interface|node|fcontext|boolean|permissive|dontaudit} [options]
Subcommands
fcontext: Manage file context mappings (defines default labels for paths).port: Manage port type mappings for network services.boolean: Manage SELinux booleans to toggle policy rules.login: Manage Linux-to-SELinux user mappings.user: Manage SELinux user identities.interface: Manage network interface context.node: Manage network node context.permissive: Manage permissive domain list.dontaudit: Toggle dontaudit rules.module: Manage SELinux policy modules.
Parameters
options: Flags that change howsemanagebehaves.target: Optional file, device, interface, user, service, or command target when the command supports one.
Common Options
-l,--list: List the current configuration for the given subcommand.-a,--add: Add a new mapping or entry.-d,--delete: Delete a mapping or entry.-m,--modify: Modify an existing entry.-t type: Specify the SELinux type for the mapping.-p proto: Specify protocol (tcp or udp) for port operations.-f ftype: Specify file type for fcontext (afor all,ffor regular,dfor directory, etc.).
Examples
semanage fcontext -l
List all file context mappings.
semanage fcontext -a -t httpd_sys_content_t "/var/www(/.*)?"
Add a file context mapping for /var/www so restorecon labels it correctly.
semanage port -l
List all port type mappings.
semanage port -a -t http_port_t -p tcp 8080
Map TCP port 8080 to the http_port_t type.
semanage boolean -l
List all booleans with their current and default values.
semanage boolean -m --on httpd_can_network_connect
Enable the httpd_can_network_connect boolean persistently.
Practical Notes
- Changes made with
semanagepersist across reboots and relabeling. - File context mappings use regular expressions for path matching.
- After adding fcontext rules, run
restorecon -Rv /pathto apply the new labels. - Port labeling tells SELinux which ports services are allowed to bind to.
semanagerequires root privileges for most operations.- The
selinux-policy-develorpolicycoreutils-python-utilspackage providessemanage.