UNIX Manual Page: man 8 semanage

semanage(8)                                                        semanage(8)
NAME
       semanage - SELinux Policy Management tool

SYNOPSIS
       semanage {login|user|port|interface|fcontext} -l [-n]
       semanage login -{a|d|m} [-sr] login_name
       semanage user -{a|d|m} [-LrRP] selinux_name
       semanage port -{a|d|m} [-tr] [-p protocol] port | port_range
       semanage interface -{a|d|m} [-tr] interface_spec
       semanage fcontext -{a|d|m} [-frst] file_spec

DESCRIPTION
       semanage  is used to configure certain elements of SELinux policy with-
       out requiring modification to or  recompilation  from  policy  sources.
       This  includes the mapping from Linux usernames to SELinux user identi-
       ties (which controls the initial security  context  assigned  to  Linux
       users  when they login and bounds their authorized role set) as well as
       security context mappings for various kinds of objects, such as network
       ports,  interfaces,  and nodes (hosts) as well as the file context map-
       ping. See the EXAMPLES section below for some examples of common usage.
       Note  that the semanage login command deals with the mapping from Linux
       usernames (logins) to SELinux user identities, while the semanage  user
       command  deals  with the mapping from SELinux user identities to autho-
       rized role sets.  In most cases, only the former mapping  needs  to  be
       adjusted by the administrator; the latter is principally defined by the
       base policy and usually does not require modification.

OPTIONS
       -a, --add
              Add a OBJECT record NAME

       -d, --delete
              Delete a OBJECT record NAME

       -f, --ftype
              File Type.   This is used with fcontext.  Requires a  file  type
              as  shown  in  the  mode  field by ls, e.g. use -d to match only
              directories or -- to match only regular files.

       -h, --help
              display this message

       -l, --list
              List the OBJECTS

       -L, --level
              Default SELinux Level for SELinux use, s0 Default. (MLS/MCS Sys-
              tems only)

       -m, --modify
              Modify a OBJECT record NAME

       -n, --noheading
              Do not print heading when listing OBJECTS.

       -p, --proto
              Protocol for the specified port (tcp|udp).

       -r, --range
              MLS/MCS Security Range (MLS/MCS Systems only)

       -R, --role
              SELinux  Roles.   You must enclose multiple roles within quotes,
              separate by spaces. Or specify -R multiple times.

       -P, --prefix
              SELinux Prefix.  Prefix  added  to  home_dir_t  and  home_t  for
              labeling users home directories.

       -s, --seuser
              SELinux user name

       -t, --type
              SELinux Type for the object

EXAMPLE
       # View SELinux user mappings
       $ semanage user -l
       # Allow joe to login as staff_u
       $ semanage login -a -s staff_u joe
       # Add file-context for everything under /web (used by restorecon)
       $ semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
       # Allow Apache to listen on port 81
       $ semanage port -a -t http_port_t -p tcp 81

AUTHOR
       This  man page was written by Daniel Walsh <dwalsh@redhat.com> and Rus-
       sell Coker <rcoker@redhat.com>.  Examples by Thomas Bleher  <ThomasBle-
       her@gmx.de>.

                                  2005111103                       semanage(8)