8904ffe4de
The man page shows --role as an option, but the real option is --roles. Fix the man page. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
237 lines
7.2 KiB
Groff
237 lines
7.2 KiB
Groff
.TH "semanage" "8" "20100223" "" ""
|
|
.SH "NAME"
|
|
semanage \- SELinux Policy Management tool
|
|
|
|
.SH "SYNOPSIS"
|
|
Output local customizations
|
|
.br
|
|
.B semanage [ -S store ] -o [ output_file | - ]
|
|
|
|
Input local customizations
|
|
.br
|
|
.B semanage [ -S store ] -i [ input_file | - ]
|
|
|
|
Manage booleans. Booleans allow the administrator to modify the confinement of
|
|
processes based on his configuration.
|
|
.br
|
|
.B semanage boolean [\-S store] \-{d|m|l|D} [\-nN] [\-\-on|\-\-off|\-\1|\-0] -F boolean | boolean_file
|
|
|
|
Manage SELinux confined users (Roles and levels for an SELinux user)
|
|
.br
|
|
.B semanage user [\-S store] \-{a|d|m|l|D} [\-LnNPrR] selinux_name
|
|
|
|
Manage login mappings between linux users and SELinux confined users.
|
|
.br
|
|
.B semanage login [\-S store] \-{a|d|m|l|D} [\-nNrs] login_name | %groupname
|
|
|
|
Manage policy modules.
|
|
.br
|
|
.B semanage module [\-S store] \-{a|d|l} [-m [--enable | --disable] ] [\-N] module_name
|
|
|
|
Manage network port type definitions
|
|
.br
|
|
.B semanage port [\-S store] \-{a|d|m|l|D} [\-nNrt] [\-p proto] port | port_range
|
|
.br
|
|
|
|
Manage network interface type definitions
|
|
.br
|
|
.B semanage interface [\-S store] \-{a|d|m|l|D} [\-nNrt] interface_spec
|
|
|
|
Manage network node type definitions
|
|
.br
|
|
.B semanage node [\-S store] -{a|d|m|l|D} [-nNrt] [ -p protocol ] [-M netmask] address
|
|
.br
|
|
|
|
Manage file context mapping definitions
|
|
.br
|
|
.B semanage fcontext [\-S store] \-{l} [\-Cn]
|
|
.br
|
|
.B semanage fcontext [\-S store] \-D [\-N]
|
|
.br
|
|
.B semanage fcontext [\-S store] \-{a|d|m} [\-Nfrst] file_spec
|
|
.br
|
|
.B semanage fcontext [\-S store] \-{a|d|m} \-e replacement target
|
|
.br
|
|
|
|
Manage processes type enforcement mode
|
|
.br
|
|
.B semanage permissive [\-S store] \-{a|d|l|D} [\-nN] type
|
|
.br
|
|
|
|
Disable/Enable dontaudit rules in policy
|
|
.br
|
|
.B semanage dontaudit [\-N] [\-S store] [ on | off ]
|
|
.P
|
|
|
|
Execute multiple commands within a single transaction.
|
|
.br
|
|
.B semanage [\-S store] [\-N] \-i command-file
|
|
.br
|
|
|
|
.SH "DESCRIPTION"
|
|
semanage is used to configure certain elements of
|
|
SELinux policy without requiring modification to or recompilation
|
|
from policy sources. This includes the mapping from Linux usernames
|
|
to SELinux user identities (which controls the initial security context
|
|
assigned to Linux users when they login and bounds their authorized role set)
|
|
as well as security context mappings for various kinds of objects, such
|
|
as network ports, interfaces, and nodes (hosts) as well as the file
|
|
context mapping. See the EXAMPLES section below for some examples
|
|
of common usage. Note that the semanage login command deals with the
|
|
mapping from Linux usernames (logins) to SELinux user identities,
|
|
while the semanage user command deals with the mapping from SELinux
|
|
user identities to authorized role sets. In most cases, only the
|
|
former mapping needs to be adjusted by the administrator; the latter
|
|
is principally defined by the base policy and usually does not require
|
|
modification.
|
|
|
|
.SH "OPTIONS"
|
|
.TP
|
|
.I \-a, \-\-add
|
|
Add a OBJECT record NAME
|
|
.TP
|
|
.I \-d, \-\-delete
|
|
Delete a OBJECT record NAME
|
|
.TP
|
|
.I \-D, \-\-deleteall
|
|
Remove all OBJECTS local customizations
|
|
.TP
|
|
.I \-\-disable
|
|
Disable a policy module, requires -m option
|
|
|
|
Currently modules only.
|
|
.TP
|
|
.I \-\-enable
|
|
Enable a disabled policy module, requires -m option
|
|
|
|
Currently modules only.
|
|
.TP
|
|
.I \-e, \-\-equal
|
|
Substitute target path with sourcepath when generating default label. This is used with
|
|
fcontext. Requires source and target path arguments. The context
|
|
labeling for the target subtree is made equivalent to that
|
|
defined for the source.
|
|
.TP
|
|
.I \-f, \-\-ftype
|
|
File Type. This is used with fcontext.
|
|
Requires a file type as shown in the mode field by ls, e.g. use -d to match only directories or -- to match only regular files.
|
|
.TP
|
|
.I \-F, \-\-file
|
|
Set multiple records from the input file. When used with the \-l \-\-list, it will output the current settings to stdout in the proper format.
|
|
|
|
Currently booleans only.
|
|
|
|
.TP
|
|
.I \-h, \-\-help
|
|
display this message
|
|
.TP
|
|
.I \-l, \-\-list
|
|
List the OBJECTS
|
|
.TP
|
|
.I \-C, \-\-locallist
|
|
List only locally defined settings, not base policy settings.
|
|
.TP
|
|
.I \-L, \-\-level
|
|
Default SELinux Level for SELinux user, s0 Default. (MLS/MCS Systems only)
|
|
.TP
|
|
.I \-m, \-\-modify
|
|
Modify a OBJECT record NAME
|
|
.TP
|
|
.I \-M, \-\-mask
|
|
Network Mask
|
|
.TP
|
|
.I \-n, \-\-noheading
|
|
Do not print heading when listing OBJECTS.
|
|
.TP
|
|
.B \-N,\-\-noreload
|
|
do not reload policy after commit
|
|
.TP
|
|
.I \-p, \-\-proto
|
|
Protocol for the specified port (tcp|udp) or internet protocol version for the specified node (ipv4|ipv6).
|
|
.TP
|
|
.I \-r, \-\-range
|
|
MLS/MCS Security Range (MLS/MCS Systems only)
|
|
SELinux Range for SELinux login mapping defaults to the SELinux user record range.
|
|
SELinux Range for SELinux user defaults to s0.
|
|
.TP
|
|
.I \-R, \-\-roles
|
|
SELinux Roles. You must enclose multiple roles within quotes, separate by spaces. Or specify \-R multiple times.
|
|
.TP
|
|
.I \-P, \-\-prefix
|
|
SELinux Prefix. Prefix added to home_dir_t and home_t for labeling users home directories.
|
|
.TP
|
|
.I \-s, \-\-seuser
|
|
SELinux user name
|
|
.TP
|
|
.I \-S, \-\-store
|
|
Select and alternate SELinux store to manage
|
|
.TP
|
|
.I \-t, \-\-type
|
|
SELinux Type for the object
|
|
.TP
|
|
.I \-i, \-\-input
|
|
Take a set of commands from a specified file and load them in a single
|
|
transaction.
|
|
.TP
|
|
.I \-o, \-\-output
|
|
Output all local customizations into a file. This file than can be used with the semanage -i command to customize other machines to match the local machine.
|
|
|
|
.SH EXAMPLE
|
|
.nf
|
|
.B SELinux user
|
|
List SELinux users
|
|
# semanage user -l
|
|
|
|
.B SELinux login
|
|
Change joe to login as staff_u
|
|
# semanage login -a -s staff_u joe
|
|
Change the group clerks to login as user_u
|
|
# semanage login -a -s user_u %clerks
|
|
|
|
.B File contexts
|
|
.i remember to run restorecon after you set the file context
|
|
Add file-context for everything under /web
|
|
# semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
|
|
# restorecon -R -v /web
|
|
|
|
Substitute /home1 with /home when setting file context
|
|
# semanage fcontext -a -e /home /home1
|
|
# restorecon -R -v /home1
|
|
|
|
For home directories under top level directory, for example /disk6/home,
|
|
execute the following commands.
|
|
# semanage fcontext -a -t home_root_t "/disk6"
|
|
# semanage fcontext -a -e /home /disk6/home
|
|
# restorecon -R -v /disk6
|
|
|
|
.B Port contexts
|
|
Allow Apache to listen on tcp port 81
|
|
# semanage port -a -t http_port_t -p tcp 81
|
|
|
|
.B Change apache to a permissive domain
|
|
# semanage permissive -a httpd_t
|
|
|
|
.B Turn off dontaudit rules
|
|
# semanage dontaudit off
|
|
|
|
.B Managing multiple machines
|
|
Multiple machines that need the same customizations.
|
|
Extract customizations off first machine, copy them
|
|
to second and import them.
|
|
|
|
# semanage -o /tmp/local.selinux
|
|
# scp /tmp/local.selinux secondmachine:/tmp
|
|
# ssh secondmachine
|
|
# semanage -i /tmp/local.selinux
|
|
|
|
If these customizations include file context, you need to apply the
|
|
context using restorecon.
|
|
|
|
.fi
|
|
|
|
.SH "AUTHOR"
|
|
This man page was written by Daniel Walsh <dwalsh@redhat.com>
|
|
.br
|
|
and Russell Coker <rcoker@redhat.com>.
|
|
.br
|
|
Examples by Thomas Bleher <ThomasBleher@gmx.de>.
|