diff --git a/pages/linux/semanage.md b/pages/linux/semanage.md index e7c7cd267..89b3459d9 100644 --- a/pages/linux/semanage.md +++ b/pages/linux/semanage.md 
@@ -1,24 +1,28 @@ # semanage -> SELinux Policy Management tool. +> SELinux persistent policy management tool. > More information: . -- Output local customizations: +- Set or unset a SELinux boolean. Booleans allow the administrator to customize how policy rules affect confined process types (a.k.a domains): -`semanage -S {{store}} -o {{path/to/output_file}}` +`sudo semanage boolean {{-m|--modify}} {{-1|--on|-0|--off}} {{haproxy_connect_any}}` -- Take a set of commands from a specified file and load them in a single transaction: +- Add a user-defined file context labeling rule. File contexts define what files confined domains are allowed to access: -`semanage -S {{store}} -i {{path/to/input_file}}` +`sudo semanage fcontext {{-a|--add}} {{-t|--type}} {{samba_share_t}} '/mnt/share(/.*)?'` -- Manage booleans. Booleans allow the administrator to modify the confinement of processes based on the current configuration: +- Add a user-defined port labeling rule. Port labels define what ports confined domains are allowed to listen on: -`semanage boolean -S {{store}} {{--delete|--modify|--list|--noheading|--deleteall}} {{-on|-off}} -F {{boolean|boolean_file}}` +`sudo semanage port {{-a|--add}} {{-t|--type}} {{ssh_port_t}} {{-p|--proto}} {{tcp}} {{22000}}` -- Manage policy modules: +- Set or unset permissive mode for a confined domain. Per-domain permissive mode allows more granular control compared to `setenforce`: -`semanage module -S {{store}} {{--add|--delete|--list|--modify}} {{--enable|--disable}} {{module_name}}` +`sudo semenage permissive {{-a|--add|-d|--delete}} {{httpd_t}}` -- Disable/Enable dontaudit rules in policy: +- Output local customizations in the default store: -`semanage dontaudit -S {{store}} {{on|off}}` +`sudo semanage export {{-f|--output_file}} {{path/to/file}}` + +- Import a file generated by `semanage export` into local customizations (CAREFUL: may remove current customizations!): + +`sudo semanage import {{-f|--input_file}} {{path/to/file}}`
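Review bot: the new permissive example is misspelled, `sudo semenage permissive {{-a|--add|-d|--delete}} {{httpd_t}}` should read `sudo semanage permissive ...`, otherwise users copying the command get a command-not-found error; please fix before merge. Two smaller wording points in the same hunk: "a.k.a domains" wants the closing period ("a.k.a. domains"), and "Set or unset a SELinux boolean" reads more naturally as "an SELinux boolean" given how the acronym is pronounced. The rest of the rewrite looks good: replacing the `-S {{store}}` variants with the `boolean`, `fcontext`, `port`, `permissive`, `export` and `import` subcommands matches how the tool is actually used, and keeping the warning on `import` about overwriting current customizations is worth having.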