policycoreutils/semanage/semanage.8 - platform/external/selinux - Gitiles

 .TH "semanage" "8" "2005111103" "" ""
 .SH "NAME"
 semanage \- SELinux Policy Management tool

 .SH "SYNOPSIS"
 .B semanage {boolean|login|user|port|interface|node|fcontext} \-{l|D} [\-n] [\-S store]
 .br
 .B semanage boolean \-{d|m|D} [\-\-on|\-\-off|\-1|\-0] -F boolean | boolean_file
 .br
 .B semanage login \-{a|d|m|D} [\-sr] login_name | %groupname
 .br
 .B semanage user \-{a|d|m|D} [\-LrRP] selinux_name
 .br
 .B semanage port \-{a|d|m|D} [\-tr] [\-p proto] port | port_range
 .br
 .B semanage interface \-{a|d|m|D} [\-tr] interface_spec
 .br
 .B semanage node -{a|d|m|D} [-tr] [ -p protocol ] [-M netmask] address
 .br
 .B semanage fcontext \-{a|d|m|D} [\-frst] file_spec
 .br
 .B semanage permissive \-{a|d} type
 .br
 .B semanage -i command-file
 .br
 .B semanage dontaudit [ on | off ]
 .P

 .SH "DESCRIPTION"
 semanage is used to configure certain elements of
 SELinux policy without requiring modification to or recompilation
 from policy sources.  This includes the mapping from Linux usernames
 to SELinux user identities (which controls the initial security context
 assigned to Linux users when they login and bounds their authorized role set)
 as well as security context mappings for various kinds of objects, such
 as network ports, interfaces, and nodes (hosts) as well as the file
 context mapping. See the EXAMPLES section below for some examples
 of common usage.  Note that the semanage login command deals with the
 mapping from Linux usernames (logins) to SELinux user identities,
 while the semanage user command deals with the mapping from SELinux
 user identities to authorized role sets.  In most cases, only the
 former mapping needs to be adjusted by the administrator; the latter
 is principally defined by the base policy and usually does not require
 modification.

 .SH "OPTIONS"
 .TP
 .I                \-a, \-\-add
 Add a OBJECT record NAME
 .TP
 .I                \-d, \-\-delete
 Delete a OBJECT record NAME
 .TP
 .I                \-D, \-\-deleteall
 Remove all OBJECTS local customizations
 .TP
 .I                \-f, \-\-ftype
 File Type.   This is used with fcontext.
 Requires a file type as shown in the mode field by ls, e.g. use -d to match only directories or -- to match only regular files.
 .TP
 .I                \-F, \-\-file
 Set multiple records from the input file.  When used with the \-l \-\-list, it will output the current settings to stdout in the proper format.

 Currently booleans only.
 .TP
 .I                \-h, \-\-help
 display this message
 .TP
 .I                \-l, \-\-list
 List the OBJECTS
 .TP
 .I                \-C, \-\-locallist
 List only locally defined settings, not base policy settings.
 .TP
 .I                \-L, \-\-level
 Default SELinux Level for SELinux use, s0 Default. (MLS/MCS Systems only)
 .TP
 .I                \-m, \-\-modify
 Modify a OBJECT record NAME
 .TP
 .I                \-n, \-\-noheading
 Do not print heading when listing OBJECTS.
 .TP
 .I                \-p, \-\-proto
 Protocol for the specified port (tcp|udp) or internet protocol version for the specified node (ipv4|ipv6).
 .TP
 .I                \-r, \-\-range
 MLS/MCS Security Range (MLS/MCS Systems only)
 .TP
 .I                \-R, \-\-role
 SELinux Roles.  You must enclose multiple roles within quotes, separate by spaces. Or specify \-R multiple times.
 .TP
 .I                \-P, \-\-prefix
 SELinux Prefix.  Prefix added to home_dir_t and home_t for labeling users home directories.
 .TP
 .I                \-s, \-\-seuser
 SELinux user name
 .TP
 .I                \-S, \-\-store
 Select and alternate SELinux store to manage
 .TP
 .I                \-t, \-\-type
 SELinux Type for the object
 .TP
 .I                \-i
 Take a set of commands from a specified file and load them in a single
 transaction.

 .SH EXAMPLE
 .nf
 # View SELinux user mappings
 $ semanage user -l
 # Allow joe to login as staff_u
 $ semanage login -a -s staff_u joe
 # Allow the group clerks to login as user_u
 $ semanage login -a -s user_u %clerks
 # Add file-context for everything under /web (used by restorecon)
 $ semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
 # Allow Apache to listen on port 81
 $ semanage port -a -t http_port_t -p tcp 81
 # Change apache to a permissive domain
 $ semanage permissive -a httpd_t
 # Turn off dontaudit rules
 $ semanage dontaudit off
 .fi

 .SH "AUTHOR"
 This man page was written by Daniel Walsh <dwalsh@redhat.com> and
 Russell Coker <rcoker@redhat.com>.
 Examples by Thomas Bleher <ThomasBleher@gmx.de>.
	.TH "semanage" "8" "2005111103" "" ""
	.SH "NAME"
	semanage \- SELinux Policy Management tool

	.SH "SYNOPSIS"
	.B semanage {boolean\|login\|user\|port\|interface\|node\|fcontext} \-{l\|D} [\-n] [\-S store]
	.br
	.B semanage boolean \-{d\|m\|D} [\-\-on\|\-\-off\|\-1\|\-0] -F boolean \| boolean_file
	.br
	.B semanage login \-{a\|d\|m\|D} [\-sr] login_name \| %groupname
	.br
	.B semanage user \-{a\|d\|m\|D} [\-LrRP] selinux_name
	.br
	.B semanage port \-{a\|d\|m\|D} [\-tr] [\-p proto] port \| port_range
	.br
	.B semanage interface \-{a\|d\|m\|D} [\-tr] interface_spec
	.br
	.B semanage node -{a\|d\|m\|D} [-tr] [ -p protocol ] [-M netmask] address
	.br
	.B semanage fcontext \-{a\|d\|m\|D} [\-frst] file_spec
	.br
	.B semanage permissive \-{a\|d} type
	.br
	.B semanage -i command-file
	.br
	.B semanage dontaudit [ on \| off ]
	.P

	.SH "DESCRIPTION"
	semanage is used to configure certain elements of
	SELinux policy without requiring modification to or recompilation
	from policy sources. This includes the mapping from Linux usernames
	to SELinux user identities (which controls the initial security context
	assigned to Linux users when they login and bounds their authorized role set)
	as well as security context mappings for various kinds of objects, such
	as network ports, interfaces, and nodes (hosts) as well as the file
	context mapping. See the EXAMPLES section below for some examples
	of common usage. Note that the semanage login command deals with the
	mapping from Linux usernames (logins) to SELinux user identities,
	while the semanage user command deals with the mapping from SELinux
	user identities to authorized role sets. In most cases, only the
	former mapping needs to be adjusted by the administrator; the latter
	is principally defined by the base policy and usually does not require
	modification.

	.SH "OPTIONS"
	.TP
	.I \-a, \-\-add
	Add a OBJECT record NAME
	.TP
	.I \-d, \-\-delete
	Delete a OBJECT record NAME
	.TP
	.I \-D, \-\-deleteall
	Remove all OBJECTS local customizations
	.TP
	.I \-f, \-\-ftype
	File Type. This is used with fcontext.
	Requires a file type as shown in the mode field by ls, e.g. use -d to match only directories or -- to match only regular files.
	.TP
	.I \-F, \-\-file
	Set multiple records from the input file. When used with the \-l \-\-list, it will output the current settings to stdout in the proper format.

	Currently booleans only.
	.TP
	.I \-h, \-\-help
	display this message
	.TP
	.I \-l, \-\-list
	List the OBJECTS
	.TP
	.I \-C, \-\-locallist
	List only locally defined settings, not base policy settings.
	.TP
	.I \-L, \-\-level
	Default SELinux Level for SELinux use, s0 Default. (MLS/MCS Systems only)
	.TP
	.I \-m, \-\-modify
	Modify a OBJECT record NAME
	.TP
	.I \-n, \-\-noheading
	Do not print heading when listing OBJECTS.
	.TP
	.I \-p, \-\-proto
	Protocol for the specified port (tcp\|udp) or internet protocol version for the specified node (ipv4\|ipv6).
	.TP
	.I \-r, \-\-range
	MLS/MCS Security Range (MLS/MCS Systems only)
	.TP
	.I \-R, \-\-role
	SELinux Roles. You must enclose multiple roles within quotes, separate by spaces. Or specify \-R multiple times.
	.TP
	.I \-P, \-\-prefix
	SELinux Prefix. Prefix added to home_dir_t and home_t for labeling users home directories.
	.TP
	.I \-s, \-\-seuser
	SELinux user name
	.TP
	.I \-S, \-\-store
	Select and alternate SELinux store to manage
	.TP
	.I \-t, \-\-type
	SELinux Type for the object
	.TP
	.I \-i
	Take a set of commands from a specified file and load them in a single
	transaction.

	.SH EXAMPLE
	.nf
	# View SELinux user mappings
	$ semanage user -l
	# Allow joe to login as staff_u
	$ semanage login -a -s staff_u joe
	# Allow the group clerks to login as user_u
	$ semanage login -a -s user_u %clerks
	# Add file-context for everything under /web (used by restorecon)
	$ semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
	# Allow Apache to listen on port 81
	$ semanage port -a -t http_port_t -p tcp 81
	# Change apache to a permissive domain
	$ semanage permissive -a httpd_t
	# Turn off dontaudit rules
	$ semanage dontaudit off
	.fi

	.SH "AUTHOR"
	This man page was written by Daniel Walsh <dwalsh@redhat.com> and
	Russell Coker <rcoker@redhat.com>.
	Examples by Thomas Bleher <ThomasBleher@gmx.de>.