Linux command
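semanage command
Security
Involves pipes, overwriting, or deletion; confirm paths and parameters before running.
Common examples
Set or unset an SELinux boolean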
sudo semanage boolean -m --on|--off [haproxy_connect_any]
Add a file context labeling rule
sudo semanage fcontext -a -t [samba_share_t] '/mnt/share(/.*)?'
Add a port type definition
sudo semanage port -a -t [ssh_port_t] -p [tcp] [22000]
Set or unset permissive mode for a domain
sudo semanage permissive --add|--delete [httpd_t]
Export local customizations to a file
sudo semanage export -f [path/to/file]
Import local customizations from a file
sudo semanage import -f [path/to/file]
Description
semanage is the SELinux Policy Management tool for configuring persistent security policy settings. Unlike setsebool or chcon, changes made with semanage persist across reboots. The tool manages booleans, file contexts, ports, network interfaces, and user mappings. It provides granular control over SELinux policy without requiring policy source modification.
Parameters
- boolean: Manage SELinux booleans.
- fcontext: Manage file context labeling rules.
- port: Manage port type definitions.
- interface: Manage network interface type definitions.
- node: Manage network node type definitions.
- login: Manage mappings between Linux users and SELinux confined users.
- user: Manage SELinux user definitions and their authorized roles.
- module: Manage SELinux policy modules.
- permissive: Manage permissive mode for confined domains.
- dontaudit: Toggle dontaudit rules in the policy.
- export: Export local customizations.
- import: Import local customizations.
- -a, --add: Add a new record.
- -m, --modify: Modify an existing record.
- -d, --delete: Delete a record.
- -l, --list: List records.
- -n, --noheading: Suppress the heading line when listing.
- -C, --locallist: List only local customizations (not base policy records).
- -f _file_: With export, write to this file (long form --output_file); with import, read from it (long form --input_file).
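An added example, not part of the original page: a shell function that summarises a `semanage export` file so it can be reviewed before `semanage import -f` is run. The sample records are constructed and their format is an assumption about typical export output; `sample_export` and `review_export` are hypothetical names.

```shell
#!/bin/sh
# Added example: summarise a `semanage export` file before importing it.
# The record formats handled here are an assumption about typical export output.

# Constructed sample input, not taken from a real system.
sample_export() {
  cat <<'EOF'
boolean -D
port -D
fcontext -D
permissive -D
boolean -m -1 haproxy_connect_any
port -a -t ssh_port_t -r 's0' -p tcp 22000
fcontext -a -f a -t samba_share_t -r 's0' '/mnt/share(/.*)?'
permissive -a httpd_t
EOF
}

# review_export (hypothetical helper): reads export records on stdin and
# prints one finding per record so a reviewer can see what an import changes.
review_export() {
  awk -v q="'" '
    function opt(flag,   i) {   # value that follows a flag such as -t or -p
      for (i = 2; i < NF; i++) if ($i == flag) return $(i + 1)
      return "?"
    }
    { gsub(q, "") }             # strip the single quotes around values
    $2 == "-D"                       { print "WIPE " $1; next }
    $1 == "permissive" && $2 == "-a" { print "PERMISSIVE " $NF; next }
    $1 == "boolean" && $2 == "-m"    { print "BOOLEAN " $NF "=" ($3 == "-1" ? "on" : "off"); next }
    $1 == "port" && $2 == "-a"       { print "PORT " opt("-p") "/" $NF " " opt("-t"); next }
    $1 == "fcontext" && $2 == "-a"   { print "FCONTEXT " $NF " " opt("-t"); next }
    NF                               { print "OTHER " $0 }
  '
}

sample_export | review_export
```

A WIPE line means the import first deletes every existing local customization of that record type, and a PERMISSIVE line means SELinux will log but no longer enforce denials for that domain. Paths containing spaces are not handled by this sketch.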