semanage: command not found

An SELinux security policy defines access parameters for every process and resource on the system. It enforces rules for allowing or denying different domains and types to access each other. Using semanage, we can list, edit, add, or delete the different values in the policy, and even export and import our customizations.

Let’s look at an example and list the ports that httpd_t can access:

# semanage port -l | grep http
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000

As we can see, http_port_t, the port type used by the Apache daemon, is allowed by default to use ports 80, 81, 443, 488, 8008, 8009, 8443, and 9000 over TCP. That means that if we want to run Apache on any of those ports, no changes to the policy are required.
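As an added example (not part of the original page), the shell functions below parse the `semanage port -l` output format shown above, including ranges such as 10001-10010, to tell whether a port is already labeled for a given type. The function names are hypothetical and the embedded sample is copied from the listing above.

```shell
#!/bin/sh
# Constructed sample: the `semanage port -l | grep http` output shown above.
SAMPLE_OUTPUT='http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000'

# port_types PROTO PORT  (hypothetical helper)
# Reads `semanage port -l` lines on stdin and prints every SELinux port type
# whose definition covers PORT for PROTO, handling single ports and ranges.
port_types() {
    awk -v proto="$1" -v port="$2" '
        $2 == proto {
            # Fields 3..NF are the port list: "80," "81," ... "10001-10010"
            for (i = 3; i <= NF; i++) {
                entry = $i
                sub(/,$/, "", entry)              # drop the trailing comma
                n = split(entry, r, "-")          # n == 2 means low-high range
                lo = r[1] + 0
                hi = (n == 2 ? r[2] : r[1]) + 0
                if (port + 0 >= lo && port + 0 <= hi) { print $1; break }
            }
        }'
}

# needs_policy_change TYPE PROTO PORT  (hypothetical helper)
# Succeeds (exit 0) when PORT is NOT already labeled TYPE, meaning a local
# customization is needed before a daemon using TYPE can bind to it.
needs_policy_change() {
    ! port_types "$2" "$3" | grep -qx "$1"
}

# Demo on the constructed sample: 8443 is already covered, 8081 is not.
# On a live system, pipe `semanage port -l` in instead of the sample.
for p in 8443 8081; do
    if printf '%s\n' "$SAMPLE_OUTPUT" | needs_policy_change http_port_t tcp "$p"; then
        echo "tcp/$p: not labeled http_port_t; add with: semanage port -a -t http_port_t -p tcp $p"
    else
        echo "tcp/$p: already labeled http_port_t"
    fi
done
```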

Running semanage without arguments shows the subcommands it supports, such as the following:

  • import: This allows the importing of local modifications.
  • export: This allows the exporting of local changes.
  • login: This allows the login and SELinux user associations to be managed.
  • user: This manages SELinux users with roles and levels.
  • port: This manages port definitions and types.
  • ibpkey: This manages InfiniBand definitions.
  • ibendport: This manages end port InfiniBand definitions.
  • interface: This defines network interface definitions.
  • module: This manages policy modules for SELinux.
  • node: This manages definitions of network nodes.
  • fcontext: This manages file context definitions.
  • boolean: This manages Booleans for tweaking policies.
  • permissive: This manages the enforcing mode.
  • dontaudit: This manages the dontaudit rules in the policy.

If you encounter the below error while running the semanage command:

semanage: command not found

you may try installing the below package as per your choice of distribution:

OS Distribution   Command
Debian            apt-get install policycoreutils-python-utils
Ubuntu            apt-get install policycoreutils-python-utils
Kali Linux        apt-get install policycoreutils-python-utils
CentOS            yum install policycoreutils-python
Fedora            dnf install policycoreutils-python-utils
Raspbian          apt-get install policycoreutils-python-utils

semanage Command Examples

1. Output local customizations:

# semanage -S store -o path/to/output_file

2. Take a set of commands from a specified file and load them in a single transaction:

# semanage -S store -i path/to/input_file

3. Manage booleans. Booleans allow the administrator to modify the confinement of processes based on the current configuration:

# semanage boolean -S store --delete|--modify|--list|--noheading|--deleteall --on|--off -F boolean|boolean_file

4. Manage policy modules:

# semanage module -S store --add|--delete|--list|--modify --enable|--disable module_name

5. Disable/Enable dontaudit rules in policy:

# semanage dontaudit -S store on|off