semanage Command Generator
Generate semanage commands to manage SELinux policy mappings (fcontext, login, user, port, boolean)
Getting Started with semanage
## What is semanage?
`semanage` manages SELinux policy mappings — the labels that tell the kernel what a process, file, port, or login user is *allowed* to do. It does not toggle the enforcing/permissive mode itself (that is `setenforce`); instead it configures the persistent mappings that the SELinux policy uses.
## How to Use
1. **Pick an object**: `fcontext` (file labels), `login` (Linux-user → SELinux-user mapping), `user`, `port`, or `boolean`.
2. **Pick an action**: `add` (`-a`), `modify` (`-m`), `delete` (`-d`), or `list` (`-l`).
3. **Set the SELinux type** (`-t`) and the **value** (path regex, port, user, etc.).
4. **Apply the file context**: For `fcontext` changes, run `restorecon` afterward so existing files are relabeled.
5. **Copy & Run**: Prefix with `sudo`.
## Objects, Actions & Options
### `fcontext` File-context mappings
Bind a path regex to an SELinux type, e.g. `semanage fcontext -a -t httpd_sys_content_t '/web(/.*)?'`. The rule only records the mapping; after adding or modifying one, run `restorecon -Rv /path` to relabel existing files.
### `login` Linux-user → SELinux-user mapping
Map a Linux login (or `__default__`) to an SELinux user, e.g. `semanage login -a -s user_u john`.
### `user` SELinux users
Create or modify SELinux users and the roles they can take on.
### `port` Port → type mappings
Label a network port so a confined service may bind to it: `semanage port -a -t http_port_t -p tcp 8080`.
### `boolean` Policy booleans
Toggle a named boolean on or off to flip a policy behavior (`semanage boolean -m --on httpd_can_network_connect`).
### Actions `-a` / `-m` / `-d` / `-l`
Add a new mapping, modify an existing one, delete one, or list current mappings.
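The `port` and action entries above, as an added example that is not part of the original page or of the semanage project: `semanage port -a` is rejected when the port already has an exact entry in policy, so this script reads `semanage port -l` output and picks `-a` or `-m` before printing the command. The listing is constructed sample data, and the function names `port_action` and `semanage_port_cmd` are hypothetical.

```shell
#!/bin/sh
# Added example: choose -a or -m for `semanage port` from `semanage port -l` output.

# Constructed sample listing (real input would come from: sudo semanage port -l).
SAMPLE_LISTING='SELinux Port Type              Proto    Port Number

http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22'

# port_action TYPE PROTO PORT   (listing on stdin)
# Prints "ok" if PORT already carries TYPE, "-m" if it has an exact entry under
# another type, "-a" if it has no exact entry. Range entries such as
# 10001-10010 are never matched (simplification in this example).
port_action() {
  awk -v want="$1" -v proto="$2" -v port="$3" '
    NF >= 3 && $2 == proto {
      for (i = 3; i <= NF; i++) {
        p = $i; sub(/,$/, "", p)          # strip the list separator
        if (p == port) { found = 1; if ($1 == want) same = 1 }
      }
    }
    END { print (same ? "ok" : (found ? "-m" : "-a")) }'
}

# semanage_port_cmd TYPE PROTO PORT   (listing on stdin)
# Validates the inputs, then prints the command to run; prints nothing when
# the mapping already exists. Returns 2 on invalid input.
semanage_port_cmd() {
  type=$1 proto=$2 port=$3
  case $type in ''|*[!A-Za-z0-9_]*) echo "bad type: $type" >&2; return 2 ;; esac
  case $proto in tcp|udp) ;; *) echo "bad protocol: $proto" >&2; return 2 ;; esac
  case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 2 ;; esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 2; }
  action=$(port_action "$type" "$proto" "$port")
  [ "$action" = ok ] || printf 'sudo semanage port %s -t %s -p %s %s\n' "$action" "$type" "$proto" "$port"
}

# 8080 is listed under http_cache_port_t in the sample, so -m is chosen;
# 8081 has no entry, so -a is chosen.
printf '%s\n' "$SAMPLE_LISTING" | semanage_port_cmd http_port_t tcp 8080
printf '%s\n' "$SAMPLE_LISTING" | semanage_port_cmd http_port_t tcp 8081
```

On a real host, replace the sample with `sudo semanage port -l | semanage_port_cmd http_port_t tcp 8080`.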