[Want to try out Red Hat Enterprise Linux? Download it now for free.]
There are many excellent man pages for the confined domains included with SELinux policy. These man pages describe booleans and context types for each domain. They also include sample semanage
commands for adding context mappings, changing booleans, and more.
Unfortunately for the sysadmin getting started with SELinux configuration, these man pages are often not installed by default. The SELinux policy man pages are available from two locations. The upstream Reference Policy repo has a handful of pre-built man pages. The rest can be generated from the policy content with a tool found in the policycoreutils-devel
package.
Install from a distribution package
Some distributions pre-generate the man pages and package them to make the documentation easy to add to your system. Fedora, CentOS, and Red Hat Enterprise Linux 8 all include an selinux-policy-doc.noarch
package in their base repositories. This package is not installed by default, but is easy to add with a yum
or dnf
command:
$ sudo yum install selinux-policy-doc.noarch
Red Hat Enterprise Linux 7 has this package as well, but it is in the "Optional" repo which is not enabled by default. Either enable the repo permanently with subscription-manager
:
$ sudo subscription-manager repo --enable=rhel-7-server-optional-rpms
or just add the repo temporarily during the installation:
$ sudo yum --enablerepo=rhel-7-server-optional-rpms install selinux-policy-doc.noarch
Now that the SELinux domain documentation is available, search for the relevant pages with:
$ man -k _selinux
Note: After installing the docs package you may also need to update the man page index cache before seeing the results from search:
$ sudo mandb
Generate man pages from the policy
If the docs package is not available, or if you only want to generate a man page for a specific domain, you can also build the man pages from the policy. First, install the devel
packages and their dependencies:
$ sudo yum install policycoreutils-devel
Then, use the sepolicy
command to generate a specific man page by specifying the domain type (the SELinux context type associated with the running process that is being contained). For example:
$ sepolicy manpage -d httpd_t
The resulting man page will be generated in the /tmp
directory and can be viewed by name:
$ man /tmp/httpd_selinux.8
There are options for the sepolicy manpage
command to override the output location (--path
), generate an html version (--web
), or generate all (--all
) pages. To see these and other options, use:
$ man sepolicy-manpage
As long as a user has write privileges to the output path, they can generate and view a man page.
Preview the magic of these man pages
The SELinux man pages for domain types all have a common layout. As with any set of man pages, the more man pages you read, the easier it is to scan or speed read the next one.
Each man page starts with the expected NAME and DESCRIPTION fields of any man page. The SELinux domain man pages then include the sections ENTRYPOINTS and PROCESS TYPES. (Entrypoints are the types assigned to the executable files, which when launched as daemons transition to the confined process types.)
Not all process types are daemons though, some may be interactive executables. For example, sshd_exec_t
is an entrypoint which transitions to the sshd_t
process type. In addition, sshd_t
, ssh_t
, and ssh_keygen_t
and are also examples of process types.
Process types are also known as domain types and are the types that can be placed into permissive mode with the semanage
command.
After any entrypoint and process type sections, the SELinux domain man page has sections for any BOOLEANS, PORT TYPES, MANAGED FILES, and FILE CONTEXTS that apply to that domain. These sections define keywords and provide samples for modifications that can be made with the semanage
command. Enabling a boolean allows a different rule set for different use cases. File and port context modifications allow a system to be configured to hold data in a non-default location or run on a non-default port.
Each man page ends with a list of COMMANDS referenced in the man page and the traditional man page AUTHOR and SEE ALSO sections.
Start exploring
With the targeted
policy, the httpd
domain page is probably the longest, since that domain has the most booleans and file types to describe. It was also one of the first domains confined in the history of the SELinux targeted
policy.
Start with a domain that is familiar to you such as sshd
, httpd
, or ntpd
. Then search for domains that are relevant to your environment. After installing the selinux-docs
package, I have over 850 man pages to explore on my system!
And remember, keep SELinux enforcing! (Here's how.)
About the author
Susan Lauber is a Consultant and Technical Trainer with her own company, Lauber System Solutions, Inc. She has over 25 years of experience working with Information Systems and specializes in Open Source technologies, specifically platform and data center installation, interoperability, automation, and security.
Susan is always an open source advocate and ambassador of projects she follows. She contributes to projects mostly by way of documentation and QA processes. She has contributed to Fedora Magazine and Opensource.com and is the author of "Linux Command Line Complete Video Course" (2016, Prentice Hall).
Susan is an independent instructor for several companies and holds an alphabet of certifications in those products. She is also a Certified Information Systems Security Professional (CISSP) and a Certified Technical Trainer (CTT). She has been a Red Hat Certified Instructor since 1999 and a co-author and contributor to several Red Hat Training student guides.
Follow her on twitter @laubersm to see what she is reading. Posts include a variety of technology topics as well as some travel, animals, sports, and other randomness.
More like this
Browse by channel
Automation
The latest on IT automation for tech, teams, and environments
Artificial intelligence
Updates on the platforms that free customers to run AI workloads anywhere
Open hybrid cloud
Explore how we build a more flexible future with hybrid cloud
Security
The latest on how we reduce risks across environments and technologies
Edge computing
Updates on the platforms that simplify operations at the edge
Infrastructure
The latest on the world’s leading enterprise Linux platform
Applications
Inside our solutions to the toughest application challenges
Original shows
Entertaining stories from the makers and leaders in enterprise tech
Products
- Red Hat Enterprise Linux
- Red Hat OpenShift
- Red Hat Ansible Automation Platform
- Cloud services
- See all products
Tools
- Training and certification
- My account
- Customer support
- Developer resources
- Find a partner
- Red Hat Ecosystem Catalog
- Red Hat value calculator
- Documentation
Try, buy, & sell
Communicate
About Red Hat
We’re the world’s leading provider of enterprise open source solutions—including Linux, cloud, container, and Kubernetes. We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.
Select a language
Red Hat legal and privacy links
- About Red Hat
- Jobs
- Events
- Locations
- Contact Red Hat
- Red Hat Blog
- Diversity, equity, and inclusion
- Cool Stuff Store
- Red Hat Summit