diff --git a/tldr/linux/getenforce b/tldr/linux/getenforce index a9890a7d..40a7f0a0 100644 --- a/tldr/linux/getenforce +++ b/tldr/linux/getenforce @@ -6,6 +6,7 @@ source: https://github.com/tldr-pages/tldr.git # getenforce > Get the current mode of SELinux (i.e. enforcing, permissive, or disabled). +> See also: `setenforce`, `semanage-permissive`. > More information: . - Display the current mode of SELinux: diff --git a/tldr/linux/getsebool b/tldr/linux/getsebool new file mode 100644 index 00000000..f87024b3 --- /dev/null +++ b/tldr/linux/getsebool @@ -0,0 +1,22 @@ +--- +syntax: markdown +tags: [tldr, linux] +source: https://github.com/tldr-pages/tldr.git +--- +# getsebool + +> Get SELinux boolean value. +> See also: `semanage-boolean`, `setsebool`. +> More information: . + +- Show the current setting of a boolean: + +`getsebool {{httpd_can_connect_ftp}}` + +- Show the current setting of [a]ll booleans: + +`getsebool -a` + +- Show the current setting of all booleans with explanations: + +`sudo semanage boolean {{-l|--list}}` diff --git a/tldr/linux/semanage b/tldr/linux/semanage index 92748132..a7502e92 100644 --- a/tldr/linux/semanage +++ b/tldr/linux/semanage @@ -6,6 +6,7 @@ source: https://github.com/tldr-pages/tldr.git # semanage > SELinux persistent policy management tool. +> Some subcommands such as `boolean`, `fcontext`, `port`, etc. have their own usage documentation. > More information: . - Set or unset a SELinux boolean. Booleans allow the administrator to customize how policy rules affect confined process types (a.k.a domains): diff --git a/tldr/linux/semanage-boolean b/tldr/linux/semanage-boolean new file mode 100644 index 00000000..69b4633a --- /dev/null +++ b/tldr/linux/semanage-boolean 
@@ -0,0 +1,22 @@ +--- +syntax: markdown +tags: [tldr, linux] +source: https://github.com/tldr-pages/tldr.git +--- +# semanage boolean + +> Manage persistent SELinux boolean settings. +> See also: `semanage` for managing SELinux policies, `getsebool` for checking boolean values, and `setsebool` for applying non-persistent boolean settings. +> More information: . + +- List all booleans settings: + +`sudo semanage boolean {{-l|--list}}` + +- List all user-defined boolean settings without headings: + +`sudo semanage boolean {{-l|--list}} {{-C|--locallist}} {{-n|--noheading}}` + +- Set or unset a boolean persistently: + +`sudo semanage boolean {{-m|--modify}} {{-1|--on|-0|--off}} {{haproxy_connect_any}}` diff --git a/tldr/linux/semanage-permissive b/tldr/linux/semanage-permissive new file mode 100644 index 00000000..27ba1487 --- /dev/null +++ b/tldr/linux/semanage-permissive @@ -0,0 +1,19 @@ +--- +syntax: markdown +tags: [tldr, linux] +source: https://github.com/tldr-pages/tldr.git +--- +# semanage permissive + +> Manage persistent SELinux permissive domains. +> Note that this effectively makes the process unconfined. For long-term use, it is recommended to configure SELiunx properly. +> See also: `semanage`, `getenforce`, `setenforce`. +> More information: . + +- List all process types (a.k.a domains) that are in permissive mode: + +`sudo semanage permissive {{-l|--list}}` + +- Set or unset permissive mode for a domain: + +`sudo semanage permissive {{-a|--add|-d|--delete}} {{httpd_t}}` diff --git a/tldr/linux/semanage-port b/tldr/linux/semanage-port new file mode 100644 index 00000000..2eef19cf --- /dev/null +++ b/tldr/linux/semanage-port 
@@ -0,0 +1,26 @@ +--- +syntax: markdown +tags: [tldr, linux] +source: https://github.com/tldr-pages/tldr.git +--- +# semanage port + +> Manage persistent SELinux port definitions. +> See also: `semanage`. +> More information: . + +- List all port labeling rules: + +`sudo semanage port {{-l|--list}}` + +- List all user-defined port labeling rules without headings: + +`sudo semanage port {{-l|--list}} {{-C|--locallist}} {{-n|--noheading}}` + +- Add a user-defined rule that assigns a label to a protocol-port pair: + +`sudo semanage port {{-a|--add}} {{-t|--type}} {{ssh_port_t}} {{-p|--proto}} {{tcp}} {{22000}}` + +- Delete a user-defined rule using its protocol-port pair: + +`sudo semanage port {{-d|--delete}} {{-p|--proto}} {{udp}} {{11940}}` diff --git a/tldr/linux/setenforce b/tldr/linux/setenforce new file mode 100644 index 00000000..13649f42 --- /dev/null +++ b/tldr/linux/setenforce @@ -0,0 +1,19 @@ +--- +syntax: markdown +tags: [tldr, linux] +source: https://github.com/tldr-pages/tldr.git +--- +# setenforce + +> Toggle SELinux between enforcing and permissive modes. +> To enable or disable SELinux, edit `/etc/selinux/config` instead. +> See also: `getenforce`, `semanage-permissive`. +> More information: . + +- Put SELinux in enforcing mode: + +`setenforce {{1|Enforcing}}` + +- Put SELiunx in permissive mode: + +`setenforce {{0|Permissive}}` diff --git a/tldr/linux/setsebool b/tldr/linux/setsebool new file mode 100644 index 00000000..f54bfc23 --- /dev/null +++ b/tldr/linux/setsebool 
@@ -0,0 +1,30 @@ +--- +syntax: markdown +tags: [tldr, linux] +source: https://github.com/tldr-pages/tldr.git +--- +# setsebool + +> Set SELinux boolean value. +> See also: `semanage-boolean`, `getsebool`. +> More information: . + +- Show the current setting of [a]ll booleans: + +`getsebool -a` + +- Set or unset a boolean temporarily (non-persistent across reboot): + +`sudo setsebool {{httpd_can_network_connect}} {{1|true|on|0|false|off}}` + +- Set or unset a boolean [p]ersistently: + +`sudo setsebool -P {{container_use_devices}} {{1|true|on|0|false|off}}` + +- Set or unset multiple booleans [p]ersistently at once: + +`sudo setsebool -P {{ftpd_use_fusefs=1 mount_anyfile=0 ...}}` + +- Set or unset a boolean persistently (alternative method using `semanage-boolean`): + +`sudo semanage boolean {{-m|--modify}} {{-1|--on|-0|--off}} {{haproxy_connect_any}}`
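Review bot: In tldr/linux/getsebool, the third example (`sudo semanage boolean {{-l|--list}}`) is not a `getsebool` invocation and repeats the first example of the new semanage-boolean page. Since `semanage-boolean` is already listed under "See also", consider dropping it here so the page only documents `getsebool` itself.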
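Review bot: In tldr/linux/semanage, the added description line names `fcontext` as a subcommand with its own documentation, but this patch only adds pages for `boolean`, `permissive` and `port`. Please confirm a `semanage-fcontext` page exists or remove it from the list, and consider listing `permissive` since its page is added here. "such as ... etc." is also redundant; one of the two is enough.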
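Review bot: In tldr/linux/semanage-boolean, the first example description reads "List all booleans settings"; it should be "List all boolean settings", matching the wording of the second example ("user-defined boolean settings").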
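Review bot: In tldr/linux/semanage-permissive, the note line misspells SELinux as "SELiunx" ("configure SELiunx properly"). The same line refers to "the process" while the description and examples speak of domains (process types); wording it as "processes in that domain" would keep the page consistent.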
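Review bot: In tldr/linux/setenforce, both examples call `setenforce` without `sudo`, while every other state-changing command in this patch (`setsebool`, `semanage boolean`, `semanage port`, `semanage permissive`) is shown with `sudo`. Switching the mode requires root, so the examples should be prefixed the same way. The second example's description also misspells SELinux as "SELiunx".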
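Review bot: In tldr/linux/setsebool, the first example (`getsebool -a`) and the last one (`sudo semanage boolean ...`) document other commands that get their own pages in this patch and are already listed under "See also". Dropping them leaves room for the three `setsebool` examples and avoids keeping the same command line in sync across two pages. If the `semanage boolean` alternative stays, its description should say how it differs from `setsebool -P`, since both are described as persistent.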