semanage.conf(5)         Linux System Administration        semanage.conf(5)

NAME         top

       semanage.conf  - global configuration file for the SELinux Management

DESCRIPTION         top

       The semanage.conf file is usually located under the directory
       /etc/selinux and it is used for run-time configuration of the
       behavior of the SELinux Management library.

       Each line should contain a configuration parameter followed by the
       equal sign ("=") and then followed by the configuration value for
       that parameter. Anything after the "#" symbol is ignored similarly to
       empty lines.

       The following parameters are allowed:

                     Specify how the SELinux Management library should
                     interact with the SELinux policy store. When set to
                     "direct", the SELinux Management library writes to the
                     SELinux policy module store directly (this is the
                     default setting).  Otherwise a socket path or a server
                     name can be used for the argument.  If the argument
                     begins with "/" (as in "/foo/bar"), it represents the
                     path to a named socket that should be used to connect
                     the policy management server.  If the argument does not
                     begin with a "/" (as in ""), it should be
                     interpreted as the name of a remote policy management
                     server to be used through a TCP connection (default
                     port is 4242 unless a different one is specified after
                     the server name using the colon to separate the two

              root   Specify an alternative root path to use for the store.
                     The default is "/"

                     Specify an alternative store_root path to use. The
                     default is "/var/lib/selinux"

                     Specify an alternative directory that contains HLL to
                     CIL compilers. The default value is

                     Whether or not to ignore the cache of CIL modules
                     compiled from HLL. It can be set to either "true" or
                     "false" and is set to "false" by default.  If the cache
                     is ignored, then all CIL modules are recompiled from
                     their HLL modules.

                     When generating the policy, by default semanage will
                     set the policy version to POLICYDB_VERSION_MAX, as
                     defined in <sepol/policydb/policydb.h>. Change this
                     setting if a different version needs to be set for the

                     The target platform to generate policies for. Valid
                     values are "selinux" and "xen", and is set to "selinux"
                     by default.

                     Whether or not to check "neverallow" rules when
                     executing all semanage command. It can be set to either
                     "0" (disabled) or "1" (enabled) and by default it is
                     enabled. There might be a large penalty in execution
                     time if this option is enabled.

                     By default the permission mode for the run-time policy
                     files is set to 0644.

                     It controls whether the previous module directory is
                     saved after a successful commit to the policy store and
                     it can be set to either "true" or "false". By default
                     it is set to "false" (the previous version is deleted).

                     It controls whether the previously linked module is
                     saved (with name "base.linked") after a successful
                     commit to the policy store.  It can be set to either
                     "true" or "false" and by default it is set to "false"
                     (the previous module is deleted).

                     List, separated by ";",  of directories to ignore when
                     setting up users homedirs.  Some distributions use this
                     to stop labeling /root as a homedir.

                     Whether or not to enable the use getpwent() to obtain a
                     list of home directories to label. It can be set to
                     either "true" or "false".  By default it is set to

                     It controls whether or not the genhomedircon function
                     is executed when using the semanage command and it can
                     be set to either "false" or "true". By default the
                     genhomedircon functionality is enabled (equivalent to
                     this option set to "false").

                     This option controls the kernel behavior for handling
                     permissions defined in the kernel but missing from the
                     actual policy.  It can be set to "deny", "reject" or

                     It should be in the range 0-9. A value of 0 means no
                     compression. By default the bzip block size is set to 9
                     (actual block size value is obtained after
                     multiplication by 100000).

                     When set to "true", the bzip algorithm shall try to
                     reduce its system memory usage. It can be set to either
                     "true" or "false" and by default it is set to "false".

                     When set to "true", HLL files will be removed after
                     compilation into CIL. In order to delete HLL files
                     already compiled into CIL, modules will need to be
                     recompiled with the ignore-module-cache option set to
                     'true' or using the ignore-module-cache option with
                     semodule. The remove-hll option can be set to either
                     "true" or "false" and by default it is set to "false".

                     Please note that since this option deletes all HLL
                     files, an updated HLL compiler will not be able to
                     recompile the original HLL file into CIL.  In order to
                     compile the original HLL file into CIL, the same HLL
                     file will need to be reinstalled.

SEE ALSO         top


AUTHOR         top

       This manual page was written by Guido Trentalancia

       The SELinux management library was written by Tresys Technology LLC
       and Red Hat Inc.

COLOPHON         top

       This page is part of the selinux (Security-Enhanced Linux user-space
       libraries and tools) project.  Information about the project can be
       found at ⟨⟩.  If you
       have a bug report for this manual page, see 
       ⟨⟩.  This
       page was obtained from the project's upstream Git repository 
       ⟨⟩ on 2017-03-13.  If you
       discover any rendering problems in this HTML version of the page, or
       you believe there is a better or more up-to-date source for the page,
       or you have corrections or improvements to the information in this
       COLOPHON (which is not part of the original manual page), send a mail

semanage.conf                  September 2011               semanage.conf(5)