Persistently map files, ports and domains to SELinux types so services work without denials.

01.07.2026

When a service is blocked by SELinux, `semanage` is the tool for making persistent policy changes that bind the right labels to files, ports and domains, so the denial does not return after a reboot or relabel.

Map a web directory to httpd

Example: create a new web directory and give it the httpd content label so Apache can serve it. Run the three steps below to add the file context, apply it and verify:

```bash
# Create the directory that Apache should serve
sudo mkdir -p /srv/www/newsite
# Add the persistent file-context mapping
sudo semanage fcontext -a -t httpd_sys_content_t '/srv/www/newsite(/.*)?'
# Apply the mapping to the existing files
sudo restorecon -Rv /srv/www/newsite
# Verify the label on the directory
sudo ls -Zd /srv/www/newsite
```

The sequence adds the persistent mapping, relabels existing files and shows the new SELinux context, for example:

```
restorecon reset /srv/www/newsite context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
/srv/www/newsite system_u:object_r:httpd_sys_content_t:s0
```

Key commands and flags

Use `semanage -a` to add, `-m` to modify, `-d` to delete and `-l` to list entries. Target objects include `fcontext`, `port`, `boolean`, `login`, `user`, `interface`, `permissive` and `node`. For example, to open TCP port 8080 for http, run `semanage port -a -t http_port_t -p tcp 8080`. Remember that `semanage` updates the store but does not relabel files automatically unless you run `restorecon` or recreate the files.

Tools that finish the job

`semanage` manages the persistent mappings, but you will often run `restorecon` to apply labels to files and `chcon` for one-off changes. Use `semanage boolean` to toggle policy booleans, `setenforce`/`getenforce` to change or check the SELinux mode, and `audit2why` to interpret AVC denials when troubleshooting.
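The choice between `semanage port -a` and `-m` described under the key commands can be made from the `semanage port -l` listing. The script below is an added example, not part of the original article; its function names and the sample listing are constructed, and it assumes that `semanage` treats a single port and a range as separate records, so only exact entries are matched.

```shell
#!/usr/bin/env bash
# Added example: pick `semanage port -a` or `-m` from a port listing.

# Constructed sample in the column layout of `semanage port -l`
# (type, protocol, comma-separated ports); not captured from a real host.
SAMPLE_LISTING='SELinux Port Type              Proto    Port Number

http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22'

# port_type LISTING PROTO PORT -> prints the type holding an exact entry for
# PROTO/PORT, or nothing. Assumption: a range such as 10001-10010 is a
# separate record from the single port 10005, so ranges are not expanded.
port_type() {
    printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
        NR > 1 && $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)      # strip the list separator
                if (p == port) { print $1; exit }
            }
        }'
}

# plan_port_cmd LISTING PROTO PORT TYPE -> prints the command to run,
# or "ok" when the port already carries the wanted type.
plan_port_cmd() {
    _cur=$(port_type "$1" "$2" "$3")
    if [ -z "$_cur" ]; then
        echo "semanage port -a -t $4 -p $2 $3"   # no entry yet: add
    elif [ "$_cur" = "$4" ]; then
        echo "ok"                                # already mapped
    else
        echo "semanage port -m -t $4 -p $2 $3"   # entry exists: modify
    fi
}

# On a real host, pass the live listing instead of the sample:
#   plan_port_cmd "$(sudo semanage port -l)" tcp 8080 http_port_t
plan_port_cmd "$SAMPLE_LISTING" tcp 8080 http_port_t
```

With the constructed listing, port 8080 already has an entry under another type, so the script prints the `-m` form rather than the `-a` form.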
Next steps

Practice creating and inspecting file contexts on a sandbox system, try adding a custom port and a permissive domain, and then build a checklist of common `semanage` tasks. To deepen practical knowledge, pursue further Linux security study and consider exam preparation at bitsandbytes.academy for certifications such as CompTIA Linux+ or LPIC-1.

This article was created with the help of AI.