Examples
--------
#### Quick command list
# Reference list, not a script: each command is demonstrated with its output
# in the sections below. Do not run the lines top to bottom (the -a rule would
# be deleted again by the -d line that follows it).

# Show the SELinux context (label) of the directory itself
ls -laZd /webcontent/
# List the file-context rules in the policy that assign httpd_sys_content_t
semanage fcontext -l | grep httpd_sys_content_t
# Add (-a) a file-context rule for /webcontent and everything beneath it.
# This only records the rule; the label on disk changes when restorecon runs.
semanage fcontext -a -t httpd_sys_content_t '/webcontent(/.*)?'
# Delete (-d) that rule; the label on disk likewise stays until restorecon runs
semanage fcontext -d -t httpd_sys_content_t '/webcontent(/.*)?'
# Reset labels to what the policy rules say (-R recursive, -F force, -vv verbose)
restorecon -vvFR /webcontent/
# Set the type by hand. Not recorded in the policy, so the next restorecon
# puts the policy's label back.
chcon -t httpd_sys_content_t /webcontent/

# Label tcp/8001 as http_port_t; fails with "already defined" when the port
# already carries a label
semanage port -a -t http_port_t -p tcp 8001
# List the port labels whose type name contains "http"
semanage port -l | grep http

# Show current state and default for the httpd CGI boolean, plus the header row
# NOTE: egrep is deprecated in recent GNU grep; grep -E is the equivalent
semanage boolean -l | egrep "(^SELinux|http.*cgi)"
# Show only the current state of the boolean
getsebool httpd_enable_cgi
# -P changes the default in the policy as well as the current state
setsebool -P httpd_enable_cgi=off
# Without -P only the current state changes; the default is left as it was
setsebool httpd_enable_cgi=off


#### List all ports related to http in default policy
[root@localhost ~]# semanage port -l | grep http
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t            tcp      5988
pegasus_https_port_t           tcp      5989

#### Add a label to a port unsuccessfully and successfully
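# Port 8000 is already defined under a different label, so -a (add) fails;
# changing the type of an already-defined port would take -m (modify) instead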
[root@localhost ~]# semanage port -a -t http_port_t -p tcp 8000
ValueError: Port tcp/8000 already defined
[root@localhost ~]# semanage port -l | grep 8000
soundd_port_t                  tcp      8000, 9433, 16001

# Let's try 8001
[root@localhost ~]# semanage port -a -t http_port_t -p tcp 8001

# Success: SELinux now allows httpd to listen on port 8001
# (httpd's own configuration still has to tell it to listen there)
[root@localhost ~]# semanage port -l | grep http
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      8001, 80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t            tcp      5988
pegasus_https_port_t           tcp      5989


#### List all locations with httpd_sys_content_t label in default policy
# The default policy allows httpd to serve content from any of these locations
# Note that some of the entries have regular expressions in them
[root@localhost ~]# semanage fcontext -l | grep httpd_sys_content_t
/etc/htdig(/.*)?                                   all files          system_u:object_r:httpd_sys_content_t:s0
/srv/([^/]*/)?www(/.*)?                            all files          system_u:object_r:httpd_sys_content_t:s0
/srv/gallery2(/.*)?                                all files          system_u:object_r:httpd_sys_content_t:s0
/usr/share/doc/ghc/html(/.*)?                      all files          system_u:object_r:httpd_sys_content_t:s0
/usr/share/drupal.*                                all files          system_u:object_r:httpd_sys_content_t:s0
/usr/share/glpi(/.*)?                              all files          system_u:object_r:httpd_sys_content_t:s0
/usr/share/htdig(/.*)?                             all files          system_u:object_r:httpd_sys_content_t:s0
/usr/share/icecast(/.*)?                           all files          system_u:object_r:httpd_sys_content_t:s0
/usr/share/ntop/html(/.*)?                         all files          system_u:object_r:httpd_sys_content_t:s0
/usr/share/openca/htdocs(/.*)?                     all files          system_u:object_r:httpd_sys_content_t:s0
/usr/share/selinux-policy[^/]*/html(/.*)?          all files          system_u:object_r:httpd_sys_content_t:s0
/usr/share/z-push(/.*)?                            all files          system_u:object_r:httpd_sys_content_t:s0
/var/lib/cacti/rra(/.*)?                           all files          system_u:object_r:httpd_sys_content_t:s0
/var/lib/htdig(/.*)?                               all files          system_u:object_r:httpd_sys_content_t:s0
/var/lib/trac(/.*)?                                all files          system_u:object_r:httpd_sys_content_t:s0
/var/www(/.*)?                                     all files          system_u:object_r:httpd_sys_content_t:s0
/var/www/icons(/.*)?                               all files          system_u:object_r:httpd_sys_content_t:s0
/var/www/svn/conf(/.*)?                            all files          system_u:object_r:httpd_sys_content_t:s0

#### Add a new location from where httpd can serve content
# Write new entry into default policy
[root@localhost ~]# semanage fcontext -a -t httpd_sys_content_t '/webcontent(/.*)?'
[root@localhost ~]# semanage fcontext -l | grep httpd_sys_content_t
/etc/htdig(/.*)?                                   all files          system_u:object_r:httpd_sys_content_t:s0
/srv/([^/]*/)?www(/.*)?                            all files          system_u:object_r:httpd_sys_content_t:s0
/srv/gallery2(/.*)?                                all files          system_u:object_r:httpd_sys_content_t:s0
/usr/share/doc/ghc/html(/.*)?                      all files          system_u:object_r:httpd_sys_content_t:s0
/usr/share/drupal.*                                all files          system_u:object_r:httpd_sys_content_t:s0
/usr/share/glpi(/.*)?                              all files          system_u:object_r:httpd_sys_content_t:s0
/usr/share/htdig(/.*)?                             all files          system_u:object_r:httpd_sys_content_t:s0
/usr/share/icecast(/.*)?                           all files          system_u:object_r:httpd_sys_content_t:s0
/usr/share/ntop/html(/.*)?                         all files          system_u:object_r:httpd_sys_content_t:s0
/usr/share/openca/htdocs(/.*)?                     all files          system_u:object_r:httpd_sys_content_t:s0
/usr/share/selinux-policy[^/]*/html(/.*)?          all files          system_u:object_r:httpd_sys_content_t:s0
/usr/share/z-push(/.*)?                            all files          system_u:object_r:httpd_sys_content_t:s0
/var/lib/cacti/rra(/.*)?                           all files          system_u:object_r:httpd_sys_content_t:s0
/var/lib/htdig(/.*)?                               all files          system_u:object_r:httpd_sys_content_t:s0
/var/lib/trac(/.*)?                                all files          system_u:object_r:httpd_sys_content_t:s0
/var/www(/.*)?                                     all files          system_u:object_r:httpd_sys_content_t:s0
/var/www/icons(/.*)?                               all files          system_u:object_r:httpd_sys_content_t:s0
/var/www/svn/conf(/.*)?                            all files          system_u:object_r:httpd_sys_content_t:s0
/webcontent(/.*)?                                  all files          system_u:object_r:httpd_sys_content_t:s0

# The directory doesn't automatically get the label when it is created
[root@localhost ~]# mkdir /webcontent
[root@localhost ~]# ls -laZd /webcontent/
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /webcontent/

# Run restorecon so that /webcontent is relabeled according to the default policy
[root@localhost ~]# restorecon -vvFR /webcontent/
restorecon reset /webcontent context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
[root@localhost ~]# ls -laZd /webcontent/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /webcontent/

#### Removing rules from the policy
# Delete the default-policy rule for /webcontent
[root@localhost ~]# semanage fcontext -d -t httpd_sys_content_t '/webcontent(/.*)?'
[root@localhost ~]# semanage fcontext -l | grep httpd_sys_content_t
/etc/htdig(/.*)?                                   all files          system_u:object_r:httpd_sys_content_t:s0
/srv/([^/]*/)?www(/.*)?                            all files          system_u:object_r:httpd_sys_content_t:s0
/srv/gallery2(/.*)?                                all files          system_u:object_r:httpd_sys_content_t:s0
/usr/share/doc/ghc/html(/.*)?                      all files          system_u:object_r:httpd_sys_content_t:s0
/usr/share/drupal.*                                all files          system_u:object_r:httpd_sys_content_t:s0
/usr/share/glpi(/.*)?                              all files          system_u:object_r:httpd_sys_content_t:s0
/usr/share/htdig(/.*)?                             all files          system_u:object_r:httpd_sys_content_t:s0
/usr/share/icecast(/.*)?                           all files          system_u:object_r:httpd_sys_content_t:s0
/usr/share/ntop/html(/.*)?                         all files          system_u:object_r:httpd_sys_content_t:s0
/usr/share/openca/htdocs(/.*)?                     all files          system_u:object_r:httpd_sys_content_t:s0
/usr/share/selinux-policy[^/]*/html(/.*)?          all files          system_u:object_r:httpd_sys_content_t:s0
/usr/share/z-push(/.*)?                            all files          system_u:object_r:httpd_sys_content_t:s0
/var/lib/cacti/rra(/.*)?                           all files          system_u:object_r:httpd_sys_content_t:s0
/var/lib/htdig(/.*)?                               all files          system_u:object_r:httpd_sys_content_t:s0
/var/lib/trac(/.*)?                                all files          system_u:object_r:httpd_sys_content_t:s0
/var/www(/.*)?                                     all files          system_u:object_r:httpd_sys_content_t:s0
/var/www/icons(/.*)?                               all files          system_u:object_r:httpd_sys_content_t:s0
/var/www/svn/conf(/.*)?                            all files          system_u:object_r:httpd_sys_content_t:s0

# Rule is gone from policy, but /webcontent still has its label until policy is applied
[root@localhost ~]# ls -laZd /webcontent/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /webcontent/
[root@localhost ~]# restorecon -vvFR /webcontent/
restorecon reset /webcontent context system_u:object_r:httpd_sys_content_t:s0->system_u:object_r:default_t:s0
[root@localhost ~]# ls -laZd /webcontent/
drwxr-xr-x. root root system_u:object_r:default_t:s0   /webcontent/

#### Changing current label with chcon
[root@localhost ~]# ls -laZd /webcontent/
drwxr-xr-x. root root system_u:object_r:default_t:s0   /webcontent/

# Manually give label to /webcontent
[root@localhost ~]# chcon -t httpd_sys_content_t /webcontent/
[root@localhost ~]# ls -laZd /webcontent/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /webcontent/

# chcon didn't change the default policy
[root@localhost ~]# semanage fcontext -l | grep httpd_sys_content_t
/etc/htdig(/.*)?                                   all files          system_u:object_r:httpd_sys_content_t:s0
/srv/([^/]*/)?www(/.*)?                            all files          system_u:object_r:httpd_sys_content_t:s0
/srv/gallery2(/.*)?                                all files          system_u:object_r:httpd_sys_content_t:s0
/usr/share/doc/ghc/html(/.*)?                      all files          system_u:object_r:httpd_sys_content_t:s0
/usr/share/drupal.*                                all files          system_u:object_r:httpd_sys_content_t:s0
/usr/share/glpi(/.*)?                              all files          system_u:object_r:httpd_sys_content_t:s0
/usr/share/htdig(/.*)?                             all files          system_u:object_r:httpd_sys_content_t:s0
/usr/share/icecast(/.*)?                           all files          system_u:object_r:httpd_sys_content_t:s0
/usr/share/ntop/html(/.*)?                         all files          system_u:object_r:httpd_sys_content_t:s0
/usr/share/openca/htdocs(/.*)?                     all files          system_u:object_r:httpd_sys_content_t:s0
/usr/share/selinux-policy[^/]*/html(/.*)?          all files          system_u:object_r:httpd_sys_content_t:s0
/usr/share/z-push(/.*)?                            all files          system_u:object_r:httpd_sys_content_t:s0
/var/lib/cacti/rra(/.*)?                           all files          system_u:object_r:httpd_sys_content_t:s0
/var/lib/htdig(/.*)?                               all files          system_u:object_r:httpd_sys_content_t:s0
/var/lib/trac(/.*)?                                all files          system_u:object_r:httpd_sys_content_t:s0
/var/www(/.*)?                                     all files          system_u:object_r:httpd_sys_content_t:s0
/var/www/icons(/.*)?                               all files          system_u:object_r:httpd_sys_content_t:s0
/var/www/svn/conf(/.*)?                            all files          system_u:object_r:httpd_sys_content_t:s0

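# Re-applying the default policy removes the label set with chcon.
# chcon changes are not recorded in the policy; for a label that must survive
# a relabel, add a rule with semanage fcontext -a and then run restorecon.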
[root@localhost ~]# restorecon -vvFR /webcontent/
restorecon reset /webcontent context system_u:object_r:httpd_sys_content_t:s0->system_u:object_r:default_t:s0
[root@localhost ~]# ls -laZd /webcontent/
drwxr-xr-x. root root system_u:object_r:default_t:s0   /webcontent/


#### Working with booleans, current vs. default values
# There is a boolean that allows CGI, on top of configuration settings for httpd
# Default policy and current value are both 'on'
[root@localhost ~]# semanage boolean -l | egrep "(^SELinux|http.*cgi)"
SELinux boolean                State  Default Description
httpd_enable_cgi               (on   ,   on)  Allow httpd to enable cgi

# getsebool only shows one value, the current state, not default policy
[root@localhost ~]# getsebool httpd_enable_cgi
httpd_enable_cgi --> on

# Without -P, setsebool only affects the current (running) state;
# the default is untouched, so the change does not survive a reboot
[root@localhost ~]# setsebool httpd_enable_cgi=off
[root@localhost ~]# semanage boolean -l | egrep "(^SELinux|http.*cgi)"
SELinux boolean                State  Default Description
httpd_enable_cgi               (off  ,   on)  Allow httpd to enable cgi
[root@localhost ~]# getsebool httpd_enable_cgi
httpd_enable_cgi --> off

# Use -P to change the default state as well, so the setting persists
[root@localhost ~]# setsebool -P httpd_enable_cgi=off
[root@localhost ~]# semanage boolean -l | egrep "(^SELinux|http.*cgi)"
SELinux boolean                State  Default Description
httpd_enable_cgi               (off  ,  off)  Allow httpd to enable cgi
[root@localhost ~]# getsebool httpd_enable_cgi
httpd_enable_cgi --> off

# Even if default policy is for it to be off, you can still set current state to 'on'
[root@localhost ~]# setsebool httpd_enable_cgi=on
[root@localhost ~]# semanage boolean -l | egrep "(^SELinux|http.*cgi)"
SELinux boolean                State  Default Description
httpd_enable_cgi               (on   ,  off)  Allow httpd to enable cgi
[root@localhost ~]# getsebool httpd_enable_cgi
httpd_enable_cgi --> on

# Changing the default policy will change the current state as well
[root@localhost ~]# setsebool -P httpd_enable_cgi=on
[root@localhost ~]# semanage boolean -l | egrep "(^SELinux|http.*cgi)"
SELinux boolean                State  Default Description
httpd_enable_cgi               (on   ,   on)  Allow httpd to enable cgi
[root@localhost ~]# setsebool -P httpd_enable_cgi=off
[root@localhost ~]# semanage boolean -l | egrep "(^SELinux|http.*cgi)"
SELinux boolean                State  Default Description
httpd_enable_cgi               (off  ,  off)  Allow httpd to enable cgi
[root@localhost ~]# setsebool -P httpd_enable_cgi=on
[root@localhost ~]# semanage boolean -l | egrep "(^SELinux|http.*cgi)"
SELinux boolean                State  Default Description
httpd_enable_cgi               (on   ,   on)  Allow httpd to enable cgi
