All further code assumes that a connection object has been created and the default namespace (root/cimv2) is used. Also, the LMI_SELinuxService instance must have been acquired.

c = connect("https://myhost", "user", "secret")
service = c.root.cimv2.LMI_SELinuxService.first_instance()
system = c.root.cimv2.PG_ComputerSystem.first_instance()

As a convenience helper function for further use, lmi_unixfile_instance_name is defined. It provides an easy way to get file references for methods that require an LMI_UnixFile reference as a parameter.

def lmi_unixfile_instance_name(path):
    props = {"CSName",
    return c.root.cimv2.LMI_UnixFile.new_instance_name(props)

SELinux state

General information about SELinux is available via the service instance:

def state_to_str(state):
    if state == 0: return "Disabled"
    elif state == 1: return "Permissive"
    elif state == 2: return "Enabled"
    else: return "Unknown"

print "Policy version:   %s" % service.PolicyVersion
print "Policy type:      %s" % service.PolicyType
print "Current state:    %s" % state_to_str(service.SELinuxState)
print "Persistent state: %s" % state_to_str(service.SELinuxDefaultState)

Set service state, for example, set the default (persistent) state to Enforcing:

# 2 == Enforcing


List all booleans and print their current and default values:

booleans = c.root.cimv2.LMI_SELinuxBoolean.instances()
for boolean in booleans:
    print "%-50s (%s, %s)" % (boolean.ElementName, boolean.State, boolean.DefaultState)

To enable the httpd_use_sasl boolean in the current runtime, but not permanently:

target = c.root.cimv2.LMI_SELinuxBoolean.new_instance_name({"InstanceID":"LMI:LMI_SELinuxBoolean:httpd_use_sasl"})
res = service.SetBoolean({"Target":target,


List all ports:

ports = c.root.cimv2.LMI_SELinuxPort.instances()
for port in sorted(ports):
    print "%-30s %-10s %s" % (port.ElementName,
                              "tcp" if port.Protocol else "udp",
                              ", ".join(port.Ports))

Label the TCP port 8080 with http_port_t:

target = c.root.cimv2.LMI_SELinuxPort.new_instance_name({"InstanceID":"LMI:LMI_SELinuxPort:TCP:http_port_t"})

It is also possible to specify PortRange as an actual range, for example “8080-8090”.

File labels

To see what SELinux context a file holds, the LogicalFile provider is used:

target = lmi_unixfile_instance_name("/tmp/file")
file = target.to_instance()
print file.SELinuxCurrentContext
print file.SELinuxExpectedContext

Set a file context:

target = lmi_unixfile_instance_name("/root")

Restore SELinux contexts of all the files in /etc/ recursively:

# 1 == Restore
target = lmi_unixfile_instance_name("/etc/")