When SELinux blocks something and you need to understand why, the best documentation is sitting in man pages most sysadmins never read. Every confined service on a Rocky Linux 10 box has a dedicated *_selinux(8) man page that lists its types, booleans, file contexts, port contexts, and entrypoints. Installing the policy docs and indexing them is a five-minute job that pays back every time you hit a denial in audit.log.
This guide sets up the full SELinux man page set on Rocky Linux 10, AlmaLinux 10, and RHEL 10, shows how to search them, and explains how to read the output. The same packages exist on Fedora 42 and CentOS Stream 10 under the same names.
Verified: April 2026 on Rocky Linux 10.1 with selinux-policy-doc-42.1.7-1.el10_1.2, 903 individual *_selinux(8) man pages indexed
Step 1: Install the policy doc package
The selinux-policy-doc package ships every per-service man page plus the HTML policy reference. It’s in AppStream on Rocky, Alma, and RHEL, so no extra repository is needed:
sudo dnf install -y selinux-policy-doc setools-console policycoreutils-python-utils
Three packages land: selinux-policy-doc is the man page set, setools-console adds the seinfo, sesearch, and seinfoflow analyzers, and policycoreutils-python-utils gives you the semanage, audit2allow, and audit2why commands. You want all three because they complement each other. After the install, rebuild the man database index so apropos and whatis find the new pages:
sudo mandb -q
Step 2: Count what you just got
A quick sanity check on how many service-specific pages landed on disk:
ls /usr/share/man/man8/ | grep -c '_selinux\.8'
On a stock Rocky 10.1 install this returns 903. That’s 903 confined services the targeted policy knows how to describe in detail, each with its own man page:
903
Step 3: Search for a service
Use man -k or apropos to find everything related to a keyword. If you’re wondering what SELinux rules apply to Apache HTTPD, for example:
apropos httpd | grep selinux
You’ll see a list of every httpd-related confined subprocess that has its own policy:
httpd_helper_selinux (8) - Security Enhanced Linux Policy for the httpd_helper processes
httpd_passwd_selinux (8) - Security Enhanced Linux Policy for the httpd_passwd processes
httpd_php_selinux (8) - Security Enhanced Linux Policy for the httpd_php processes
httpd_rotatelogs_selinux (8) - Security Enhanced Linux Policy for the httpd_rotatelogs processes
httpd_selinux (8) - Security Enhanced Linux Policy for the httpd processes
The main httpd_selinux page is what you want most of the time. The sub-process pages are useful when you’re tracing a specific denial that came from a subprocess like httpd_php_t.
Step 4: Read an actual man page
Open the main httpd page to see what the structure looks like:
man httpd_selinux
The first sections describe what the policy does and which type the process runs as:
httpd_selinux(8) SELinux Policy httpd httpd_selinux(8)
NAME
httpd_selinux - Security Enhanced Linux Policy for the httpd processes
DESCRIPTION
Security-Enhanced Linux secures the httpd processes via flexible manda-
tory access control.
The httpd processes execute with the httpd_t SELinux type. You can
check if you have these processes running by executing the ps command
with the -Z qualifier.
For example:
ps -eZ | grep httpd_t
ENTRYPOINTS
The httpd_t SELinux type can be entered via the httpd_exec_t file type.
Scroll down and you’ll hit the sections you actually came for: BOOLEANS (all the toggles you can flip with setsebool), PORT TYPES (which ports the policy lets httpd bind on), MANAGED FILES (which file contexts the policy allows httpd to write to), and FILE CONTEXTS (the default paths that carry httpd_sys_content_t, httpd_sys_rw_content_t, and friends).
Step 5: Common man pages you’ll actually use
Out of the 903, the handful below cover 80% of the SELinux denials you’ll ever hit on a real server:
man httpd_selinux
man sshd_selinux
man postgresql_selinux
man mysqld_selinux
man container_selinux
man postfix_selinux
Open each of these once, look at the BOOLEANS section, and note the toggles that exist for that service. Knowing that httpd_can_network_connect and httpd_can_sendmail are one-liner fixes prevents a lot of “just disable SELinux” suggestions from ever making sense.
Step 6: Bonus, the HTML policy reference
The same package drops a complete HTML reference under /usr/share/doc/selinux-policy/html/. It’s organized by module name and is easier to skim than man pages when you’re hunting for a type across multiple services:
ls /usr/share/doc/selinux-policy/html/ | head -10
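To read it from a remote server, get index.html into a browser (scp it over, or run python3 -m http.server in that directory) and browse by module. Each entry links to the full type list, interfaces, and allowed transitions. Note that http.server listens on all interfaces by default; on a host reachable from untrusted networks, add --bind 127.0.0.1 and reach it through an SSH port forward.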
Step 7: When a man page is not enough
For the cases where the service you care about doesn’t have a dedicated man page (third-party software, custom modules), two tools bridge the gap:
sesearch --allow --source my_app_t --target unreserved_port_t
seinfo --type=my_app_t
sesearch queries the loaded policy for actual allow rules, and seinfo dumps type information, booleans, and attributes. Pair them with audit2why to read raw AVC denial messages and get human-readable explanations. For a full troubleshooting walkthrough see our SELinux troubleshooting guide and our reference on changing the SSH port with SELinux in enforcing mode.
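The lookup this guide describes, from a denial's source domain to its *_selinux(8) page (Step 3) with the sesearch fallback from Step 7, as an added example that is not part of the original guide. The AVC records are constructed samples, and avc_lookup and suggest are hypothetical helper names.

```bash
#!/bin/sh
# Added example: turn AVC denials into "which *_selinux(8) page do I read?"

# Constructed sample records in audit.log layout (not captured from a real host).
SAMPLE_AVCS='type=AVC msg=audit(1712345678.123:456): avc:  denied  { name_connect } for  pid=2311 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1712345699.456:470): avc:  denied  { write } for  pid=2390 comm="php-cgi" name="cache" dev="dm-0" ino=1337 scontext=system_u:system_r:httpd_php_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1712345699.456:470): arch=c000003e syscall=257 success=no exit=-13 comm="php-cgi"'

# Read audit records on stdin; print one tab-separated row per denial:
#   man page <TAB> source domain <TAB> denied permissions <TAB> target type:class
avc_lookup() {
    awk '
    /avc: +denied/ {
        perms = ""; s = ""; t = ""; cls = ""
        # Permissions sit between "{ " and " }".
        if (match($0, /\{[^}]*\}/)) perms = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            # A context is user:role:type:level, so the type is field 3.
            if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
            if ($i ~ /^tclass=/)   cls = substr($i, 8)
        }
        page = s; sub(/_t$/, "", page)   # httpd_php_t -> httpd_php
        printf "%s_selinux\t%s\t%s\t%s:%s\n", page, s, perms, t, cls
    }'
}

# Print the next command to run for a source domain: the man page if one is
# installed, otherwise a policy query (third-party or custom module).
suggest() {
    page="${1%_t}_selinux"
    if man -w 8 "$page" >/dev/null 2>&1; then
        echo "man 8 $page"
    else
        echo "sesearch --allow --source $1"
    fi
}

# Stand-alone run: one suggestion per distinct denied domain in the sample.
printf '%s\n' "$SAMPLE_AVCS" | avc_lookup | cut -f2 | sort -u |
while read -r dom; do suggest "$dom"; done
```

On a live host, pipe `ausearch -m AVC -ts recent` (run as root) into avc_lookup instead of the sample.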
Wrap up
With the policy docs installed and the man database rebuilt, every SELinux denial on a Rocky Linux 10 or RHEL 10 box becomes a lookup instead of a guessing game. The ~20 MB of disk space the selinux-policy-doc package takes is the cheapest piece of documentation you will ever buy on a Linux server. Good neighbouring reading: our dedicated firewalld configuration guide, our Rocky Linux 10 post-install tips which keeps SELinux enforcing by default, and our systemctl reference for the service-side layer where SELinux denials usually surface first.