firewalld.lockdown-whitelist man page

firewalld.lockdown-whitelist — firewalld lockdown whitelist configuration file




The firewalld lockdown-whitelist configuration file contains the selinux contexts, commands, users and user ids that are white-listed when firewalld lockdown feature is enabled (see firewalld.conf(5) and firewall-cmd(1)).

This example configuration file shows the structure of an lockdown-whitelist file:

<?xml version="1.0" encoding="utf-8"?>
  <selinux context="selinuxcontext"/>
  <command name="commandline[*]"/>
  <user {name="username|id="userid"}/>


The config can contain these tags and attributes. Some of them are mandatory, others optional.


The mandatory whitelist start and end tag defines the lockdown-whitelist. This tag can only be used once in a lockdown-whitelist configuration file. There are no attributes for this.


Is an optional empty-element tag and can be used several times to have more than one selinux contexts entries. A selinux entry has exactly one attribute:


The context is the security (SELinux) context of a running application or service.

To get the context of a running application use ps -e --context and search for the application that should be white-listed.

Warning: If the context of an application is unconfined, then this will open access for more than the desired application.


Is an optional empty-element tag and can be used several times to have more than one command entry. A command entry has exactly one attribute:


The command string is a complete command line including path and also attributes.

If a command entry ends with an asterisk '*', then all command lines starting with the command will match. If the '*' is not there the absolute command inclusive arguments must match.

Commands for user root and others is not always the same, the used path depends on the use of the PATH environment variable.


Is an optional empty-element tag and can be used several times to white-list more than one user. A user entry has exactly one attribute of these:


The user with the name string will be white-listed.


The user with the id userid will be white-listed.

See Also

firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1), firewallctl(1), firewalld.conf(5),, firewalld.dbus(5), firewalld.icmptype(5), firewalld.lockdown-whitelist(5), firewall-offline-cmd(1), firewalld.richlanguage(5), firewalld.service(5),, firewalld.zones(5), firewalld.ipset(5), firewalld.helper(5)


firewalld home page:

More documentation with examples:


Thomas Woerner <>


Jiri Popelka <>


Referenced By

firewall-applet(1), firewall-cmd(1), firewall-config(1), firewallctl(1), firewalld(1), firewalld.conf(5), firewalld.dbus(5),, firewalld.icmptype(5), firewalld.ipset(5), firewalld.richlanguage(5), firewalld.service(5),, firewalld.zones(5), firewall-offline-cmd(1).

firewalld firewalld.lockdown-whitelist