NAME

semodule - Manage SELinux policy modules.

SYNOPSIS

semodule [option]... MODE...

DESCRIPTION

semodule is the tool used to manage SELinux policy modules, including installing, upgrading, listing and removing modules. semodule may also be used to force a rebuild of policy from the module store and/or to force a reload of policy without performing any other transaction. semodule acts on module packages created by semodule_package. Conventionally, these files have a .pp suffix (policy package), although this is not mandated in any way.

MODES

-R, --reload: force a reload of policy
-B, --build: force a rebuild of policy (also reloads unless -n is used)
-D, --disable_dontaudit: Temporarily remove dontaudits from policy. Reverts whenever policy is rebuilt
-i,--install=MODULE_PKG: install/replace a module package
-u,--upgrade=MODULE_PKG: deprecated, alias for --install
-b,--base=MODULE_PKG: deprecated, alias for --install
-r,--remove=MODULE_NAME: remove existing module at desired priority (defaults to -X 400)
-l[KIND],--list-modules[=KIND]: display list of installed modules (other than base)
KIND:
standard: list highest priority, enabled, non-base modules
full: list all modules
-X,--priority=PRIORITY: set priority for following operations (1-999)
-e,--enable=MODULE_NAME: enable module
-d,--disable=MODULE_NAME: disable module
-E,--extract=MODULE_PKG: Extract a module from the store as an HLL or CIL file to the current directory. A module is extracted as HLL by default. The name of the module written is <module-name>.<lang_ext>

OPTIONS

-s,--store: name of the store to operate on
-n,--noreload,-N: do not reload policy after commit
-h,--help: prints help message and quit
-P,--preserve_tunables: Preserve tunables in policy
-C,--ignore-module-cache: Recompile CIL modules built from HLL files
-p,--path: Use an alternate path for the policy root
-S,--store-path: Use an alternate path for the policy store root
-v,--verbose: be verbose
-c,--cil: Extract module as a CIL file. This only affects the --extract option and only modules listed in --extract after this option.
-H,--hll: Extract module as an HLL file. This only affects the --extract option and only modules listed in --extract after this option.

EXAMPLE

# Install or replace a base policy package.
$ semodule -b base.pp
# Install or replace a non-base policy package.
$ semodule -i httpd.pp
# Install or replace all non-base modules in the current directory.
# This syntax can be used with -i/u/r/E, but no other option can be entered after the module names
$ semodule -i *.pp
# Install or replace all modules in the current directory.
$ ls *.pp | grep -Ev "base.pp|enableaudit.pp" | xargs /usr/sbin/semodule -b base.pp -i
# List non-base modules.
$ semodule -l
# List all modules including priorities
$ semodule -lfull
# Remove a module at priority 100
$ semodule -X 100 -r wireshark
# Turn on all AVC Messages for which SELinux currently is "dontaudit"ing.
$ semodule -DB
# Turn "dontaudit" rules back on.
$ semodule -B
# Disable a module (all instances of given module across priorities will be disabled).
$ semodule -d alsa
# Install a module at a specific priority.
$ semodule -X 100 -i alsa.pp
# List all modules.
$ semodule --list=full
# Set an alternate path for the policy root
$ semodule -B -p "/tmp"
# Set an alternate path for the policy store root
$ semodule -B -S "/tmp/var/lib/selinux"
# Write the HLL version of puppet and the CIL version of wireshark
# modules at priority 400 to the current working directory
$ semodule -X 400 --hll -E puppet --cil -E wireshark

AUTHORS

This manual page was written by Dan Walsh <dwalsh@redhat.com>.
The program was written by Karl MacMillan <kmacmillan@tresys.com>, Joshua Brindle <jbrindle@tresys.com>, Jason Tang <jtang@tresys.com>

Nov 2005

Security Enhanced Linux