semodule(8) - Manage SELinux policy modules.
-
SEMODULE(8) NSA SEMODULE(8) NAME semodule - Manage SELinux policy modules. SYNOPSIS semodule [options]... MODE [MODES]... DESCRIPTION semodule is the tool used to manage SELinux policy modules, including installing, upgrading, listing and removing modules. semodule may also be used to force a rebuild of policy from the module store and/or to force a reload of policy without performing any other transaction. semodule acts on module packages created by semodule_package. Conven‐ tionally, these files have a .pp suffix (policy package), although this is not mandated in any way. OPTIONS -R, --reload force a reload of policy -B, --build force a rebuild of policy (also reloads unless -n is used) -D, --disable_dontaudit Temporarily remove dontaudits from policy. Reverts whenever policy is rebuilt -i,--install=MODULE_PKG install/replace a module package -u,--upgrade=MODULE_PKG deprecated, alias for --install -b,--base=MODULE_PKG deprecated, alias for --install -r,--remove=MODULE_NAME remove existing module -l[KIND],--list-modules[=KIND] display list of installed modules (other than base) -E,--extract=MODULE_PKG Extract a module from the store as an HLL or CIL file to the current directory. A module is extracted as HLL by default. The name of the module written is <module-name>.<lang_ext> KIND: standard list highest priority, enabled, non-base modules full list all modules -X,--priority=PRIORITY set priority for following operations (1-999) -e,--enabled=MODULE_NAME enable module -d,--disable=MODULE_NAME disable module -s,--store name of the store to operate on -n,--noreload,-N do not reload policy after commit -h,--help prints help message and quit -P,--preserve_tunables Preserve tunables in policy -C,--ignore-module-cache Recompile CIL modules built from HLL files -p,--path Use an alternate path for the policy root -S,--store-path Use an alternate path for the policy store root -v,--verbose be verbose -c,--cil Extract module as a CIL file. This only affects the --extract option and only modules listed in --extract after this option. -H,--hll Extract module as an HLL file. This only affects the --extract option and only modules listed in --extract after this option. EXAMPLE # Install or replace a base policy package. $ semodule -b base.pp # Install or replace a non-base policy package. $ semodule -i httpd.pp # List non-base modules. $ semodule -l # Turn on all AVC Messages for which SELinux currently is "dontaudit"ing. $ semodule -DB # Turn "dontaudit" rules back on. $ semodule -B # Install or replace all non-base modules in the current directory. $ semodule -i *.pp # Install or replace all modules in the current directory. $ ls *.pp | grep -Ev "base.pp|enableaudit.pp" | xargs /usr/sbin/semodule -b base.pp -i # Disable a module. $ semodule -d alsa # Install a module at a specific priority. $ semodule -X 100 -i alsa.pp # List all modules. $ semodule --list=full # Set an alternate path for the policy root $ semodule -B -p "/tmp" # Set an alternate path for the policy store root $ semodule -B -S "/tmp/var/lib/selinux" # Write the HLL version of puppet and the CIL version of wireshark # modules at priority 400 to the current working directory $ semodule -X 400 --hll -E puppet --cil -E wireshark SEE ALSO checkmodule(8), semodule_package(8) AUTHORS This manual page was written by Dan Walsh <[email protected]>. The program was written by Karl MacMillan <[email protected]>, Joshua Brindle <[email protected]>, Jason Tang <[email protected]> Security Enhanced Linux Nov 2005 SEMODULE(8)
© Lightnetics 2024