semodule (8)

Manage selinux policy modules.

  1. Carta.tech
  2. Man Pages
  3. System administration commands
  4. semodule: Manage selinux policy modules.
  1. Carta.tech
  2. Packages
  3. policycoreutils
  4. semodule: Manage selinux policy modules.

SYNOPSIS

semodule [options]... MODE [MODES]...

DESCRIPTION

semodule is the tool used to manage SELinux policy modules, including installing, upgrading, listing and removing modules. semodule may also be used to force a rebuild of policy from the module store and/or to force a reload of policy without performing any other transaction. semodule acts on module packages created by semodule_package. Conventionally, these files have a .pp suffix (policy package), although this is not mandated in any way.

OPTIONS

-R, --reload

force a reload of policy

-B, --build

force a rebuild of policy (also reloads unless -n is used)

-D, --disable_dontaudit

Temporarily remove dontaudits from policy. Reverts whenever policy is rebuilt

-i,--install=MODULE_PKG

install/replace a module package

-u,--upgrade=MODULE_PKG

upgrade an existing module package, or install if the module does not exist

-b,--base=MODULE_PKG

install/replace base module package

-d,--disable=MODULE_NAME

disable existing module

-e,--enable=MODULE_NAME

enable existing module

-p,--path=ROOTPATH

use an alternate root path

-r,--remove=MODULE_NAME

remove existing module

-l,--list-modules

display list of installed modules (other than base)

-s,--store

name of the store to operate on

-n,--noreload,-N

do not reload policy after commit

-h,--help

prints help message and quit

-P,--preserve_tunables

Preserve tunables in policy

-v,--verbose

be verbose

EXAMPLE

# Install or replace a base policy package.
$ semodule -b base.pp
# Install or replace a non-base policy package.
$ semodule -i httpd.pp
# List non-base modules.
$ semodule -l
# Turn on all AVC Messages for which SELinux currently is "dontaudit"ing.
$ semodule -DB
# Turn "dontaudit" rules back on.
$ semodule -B
# Install or replace all non-base modules in the current directory.
$ semodule -i *.pp
# Install or replace all modules in the current directory.
$ ls *.pp | grep -Ev "base.pp|enableaudit.pp" | xargs /usr/sbin/semodule -b base.pp -i

RELATED TO semodule…

checkmodule(8), semodule_package(8)

AUTHORS

This manual page was written by Dan Walsh <[email protected]>.
The program was written by Karl MacMillan <[email protected]>, Joshua Brindle <[email protected]>, Jason Tang <[email protected]>