SEMODULE(8) NSA SEMODULE(8)

NAME

semodule - Manage SELinux policy modules.

SYNOPSIS

semodule [options]... MODE [MODES]...

DESCRIPTION

semodule is the tool used to manage SELinux policy modules, including installing, upgrading, listing and removing modules. semodule may also be used to force a rebuild of policy from the module store and/or to force a reload of policy without performing any other transaction. semodule acts on module packages created by semodule_package. Conventionally, these files have a .pp suffix (policy package), although this is not mandated in any way.

OPTIONS

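-R, --reload
       force a reload of policy
-B, --build
       force a rebuild of policy (also reloads unless -n is used)
-D, --disable_dontaudit
       temporarily remove dontaudits from policy; reverts whenever policy is rebuilt
-i, --install=MODULE_PKG
       install/replace a module package
-u, --upgrade=MODULE_PKG
       upgrade an existing module package, or install if the module does not exist
-b, --base=MODULE_PKG
       install/replace base module package
-d, --disable=MODULE_NAME
       disable existing module
-e, --enable=MODULE_NAME
       enable existing module
-r, --remove=MODULE_NAME
       remove existing module
-l, --list-modules
       display list of installed modules (other than base)
-s, --store
       name of the store to operate on
-n, --noreload
       do not reload policy after commit
-h, --help
       print help message and quit
-v, --verbose
       be verbose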

EXAMPLE

# Install or replace a base policy package.
$ semodule -b base.pp
# Install or replace a non-base policy package.
$ semodule -i httpd.pp
# List non-base modules.
$ semodule -l
# Turn on all AVC Messages for which SELinux currently is "dontaudit"ing.
$ semodule -DB
# Turn "dontaudit" rules back on.
$ semodule -B
# Install or replace all non-base modules in the current directory.
$ semodule -i *.pp
# Install or replace all modules in the current directory.
$ ls *.pp | grep -Ev "base.pp|enableaudit.pp" | xargs /usr/sbin/semodule -b base.pp -i
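
After semodule -DB, policy stays without dontaudit rules until the next rebuild. The wrapper below is an added example, not part of the original manual page or of semodule: it runs one command with dontaudit rules removed and always rebuilds policy afterwards, even if the command fails or is interrupted. The function name with_dontaudit_disabled and the SEMODULE variable are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the semodule distribution).
# Assumption: semodule is at /usr/sbin/semodule, the path used in the
# page's last example; override it with the SEMODULE environment variable.
SEMODULE="${SEMODULE:-/usr/sbin/semodule}"

# with_dontaudit_disabled CMD [ARGS...]
# Rebuilds policy without dontaudit rules (-DB), runs CMD, then rebuilds
# again (-B) so the dontaudit rules return. The function body is a
# subshell, so the traps set here never replace the caller's traps.
with_dontaudit_disabled() (
    if [ "$#" -eq 0 ]; then
        echo "usage: with_dontaudit_disabled CMD [ARGS...]" >&2
        exit 2
    fi
    # Turn signals into a normal exit so the EXIT trap below still runs.
    trap 'exit 130' INT
    trap 'exit 143' TERM
    "$SEMODULE" -DB || { echo "semodule -DB failed" >&2; exit 1; }
    # Policy now has no dontaudit rules: restore them on every exit path.
    trap '"$SEMODULE" -B || echo "WARNING: dontaudit rules not restored" >&2' EXIT
    "$@"
    exit "$?"   # CMD's status becomes the function's status
)

# Stand-alone use: sh this_script.sh CMD [ARGS...]
if [ "$#" -gt 0 ]; then
    with_dontaudit_disabled "$@"
fi
```

The exit status is that of the wrapped command, so the wrapper can be used inside test scripts that check for failure.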

SEE ALSO

checkmodule(8), semodule_package(8)

AUTHORS

This manual page was written by Dan Walsh <dwalsh@redhat.com>.
The program was written by Karl MacMillan <kmacmillan@tresys.com>, Joshua Brindle <jbrindle@tresys.com>, Jason Tang <jtang@tresys.com>.
Nov 2005 Security Enhanced Linux