path: root/policycoreutils/semodule/semodule.8
blob: 18d4f708661c845cb4f1044df987f18cc4106e50 (plain)
.TH SEMODULE "8" "Nov 2005" "Security Enhanced Linux" NSA
.SH NAME
semodule \- Manage SELinux policy modules.

.SH SYNOPSIS
.B semodule [option]... MODE...
.br
.SH DESCRIPTION
.PP
semodule is the tool used to manage SELinux policy modules,
including installing, upgrading, listing and removing modules.  
semodule may also be used to force a rebuild of policy from the
module store and/or to force a reload of policy without performing
any other transaction.  semodule acts on module packages created
by semodule_package.  Conventionally, these files have a .pp suffix
(policy package), although this is not mandated in any way.

.SH "MODES"
.TP
.B \-R, \-\-reload
force a reload of policy
.TP
.B \-B, \-\-build
force a rebuild of policy (also reloads unless \-n is used)
.TP
.B \-D, \-\-disable_dontaudit
Temporarily remove dontaudit rules from policy.  Reverts whenever policy is rebuilt.
.TP
.B \-i,\-\-install=MODULE_PKG
install/replace a module package
.TP
.B  \-u,\-\-upgrade=MODULE_PKG
deprecated, alias for \-\-install
.TP
.B  \-b,\-\-base=MODULE_PKG
deprecated, alias for \-\-install
.TP
.B  \-r,\-\-remove=MODULE_NAME
remove existing module at desired priority (defaults to \-X 400)
.TP
.B  \-l[KIND],\-\-list-modules[=KIND]
display list of installed modules (other than base)
.TP
.B  KIND:
.TP
standard
list highest priority, enabled, non-base modules
.TP
full
list all modules
.TP
.B  \-X,\-\-priority=PRIORITY
set priority for following operations (1-999)
.TP
.B  \-e,\-\-enable=MODULE_NAME
enable module
.TP
.B  \-d,\-\-disable=MODULE_NAME
disable module
.TP
.B  \-E,\-\-extract=MODULE_PKG
Extract a module from the store as an HLL or CIL file to the current directory.
A module is extracted as HLL by default. The name of the module written is
<module-name>.<lang_ext>
.SH "OPTIONS"
.TP
.B  \-s,\-\-store
name of the store to operate on
.TP
.B  \-n,\-\-noreload,\-N
do not reload policy after commit
.TP
.B  \-h,\-\-help
print help message and quit
.TP
.B \-P,\-\-preserve_tunables
Preserve tunables in policy
.TP
.B \-C,\-\-ignore-module-cache
Recompile CIL modules built from HLL files
.TP
.B \-p,\-\-path
Use an alternate path for the policy root
.TP
.B \-S,\-\-store-path
Use an alternate path for the policy store root
.TP
.B  \-v,\-\-verbose
be verbose
.TP
.B  \-c,\-\-cil
Extract module as a CIL file. This only affects the \-\-extract option and
only modules listed in \-\-extract after this option.
.TP
.B  \-H,\-\-hll
Extract module as an HLL file. This only affects the \-\-extract option and
only modules listed in \-\-extract after this option.

.SH EXAMPLE
.nf
# Install or replace a base policy package.
$ semodule \-b base.pp
# Install or replace a non-base policy package.
$ semodule \-i httpd.pp
# Install or replace all non-base modules in the current directory.
# This syntax can be used with \-i/\-u/\-r/\-E, but no other option can be entered after the module names.
$ semodule \-i *.pp
# Install or replace all modules in the current directory.
$ ls *.pp | grep \-Ev "base.pp|enableaudit.pp" | xargs /usr/sbin/semodule \-b base.pp \-i
# List non-base modules.
$ semodule \-l
# List all modules including priorities
$ semodule \-lfull
# Remove a module at priority 100
$ semodule \-X 100 \-r wireshark
# Turn on all AVC Messages for which SELinux currently is "dontaudit"ing.
$ semodule \-DB
# Turn "dontaudit" rules back on.
$ semodule \-B
# Disable a module (all instances of given module across priorities will be disabled).
$ semodule \-d alsa
# Install a module at a specific priority.
$ semodule \-X 100 \-i alsa.pp
# List all modules.
$ semodule \-\-list=full
# Set an alternate path for the policy root
$ semodule \-B \-p "/tmp"
# Set an alternate path for the policy store root
$ semodule \-B \-S "/tmp/var/lib/selinux"
# Write the HLL version of puppet and the CIL version of wireshark
# modules at priority 400 to the current working directory
$ semodule \-X 400 \-\-hll \-E puppet \-\-cil \-E wireshark
.fi
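Because the module at the highest priority is the one that ends up in the built policy, and \-d disables every instance of a module across priorities, a host reviewer usually wants to know which modules are overridden and which are fully disabled. The following shell functions are an added example, not part of semodule or this manual; they parse a constructed \-lfull listing and assume its lines have the form "<priority> <name> <lang_ext> [disabled]".

```shell
#!/bin/sh
# Constructed sample of `semodule -lfull` output (assumed line format:
# "<priority> <name> <lang_ext> [disabled]"); not captured from a real host.
SAMPLE_LISTING='400 httpd        cil
400 my_local     cil
100 abrt         pp
100 httpd        pp
100 wireshark    pp  disabled
200 wireshark    pp  disabled'

# shadowed_modules: read a -lfull listing on stdin and print one line
# "<name> <effective_priority> <shadowed_priorities>" for every module
# installed at more than one priority. Only the highest priority copy is
# compiled into policy; the others are dormant until it is removed
# (semodule -X <prio> -r <name>).
shadowed_modules() {
    awk '
    {
        pri = $1 + 0; name = $2
        if (!(name in top) || pri > top[name]) top[name] = pri
        prios[name] = prios[name] " " pri
        count[name]++
    }
    END {
        for (name in count) {
            if (count[name] < 2) continue
            n = split(prios[name], p, " ")
            shadowed = ""
            for (i = 1; i <= n; i++)
                if (p[i] != "" && p[i] + 0 != top[name])
                    shadowed = shadowed (shadowed == "" ? "" : ",") p[i]
            printf "%s %d %s\n", name, top[name], shadowed
        }
    }' | sort
}

# disabled_modules: names whose every instance is marked disabled, i.e.
# modules that currently contribute no rules to the loaded policy.
disabled_modules() {
    awk '
    { total[$2]++; if ($4 == "disabled") off[$2]++ }
    END { for (m in total) if (off[m] == total[m]) print m }' | sort
}

# Usage on a live system: semodule -lfull | shadowed_modules
printf '%s\n' "$SAMPLE_LISTING" | shadowed_modules
printf '%s\n' "$SAMPLE_LISTING" | disabled_modules
```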

.SH SEE ALSO
.BR checkmodule (8),
.BR semodule_package (8)
.SH AUTHORS
.nf
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
The program was written by Karl MacMillan <kmacmillan@tresys.com>, Joshua Brindle <jbrindle@tresys.com>, Jason Tang <jtang@tresys.com>.