.TH SEMODULE "8" "Nov 2005" "Security Enhanced Linux" NSA .SH NAME semodule \- Manage SELinux policy modules. .SH SYNOPSIS .B semodule [option]... MODE... .br .SH DESCRIPTION .PP semodule is the tool used to manage SELinux policy modules, including installing, upgrading, listing and removing modules. semodule may also be used to force a rebuild of policy from the module store and/or to force a reload of policy without performing any other transaction. semodule acts on module packages created by semodule_package. Conventionally, these files have a .pp suffix (policy package), although this is not mandated in any way. .SH "MODES" .TP .B \-R, \-\-reload force a reload of policy .TP .B \-B, \-\-build force a rebuild of policy (also reloads unless \-n is used) .TP .B \-D, \-\-disable_dontaudit Temporarily remove dontaudits from policy. Reverts whenever policy is rebuilt .TP .B \-i,\-\-install=MODULE_PKG install/replace a module package .TP .B \-u,\-\-upgrade=MODULE_PKG deprecated, alias for --install .TP .B \-b,\-\-base=MODULE_PKG deprecated, alias for --install .TP .B \-r,\-\-remove=MODULE_NAME remove existing module at desired priority (defaults to -X 400) .TP .B \-l[KIND],\-\-list-modules[=KIND] display list of installed modules (other than base) .TP .B KIND: .TP standard list highest priority, enabled, non-base modules .TP full list all modules .TP .B \-X,\-\-priority=PRIORITY set priority for following operations (1-999) .TP .B \-e,\-\-enable=MODULE_NAME enable module .TP .B \-d,\-\-disable=MODULE_NAME disable module .TP .B \-E,\-\-extract=MODULE_PKG Extract a module from the store as an HLL or CIL file to the current directory. A module is extracted as HLL by default. The name of the module written is <module-name>.<lang_ext> .SH "OPTIONS" .TP .B \-s,\-\-store name of the store to operate on .TP .B \-n,\-\-noreload,\-N do not reload policy after commit .TP .B \-h,\-\-help prints help message and quit .TP .B \-P,\-\-preserve_tunables Preserve tunables in policy .TP .B \-C,\-\-ignore-module-cache Recompile CIL modules built from HLL files .TP .B \-p,\-\-path Use an alternate path for the policy root .TP .B \-S,\-\-store-path Use an alternate path for the policy store root .TP .B \-v,\-\-verbose be verbose .TP .B \-c,\-\-cil Extract module as a CIL file. This only affects the \-\-extract option and only modules listed in \-\-extract after this option. .TP .B \-H,\-\-hll Extract module as an HLL file. This only affects the \-\-extract option and only modules listed in \-\-extract after this option. .SH EXAMPLE .nf # Install or replace a base policy package. $ semodule \-b base.pp # Install or replace a non-base policy package. $ semodule \-i httpd.pp # Install or replace all non-base modules in the current directory. # This syntax can be used with -i/u/r/E, but no other option can be entered after the module names $ semodule \-i *.pp # Install or replace all modules in the current directory. $ ls *.pp | grep \-Ev "base.pp|enableaudit.pp" | xargs /usr/sbin/semodule \-b base.pp \-i # List non-base modules. $ semodule \-l # List all modules including priorities $ semodule \-lfull # Remove a module at priority 100 $ semodule \-X 100 \-r wireshark # Turn on all AVC Messages for which SELinux currently is "dontaudit"ing. $ semodule \-DB # Turn "dontaudit" rules back on. $ semodule \-B # Disable a module (all instances of given module across priorities will be disabled). $ semodule \-d alsa # Install a module at a specific priority. $ semodule \-X 100 \-i alsa.pp # List all modules. $ semodule \-\-list=full # Set an alternate path for the policy root $ semodule \-B \-p "/tmp" # Set an alternate path for the policy store root $ semodule \-B \-S "/tmp/var/lib/selinux" # Write the HLL version of puppet and the CIL version of wireshark # modules at priority 400 to the current working directory $ semodule \-X 400 \-\-hll \-E puppet \-\-cil \-E wireshark .fi .SH SEE ALSO .BR checkmodule (8), .BR semodule_package (8) .SH AUTHORS .nf This manual page was written by Dan Walsh <dwalsh@redhat.com>. The program was written by Karl MacMillan <kmacmillan@tresys.com>, Joshua Brindle <jbrindle@tresys.com>, Jason Tang <jtang@tresys.com>