semodule(8) [centos man page]

SEMODULE(8)								NSA							       SEMODULE(8)

NAME
       semodule - Manage SELinux policy modules.

SYNOPSIS
       semodule [options]... MODE [MODES]...

DESCRIPTION
       semodule is the tool used to manage SELinux policy modules, including installing, upgrading, listing and removing modules. semodule may also be used to force a rebuild of policy from the module store and/or to force a reload of policy without performing any other transaction. semodule acts on module packages created by semodule_package. Conventionally, these files have a .pp suffix (policy package), although this is not mandated in any way.

OPTIONS
       -R, --reload
              force a reload of policy

       -B, --build
              force a rebuild of policy (also reloads unless -n is used)

       -D, --disable_dontaudit
              Temporarily remove dontaudits from policy. Reverts whenever policy is rebuilt

       -i, --install=MODULE_PKG
              install/replace a module package

       -u, --upgrade=MODULE_PKG
              upgrade an existing module package, or install if the module does not exist

       -b, --base=MODULE_PKG
              install/replace base module package

       -d, --disable=MODULE_NAME
              disable existing module

       -e, --enable=MODULE_NAME
              enable existing module

       -p, --path=ROOTPATH
              use an alternate root path

       -r, --remove=MODULE_NAME
              remove existing module

       -l, --list-modules
              display list of installed modules (other than base)

       -s, --store
              name of the store to operate on

       -n, --noreload, -N
              do not reload policy after commit

       -h, --help
              print help message and quit

       -P, --preserve_tunables
              Preserve tunables in policy

       -v, --verbose
              be verbose

EXAMPLE
       # Install or replace a base policy package.
       $ semodule -b base.pp
       # Install or replace a non-base policy package.
       $ semodule -i httpd.pp
       # List non-base modules.
       $ semodule -l
       # Turn on all AVC Messages for which SELinux currently is "dontaudit"ing.
       $ semodule -DB
       # Turn "dontaudit" rules back on.
       $ semodule -B
       # Install or replace all non-base modules in the current directory.
       $ semodule -i *.pp
       # Install or replace all modules in the current directory.
       $ ls *.pp | grep -Ev "base.pp|enableaudit.pp" | xargs /usr/sbin/semodule -b base.pp -i

SEE ALSO
       checkmodule(8), semodule_package(8)

AUTHORS
       This manual page was written by Dan Walsh <dwalsh@redhat.com>.
       The program was written by Karl MacMillan <kmacmillan@tresys.com>, Joshua Brindle <jbrindle@tresys.com>, Jason Tang <jtang@tresys.com>

Security Enhanced Linux							    Nov 2005							       SEMODULE(8)

POLICYGENTOOL(1)					      Debian GNU/Linux manual						  POLICYGENTOOL(1)

NAME
       policygentool - Interactive SELinux policy generation tool

SYNOPSIS
       policygentool [options] <Module Name> <full path for application binary file>

DESCRIPTION
       This tool generates three files for policy development: a Type Enforcement (te) file, a File Context (fc) file, and an Interface (if) file. Most of the policy rules will be written in the te file. Use the File Context file to associate file paths with security contexts. Use the interface rules to allow other protected domains to interact with the newly defined domains.

       The tool prompts for the locations of pidfiles, any logfiles, files in /var/lib, and any init scripts, and asks whether any network access is desirable for the application. The tool then generates the appropriate policy rules for the module.

       After these files have been generated, the make files for the appropriate SELinux policy, namely /usr/share/selinux/refpolicy-targeted/include/Makefile or /usr/share/selinux/refpolicy-strict/include/Makefile, can be used to compile the SELinux policy package. The resulting policy package can be loaded using semodule.

       # /usr/bin/policygentool myapp /usr/bin/myapp
       # cat >Makefile
       > HEADERDIR:=/usr/share/selinux/refpolicy-targeted/include
       > include $(HEADERDIR)/Makefile
       > ^D
       # make
       # semodule -i myapp.pp
       # restorecon -R -v /usr/bin/myapp "all files defined in myapp.fc"
       # setenforce 0
       # /etc/init.d/myapp start
       # audit2allow -R -i /var/log/audit/audit.log

OPTIONS
       -h, --help
              Print a short usage message.

FILES
       myapp.te, myapp.if, myapp.fc.

SEE ALSO
       semodule(8), check_policy(8), load_policy(8).

BUGS
       None known.

AUTHOR
       This manual page was written by Manoj Srivastava <srivasta@debian.org>, for the Debian GNU/Linux system.

Debian							  Feb 27 2007						  POLICYGENTOOL(1)
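
The policygentool workflow above ends by handing /var/log/audit/audit.log to audit2allow. The script below is an added example, not part of either man page: it groups the AVC denials in such a log by source type, target type and object class, so the set of permissions can be reviewed before it is turned into allow rules and loaded with semodule. The function names are hypothetical and the log records are constructed samples in the usual audit.log AVC layout.

```shell
#!/bin/sh
# Added example: group AVC denials by (source type, target type, class)
# so they can be reviewed before audit2allow turns them into allow rules.

# Constructed sample records in audit.log format (not real log data).
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1172577600.101:51): avc:  denied  { read } for  pid=2101 comm="myapp" name="myapp.conf" dev=sda1 ino=4711 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1172577600.102:52): avc:  denied  { read open } for  pid=2101 comm="myapp" name="myapp.conf" dev=sda1 ino=4711 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1172577601.300:53): avc:  denied  { name_bind } for  pid=2101 comm="myapp" src=8081 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1172577601.300:53): arch=c000003e syscall=49 success=no exit=-13 comm="myapp" exe="/usr/bin/myapp" subj=system_u:system_r:myapp_t:s0
type=AVC msg=audit(1172577602.000:54): avc:  granted  { setenforce } for  pid=1999 comm="setenforce" scontext=root:system_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
EOF
}

# summarize_avc [FILE...]: print "count source_type target_type class perms".
summarize_avc() {
    LC_ALL=C awk '
    # Value of key=value in the current record, or "" when absent.
    function field(key,    i, n) {
        n = length(key) + 1
        for (i = 1; i <= NF; i++)
            if (substr($i, 1, n) == key "=") return substr($i, n + 1)
        return ""
    }
    # The type is the third part of user:role:type:level.
    function ctype(ctx,    part) { split(ctx, part, ":"); return part[3] }
    /avc:/ && /denied/ {
        s = index($0, "{ "); e = index($0, " }")
        if (!s || e <= s) next
        key = ctype(field("scontext")) " " ctype(field("tcontext")) " " field("tclass")
        n = split(substr($0, s + 2, e - s - 2), p, " ")
        for (i = 1; i <= n; i++)
            if (!((key, p[i]) in seen)) {
                seen[key, p[i]] = 1
                perms[key] = perms[key] (perms[key] == "" ? "" : ",") p[i]
            }
        count[key]++
    }
    END { for (k in count) print count[k], k, perms[k] }
    ' "$@" | LC_ALL=C sort -k2
}

# With no arguments, run on the constructed sample; otherwise on the given logs.
if [ $# -gt 0 ]; then summarize_avc "$@"; else sample_avc | summarize_avc; fi
```

Records other than AVC denials (SYSCALL lines, granted messages) are skipped, and repeated denials for the same type pair and class are merged into one line with the union of their permissions.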