{"id":3169,"date":"2022-12-20T16:43:41","date_gmt":"2022-12-20T19:43:41","guid":{"rendered":"http:\/\/lode.uno\/linux-man\/index.php\/2022\/12\/20\/semodule-man8\/"},"modified":"2022-12-20T16:43:41","modified_gmt":"2022-12-20T19:43:41","slug":"semodule-man8","status":"publish","type":"post","link":"https:\/\/lode.uno\/linux-man\/2022\/12\/20\/semodule-man8\/","title":{"rendered":"SEMODULE (man8)"},"content":{"rendered":"

SEMODULE<\/h1>\n

NAME<\/a>
SYNOPSIS<\/a>
DESCRIPTION<\/a>
MODES<\/a>
OPTIONS<\/a>
EXAMPLE<\/a>
SEE ALSO<\/a>
AUTHORS<\/a> <\/p>\n

\n

NAME <\/a> <\/h2>\n

semodule \u2212 Manage SELinux policy modules.<\/p>\n

SYNOPSIS <\/a> <\/h2>\n

semodule [option]… MODE…<\/b><\/p>\n

DESCRIPTION <\/a> <\/h2>\n

semodule is the tool used to manage SELinux policy modules, including installing, upgrading, listing and removing modules. semodule may also be used to force a rebuild of policy from the module store and\/or to force a reload of policy without performing any other transaction. semodule acts on module packages created by semodule_package. Conventionally, these files have a .pp suffix (policy package), although this is not mandated in any way.<\/p>\n

MODES <\/a> <\/h2>\n

\u2212R, \u2212\u2212reload<\/b><\/p>\n

force a reload of policy<\/p>\n

\u2212B, \u2212\u2212build<\/b><\/p>\n

force a rebuild of policy (also reloads unless \u2212n is used)<\/p>\n

\u2212D, \u2212\u2212disable_dontaudit<\/b><\/p>\n

Temporarily remove dontaudits from policy. Reverts whenever policy is rebuilt<\/p>\n

\u2212i,\u2212\u2212install=MODULE_PKG<\/b><\/p>\n

install\/replace a module package<\/p>\n

\u2212u,\u2212\u2212upgrade=MODULE_PKG<\/b><\/p>\n

deprecated, alias for –install<\/p>\n

\u2212b,\u2212\u2212base=MODULE_PKG<\/b><\/p>\n

deprecated, alias for –install<\/p>\n

\u2212r,\u2212\u2212remove=MODULE_NAME<\/b><\/p>\n

remove existing module at desired priority (defaults to -X 400)<\/p>\n

\u2212l[KIND],\u2212\u2212list-modules[=KIND]<\/b><\/p>\n

display list of installed modules (other than base)<\/p>\n\n\n
<\/td>\n\n

KIND:<\/b><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

standard<\/p>\n

list highest priority, enabled, non-base modules<\/p>\n\n\n
<\/td>\n\n

full<\/p>\n<\/td>\n

<\/td>\n\n

list all modules<\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

\u2212X,\u2212\u2212priority=PRIORITY<\/b><\/p>\n

set priority for following operations (1-999)<\/p>\n

\u2212e,\u2212\u2212enable=MODULE_NAME<\/b><\/p>\n

enable module<\/p>\n

\u2212d,\u2212\u2212disable=MODULE_NAME<\/b><\/p>\n

disable module<\/p>\n

\u2212E,\u2212\u2212extract=MODULE_PKG<\/b><\/p>\n

Extract a module from the store as an HLL or CIL file to the current directory. A module is extracted as HLL by default. The name of the module written is .<\/p>\n

OPTIONS <\/a> <\/h2>\n

\u2212s,\u2212\u2212store<\/b><\/p>\n

name of the store to operate on<\/p>\n

\u2212n,\u2212\u2212noreload,\u2212N<\/b><\/p>\n

do not reload policy after commit<\/p>\n

\u2212h,\u2212\u2212help<\/b><\/p>\n

prints help message and quit<\/p>\n

\u2212P,\u2212\u2212preserve_tunables<\/b><\/p>\n

Preserve tunables in policy<\/p>\n

\u2212C,\u2212\u2212ignore-module-cache<\/b><\/p>\n

Recompile CIL modules built from HLL files<\/p>\n

\u2212p,\u2212\u2212path<\/b><\/p>\n

Use an alternate path for the policy root<\/p>\n

\u2212S,\u2212\u2212store-path<\/b><\/p>\n

Use an alternate path for the policy store root<\/p>\n

\u2212v,\u2212\u2212verbose<\/b><\/p>\n

be verbose<\/p>\n

\u2212c,\u2212\u2212cil<\/b><\/p>\n

Extract module as a CIL file. This only affects the \u2212\u2212extract option and only modules listed in \u2212\u2212extract after this option.<\/p>\n

\u2212H,\u2212\u2212hll<\/b><\/p>\n

Extract module as an HLL file. This only affects the \u2212\u2212extract option and only modules listed in \u2212\u2212extract after this option.<\/p>\n

EXAMPLE <\/a> <\/h2>\n

# Install or replace a base policy package.
$ semodule \u2212b base.pp
# Install or replace a non-base policy package.
$ semodule \u2212i httpd.pp
# Install or replace all non-base modules in the current directory.
# This syntax can be used with -i\/u\/r\/E, but no other option can be entered after the module names
$ semodule \u2212i *.pp
# Install or replace all modules in the current directory.
$ ls *.pp | grep \u2212Ev “base.pp|enableaudit.pp” | xargs \/usr\/sbin\/semodule \u2212b base.pp \u2212i
# List non-base modules.
$ semodule \u2212l
# List all modules including priorities
$ semodule \u2212lfull
# Remove a module at priority 100
$ semodule \u2212X 100 \u2212r wireshark
# Turn on all AVC Messages for which SELinux currently is “dontaudit”ing.
$ semodule \u2212DB
# Turn “dontaudit” rules back on.
$ semodule \u2212B
# Disable a module (all instances of given module across priorities will be disabled).
$ semodule \u2212d alsa
# Install a module at a specific priority.
$ semodule \u2212X 100 \u2212i alsa.pp
# List all modules.
$ semodule \u2212\u2212list=full
# Set an alternate path for the policy root
$ semodule \u2212B \u2212p “\/tmp”
# Set an alternate path for the policy store root
$ semodule \u2212B \u2212S “\/tmp\/var\/lib\/selinux”
# Write the HLL version of puppet and the CIL version of wireshark
# modules at priority 400 to the current working directory
$ semodule \u2212X 400 \u2212\u2212hll \u2212E puppet \u2212\u2212cil \u2212E wireshark<\/p>\n

SEE ALSO <\/a> <\/h2>\n

checkmodule<\/b>(8), semodule_package<\/b>(8)<\/p>\n

AUTHORS <\/a> <\/h2>\n

This manual page was written by Dan Walsh .
The program was written by Karl MacMillan , Joshua Brindle , Jason Tang <\/p>\n

\n","protected":false},"excerpt":{"rendered":"

semodule \u2212 Manage SELinux policy modules. <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[5,52,4,312],"class_list":["post-3169","post","type-post","status-publish","format-standard","hentry","category-8-administracion-del-sistema","tag-5","tag-administracion","tag-man8","tag-semodule"],"gutentor_comment":0,"_links":{"self":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts\/3169","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/comments?post=3169"}],"version-history":[{"count":0,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts\/3169\/revisions"}],"wp:attachment":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/media?parent=3169"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/categories?post=3169"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/tags?post=3169"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}