2008-08-19 19:30:36 +00:00
.TH SEMODULE "8" "Nov 2005" "Security Enhanced Linux" NSA
.SH NAME
semodule \- Manage SELinux policy modules.
.SH SYNOPSIS
.B semodule [options]... MODE [MODES]...
.br
.SH DESCRIPTION
.PP
semodule is the tool used to manage SELinux policy modules,
including installing, upgrading, listing and removing modules.
semodule may also be used to force a rebuild of policy from the
module store and/or to force a reload of policy without performing
any other transaction. semodule acts on module packages created
by semodule_package. Conventionally, these files have a .pp suffix
(policy package), although this is not mandated in any way.
.SH "OPTIONS"
.TP
.B \-R, \-\-reload
force a reload of policy
.TP
.B \-B, \-\-build
force a rebuild of policy (also reloads unless \-n is used)
.TP
.B \-D, \-\-disable_dontaudit
Temporarily remove dontaudits from policy. Reverts whenever policy is rebuilt.
.TP
.B \-i,\-\-install=MODULE_PKG
install/replace a module package
.TP
.B \-u,\-\-upgrade=MODULE_PKG
deprecated, alias for \-\-install
.TP
.B \-b,\-\-base=MODULE_PKG
deprecated, alias for \-\-install
.TP
.B \-r,\-\-remove=MODULE_NAME
remove existing module
.TP
.B \-l[KIND],\-\-list-modules[=KIND]
display list of installed modules (other than base)
.TP
policycoreutils/semodule: update semodule to allow extracting modules
Add --extract/-E, --cil/-c, and --hll/-H to extract modules. If -c/-H
are not provided, the module will be output as HLL by default. Only
--cil or --hll (which will use the lang_ext in the semodule store) are valid
options to use with -E. The module is written to the current working directory
as <module_name>.<lang_ext>.
If a module exists as HLL and is exported as CIL, it will first compile into
CIL and cache to the module store. Once compiled, exporting will
continue.
If no priority is provided when extracting a module, then extraction at
the default priority, 400, will be attempted. If the module does not
exist at the default priority, then it will be exported at the highest
existing priority.
Examples:
Extract the wireshark module in a .cil format. If the module only exists
as HLL on the system, the module will be compiled into CIL and placed
into the module store. This command will then write wireshark.cil to the CWD.
semodule --cil --extract wireshark
Extract the wireshark module in HLL format. Since the original HLL file
was a policy package, a wireshark.pp will be written to the CWD.
semodule -E wireshark
Extract the wireshark module as CIL and HLL and extract the puppet
module as CIL at priority 400.
semodule --hll -E wireshark --cil -E wireshark -X 400 --cil -E puppet
Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2015-08-06 14:30:14 +00:00
.B \-E,\-\-extract=MODULE_PKG
Extract a module from the store as an HLL or CIL file to the current directory.
A module is extracted as HLL by default. The name of the module written is
<module-name>.<lang_ext>
.TP
semodule: add priority, enabled, and extended listing
This updates the semodule tool with the ability to set the priority for
commands, to enable/disable modules, and extended module listing options
for displaying extra module information (e.g., priority, enabled status,
and language extension).
[semodule priority]
-X --priority set the priority for following operations
Notes:
* This sets the priority for the following operations.
* It can be used any number of times with its effect continuing until
the next priority is specified.
* The default priority is used if no priority has yet been specified.
Impact on current operations:
* Install module
* Without priority - Install at default priority.
* With priority - Install at specified priority.
* New warning when overriding (issued by libsemanage).
* Upgrade module
* Without priority - Upgrade at default priority (current upgrade
semantics apply).
* With priority - Upgrade at specified priority (current upgrade
semantics apply).
* New warning when overriding (issued by libsemanage).
* Remove module
* Without priority - Remove a module at the default if exists.
* With priority - Remove at that priority.
* New info messages (issued by libsemanage):
* If no modules exist at the given priority but do exist at other
priorities, give an info message listing the modules and priority.
* If a new module at a lower priority will become active print a
message.
* If the last module with this name is being removed print a
message.
* Base
* The name of base module on install is fixed to "_base" (performed by
libsemanage).
* Without priority - Install at default priority.
* With priority - Install at specified priority.
* New warning when overriding (issued by libsemanage).
* List modules
* See listing changes below.
Examples:
semodule -i foo.pp
semodule -X 500 -i foo.pp
[semodule enable/disable]
Add enable/disable status:
-e --enable enable the module (at all priorities)
-d --disable disable the module (at all priorities)
Notes:
* Base modules are always enabled and cannot have their enabled/disabled
status changed.
* New error when disabling a base module (from libsemanage).
* New warning when enabling a base module (from libsemanage).
Impact on current operations:
* Install module
* If a module with that name is already installed, then the enabled
status will remain the same after installing the new module.
* New warning when installing a module which will be disabled by
existing enabled status (from libsemanage).
* Upgrade module
* If a module with that name is already installed, then the enabled
status will remain the same after installing the new module.
* New warning when installing a module which will be disabled by
existing enabled status (from libsemanage).
* Remove module
* When the last module with a given name is removed (no more exist at
other priorities) then the enabled status is forgotten.
* Base
* Base modules are always installed enabled and remain so (can't be
disabled).
* List modules
* See listing changes below.
Examples:
semodule -e foo
semodule -d foo
[semodule list]
-l --list list modules as if by -lstandard
-lstandard --list=standard list name and version of highest priority,
enabled, non-base modules sorted alphabetical
by name
-lfull --list=full list all fields of all modules columnated
sorted high priority to low, within priority
alphabetical by name
Impact on current operations:
* List modules
* Default listing stays the same.
* New long options for 'standard' and 'full'.
Examples:
semodule -l
semodule -lstandard
semodule --list=standard
alsa 1.7.1
apm 1.9.1
apt 1.5.2
authlogin 2.0.0
avahi 1.10.3
bluetooth 3.1.3
...
semodule -lfull
semodule --list=full
600 alsa 1.7.1 disabled pp
400 _base 1.0.0 pp
400 alsa 1.7.1 disabled pp
400 apm 1.9.1 pp
400 apt 1.5.2 pp
400 authlogin 2.0.0 pp
...
100 alsa 1.7.1 disabled pp
Signed-off-by: Chad Sellers <csellers@tresys.com>
2009-12-23 23:25:59 +00:00
.B KIND:
.TP
standard
list highest priority, enabled, non-base modules
.TP
full
list all modules
.TP
.B \-X,\-\-priority=PRIORITY
set priority for following operations (1-999)
.TP
.B \-e,\-\-enable=MODULE_NAME
enable module
.TP
.B \-d,\-\-disable=MODULE_NAME
disable module
.TP
.B \-s,\-\-store
name of the store to operate on
.TP
.B \-n,\-\-noreload,\-N
do not reload policy after commit
.TP
.B \-h,\-\-help
print help message and quit
.TP
.B \-P,\-\-preserve_tunables
Preserve tunables in policy
.TP
.B \-C,\-\-ignore-module-cache
Recompile CIL modules built from HLL files
.TP
.B \-p,\-\-path
Use an alternate path for the policy root
.TP
.B \-S,\-\-store-path
Use an alternate path for the policy store root
.TP
.B \-v,\-\-verbose
be verbose
.TP
.B \-c,\-\-cil
Extract module as a CIL file. This only affects the \-\-extract option and
only modules listed in \-\-extract after this option.
.TP
.B \-H,\-\-hll
Extract module as an HLL file. This only affects the \-\-extract option and
only modules listed in \-\-extract after this option.
.SH EXAMPLE
.nf
# Install or replace a base policy package.
$ semodule \-b base.pp
# Install or replace a non-base policy package.
$ semodule \-i httpd.pp
# List non-base modules.
$ semodule \-l
# Turn on all AVC Messages for which SELinux currently is "dontaudit"ing.
$ semodule \-DB
# Turn "dontaudit" rules back on.
$ semodule \-B
# Install or replace all non-base modules in the current directory.
$ semodule \-i *.pp
# Install or replace all modules in the current directory.
$ ls *.pp | grep \-Ev "base.pp|enableaudit.pp" | xargs /usr/sbin/semodule \-b base.pp \-i
# Disable a module.
$ semodule \-d alsa
# Install a module at a specific priority.
$ semodule \-X 100 \-i alsa.pp
# List all modules.
$ semodule \-\-list=full
# Set an alternate path for the policy root
$ semodule \-B \-p "/tmp"
# Set an alternate path for the policy store root
$ semodule \-B \-S "/tmp/var/lib/selinux"
# Write the HLL version of puppet and the CIL version of wireshark
# modules at priority 400 to the current working directory
$ semodule \-X 400 \-\-hll \-E puppet \-\-cil \-E wireshark
.fi
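The priority and enable/disable rules described on this page (highest-priority copy of a name is the active one, default priority 400, enabled status applies to the name at all priorities), as an added example that is not part of the semodule man page or the SELinux project: a POSIX shell function, audit_module_listing (a name chosen here), that reads "semodule --list=full" output and reports modules whose active copy sits at a non-default priority or that are disabled. It assumes the column layout shown on this page (PRIORITY NAME VERSION [disabled] LANG_EXT) and, going beyond it, also accepts listings without a VERSION column because it only relies on the first two fields and the literal word "disabled".

```shell
#!/bin/sh
# Added example, not part of the semodule man page or the SELinux project.
# audit_module_listing reads "semodule --list=full" output on stdin and, for
# each module name, applies the rules documented above:
#   - the highest-priority copy of a name is the active one
#   - enabled/disabled status belongs to the name at every priority
# It prints one sorted line per finding:
#   override NAME active_at=PRIO   active copy is not at the default priority 400
#   disabled NAME                  the module is disabled (at all priorities)
# A module overriding the default priority is a local change worth reviewing,
# since it replaces the copy shipped at 400 (typically the distribution's).
audit_module_listing() {
    awk '
        NF < 3 { next }                          # skip blank or malformed lines
        {
            prio = $1 + 0; name = $2
            # highest priority wins for a given module name
            if (!(name in active) || prio > active[name]) active[name] = prio
            # "disabled" may appear anywhere after the name, with or without
            # a VERSION column, so scan the remaining fields for it
            for (i = 3; i <= NF; i++) if ($i == "disabled") disabled[name] = 1
        }
        END {
            for (n in active) {
                if (active[n] != 400)
                    printf "override %s active_at=%d\n", n, active[n]
                if (n in disabled)
                    printf "disabled %s\n", n
            }
        }' | LC_ALL=C sort
}

# Constructed sample listing in the format shown on this page (not real output).
sample_listing() {
    cat <<'EOF'
600 alsa 1.7.1 disabled pp
400 _base 1.0.0 pp
400 alsa 1.7.1 disabled pp
400 apm 1.9.1 pp
400 apt 1.5.2 pp
500 httpd 2.4.0 cil
100 alsa 1.7.1 disabled pp
EOF
}

sample_listing | audit_module_listing
```

On a real host, run `semodule --list=full | audit_module_listing` instead of the constructed sample.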
.SH SEE ALSO
.BR checkmodule (8),
.BR semodule_package (8)
.SH AUTHORS
.nf
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
The program was written by Karl MacMillan <kmacmillan@tresys.com>, Joshua Brindle <jbrindle@tresys.com>, Jason Tang <jtang@tresys.com>