mirror of
https://github.com/SELinuxProject/selinux
synced 2025-01-12 00:19:24 +00:00
62f058980e
Fix missing and surplus commas.

Fix the following formatting errors:

.BR selinux(8) renders the "(8)" in bold as well as the "selinux". This is wrong.
.B selinux (8) renders with a space between "selinux" and "(8)", this is wrong.
.B selinux (8) commits both of the above mistakes.
.BR selinux (8), apparmor (8) omits the space separating "selinux(8)," and "apparmor(8)", this is wrong.

Correct all the above using the following markup:

.BR selinux (8),
.BR apparmor (8)

Signed-off-by: Alan Jenkins <alan.christopher.jenkins@gmail.com>
136 lines
3.8 KiB
Groff
.TH SEMODULE "8" "Nov 2005" "Security Enhanced Linux" NSA
.SH NAME
semodule \- Manage SELinux policy modules.

.SH SYNOPSIS
.B semodule [options]... MODE [MODES]...
.br
.SH DESCRIPTION
.PP
semodule is the tool used to manage SELinux policy modules,
including installing, upgrading, listing and removing modules.
semodule may also be used to force a rebuild of policy from the
module store and/or to force a reload of policy without performing
any other transaction. semodule acts on module packages created
by semodule_package. Conventionally, these files have a .pp suffix
(policy package), although this is not mandated in any way.

.SH "OPTIONS"
.TP
.B \-R, \-\-reload
force a reload of policy
.TP
.B \-B, \-\-build
force a rebuild of policy (also reloads unless \-n is used)
.TP
.B \-D, \-\-disable_dontaudit
Temporarily remove dontaudits from policy. Reverts whenever policy is rebuilt.
.TP
.B \-i,\-\-install=MODULE_PKG
install/replace a module package
.TP
.B \-u,\-\-upgrade=MODULE_PKG
deprecated, alias for \-\-install
.TP
.B \-b,\-\-base=MODULE_PKG
deprecated, alias for \-\-install
.TP
.B \-r,\-\-remove=MODULE_NAME
remove existing module
.TP
.B \-l[KIND],\-\-list\-modules[=KIND]
display list of installed modules (other than base)
.TP
.B \-E,\-\-extract=MODULE_PKG
Extract a module from the store as an HLL or CIL file to the current directory.
A module is extracted as HLL by default. The name of the module written is
<module-name>.<lang_ext>
.TP
.B KIND:
.TP
standard
list highest priority, enabled, non-base modules
.TP
full
list all modules
.TP
.B \-X,\-\-priority=PRIORITY
set priority for following operations (1-999)
.TP
.B \-e,\-\-enabled=MODULE_NAME
enable module
.TP
.B \-d,\-\-disable=MODULE_NAME
disable module
.TP
.B \-s,\-\-store
name of the store to operate on
.TP
.B \-n,\-\-noreload,\-N
do not reload policy after commit
.TP
.B \-h,\-\-help
print help message and quit
.TP
.B \-P,\-\-preserve_tunables
Preserve tunables in policy
.TP
.B \-C,\-\-ignore\-module\-cache
Recompile CIL modules built from HLL files
.TP
.B \-p,\-\-path
Use an alternate path for the policy root
.TP
.B \-S,\-\-store\-path
Use an alternate path for the policy store root
.TP
.B \-v,\-\-verbose
be verbose
.TP
.B \-c,\-\-cil
Extract module as a CIL file. This only affects the \-\-extract option and
only modules listed in \-\-extract after this option.
.TP
.B \-H,\-\-hll
Extract module as an HLL file. This only affects the \-\-extract option and
only modules listed in \-\-extract after this option.

.SH EXAMPLE
.nf
# Install or replace a base policy package.
$ semodule \-b base.pp
# Install or replace a non-base policy package.
$ semodule \-i httpd.pp
# List non-base modules.
$ semodule \-l
# Turn on all AVC Messages for which SELinux currently is "dontaudit"ing.
$ semodule \-DB
# Turn "dontaudit" rules back on.
$ semodule \-B
# Install or replace all non-base modules in the current directory.
$ semodule \-i *.pp
# Install or replace all modules in the current directory.
$ ls *.pp | grep \-Ev "base.pp|enableaudit.pp" | xargs /usr/sbin/semodule \-b base.pp \-i
# Disable a module.
$ semodule \-d alsa
# Install a module at a specific priority.
$ semodule \-X 100 \-i alsa.pp
# List all modules.
$ semodule \-\-list=full
# Set an alternate path for the policy root
$ semodule \-B \-p "/tmp"
# Set an alternate path for the policy store root
$ semodule \-B \-S "/tmp/var/lib/selinux"
# Write the HLL version of puppet and the CIL version of wireshark
# modules at priority 400 to the current working directory
$ semodule \-X 400 \-\-hll \-E puppet \-\-cil \-E wireshark
.fi

.SH SEE ALSO
.BR checkmodule (8),
.BR semodule_package (8)
.SH AUTHORS
.nf
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
The program was written by Karl MacMillan <kmacmillan@tresys.com>, Joshua Brindle <jbrindle@tresys.com>, Jason Tang <jtang@tresys.com>
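Added example, not part of the man page or of the SELinux project's code: the standard listing shows only the highest priority, enabled copy of each module, so this script audits the full listing for modules installed at more than one priority and for disabled modules. The column layout of the listing (priority, name, language extension, optional "disabled") and the sample rows are assumptions constructed for the example; audit_modules and sample_listing are hypothetical names.

```shell
#!/bin/sh
# Constructed sample of what `semodule --list=full` might print.
# Assumed columns: priority, module name, language extension, optional "disabled".
sample_listing() {
cat <<'EOF'
100 alsa      pp
100 httpd     pp
400 httpd     cil
100 puppet    pp disabled
400 wireshark pp
EOF
}

# audit_modules: read a full module listing on stdin and print
#   DISABLED <name> priority=<n>                 for every disabled row
#   OVERRIDE <name> active=<n> shadowed=<n...>   for every module name that
#                                                exists at several priorities
audit_modules() {
    awk '
        NF < 3 || $1 !~ /^[0-9]+$/ { next }   # ignore rows that are not module entries
        {
            prio = $1 + 0; name = $2
            if ($4 == "disabled") print "DISABLED " name " priority=" prio
            count[name]++
            if (!(name in top) || prio > top[name]) {
                # a higher priority copy displaces the previous winner
                if (name in top) low[name] = low[name] " " top[name]
                top[name] = prio
            } else {
                low[name] = low[name] " " prio
            }
        }
        END {
            for (name in count)
                if (count[name] > 1)
                    print "OVERRIDE " name " active=" top[name] \
                          " shadowed=" substr(low[name], 2)
        }
    ' | LC_ALL=C sort
}

# Run against the constructed sample; on a real host the input would be
#   semodule --list=full | audit_modules
sample_listing | audit_modules
```

An OVERRIDE line means the copy at the listed active priority is the one the standard listing reports, so an unexpected entry there is worth comparing against the packaged module with \-\-extract.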