When the system loads the SELinux policy in memory, it uses the policy.## file, with ## representing the policy version. This file, which resides in /etc/selinux/targeted/policy, is generated every time the policy is modified. This can be when booleans are changed (and persisted), or when SELinux policy modules are added or removed.
Listing policy modules
SELinux policy modules are sets of SELinux rules that can be loaded and unloaded. These modules, with .cil suffixes, can be loaded and unloaded as needed by the administrator. Once loaded, the policy module is made part of the SELinux policy store, and will be loaded even after a system reboot. Unlike SELinux boolean changes, SELinux policy module loads are always persisted.
To list the currently loaded SELinux policy modules, we recommend using the semodule command. By default, semodule will show all loaded SELinux policy modules without any details:
# semodule -l
abrt
accountsd
...
zosremote
SELinux policy modules can, however, be loaded at a specified priority. This allows administrators to load a policy that overrules an already loaded policy: SELinux policy modules with a higher policy module priority take precedence over similarly named SELinux policy modules with lower priorities. To see the current priorities, use the --list-modules=full option:
# semodule --list-modules=full
100 abrt pp
100 accountsd pp
...
400 test cil
...
100 zosremote pp
The SELinux utilities will copy the active policy modules into a policy-specific location. This allows administrators to list the currently active modules through regular filesystem queries as well:
# ls /var/lib/selinux/targeted/active/modules/*
/var/lib/selinux/targeted/active/modules/100:
abrt
accountsd
...
/var/lib/selinux/targeted/active/modules/400:
test
Loading and removing policy modules
To load an SELinux policy module, pass the module file to semodule with the -i option:
# semodule -i screen.pp
By default, SELinux policy modules are loaded at the 400 priority when invoked by the administrator, whereas SELinux policy modules loaded as part of the default system policy will be loaded at the 100 priority. When loading policies, the priority can be adjusted using the -X option. For instance, to load the test.cil policy with a priority of 500 we use the -X option as follows:
# semodule -X 500 -i test.cil
libsemanage.semanage_direct_install_info: Overriding test module at lower priority 400 with module at priority 500.
To remove a policy module with semodule, use the -r option. In this case, we are not referring to an SELinux policy module file, but to the name of the module itself as displayed by semodule. Hence, we do not need to pass on a suffix:
# semodule -r test
To remove an SELinux policy module from a specified priority, use the -X option together with -r:
# semodule -X 500 -r test
libsemanage.semanage_direct_remove_key: test module at priority 400 is now active.
The order of the arguments is important: the -X option will set the priority for the actions that follow it, not those that precede it. If it is not set, then a priority value of 400 will be used.
Finally, it is possible to keep an SELinux policy module but disable it. This keeps the module in the policy store, but disables all the SELinux policy rules inside of it. We use the -d option to accomplish this:
# semodule -d screen
To re-enable the policy, use the -e option:
# semodule -e screen
The disabled and enabled states of SELinux policy modules persist through reboots as well. Furthermore, if you are disabling an SELinux module, all instances of that module (including lower priority ones) will be disabled.
Disabling a policy module, rather than removing it, is strongly recommended when the policy module is part of the distribution's SELinux policy, as the modules themselves are not always available on the system and might require a reinstallation of the policy package just to get it back.
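Because a higher-priority copy silently shadows the distribution's module of the same name, and a disabled module keeps its rules inert while staying in the store, it is worth auditing both states on a host. The following script is an added example (not from the book or the SELinux project): it parses the output format shown above for semodule --list-modules=full, reporting module names present at more than one priority (with the active one) and modules flagged disabled. The listing fed to it here is constructed, not captured from a real system.

```shell
#!/bin/sh
# Constructed sample of `semodule --list-modules=full` output.
# Format per line: <priority> <name> <language> [disabled]
SAMPLE_LISTING='100 abrt pp
100 accountsd pp
100 screen pp disabled
100 test pp
400 test cil
500 test cil
100 zosremote pp'

# Read a full listing on stdin and print, for every module name that exists
# at more than one priority, the active (highest) priority and the lower
# priorities it shadows:  "<name> active=<prio> shadows=<p1,p2,...>"
module_overrides() {
    awk '
        {
            name = $2; prio = $1 + 0
            if (!(name in max) || prio > max[name]) max[name] = prio
            prios[name] = (name in prios) ? prios[name] " " prio : prio
            count[name]++
        }
        END {
            for (name in prios) {
                if (count[name] < 2) continue
                k = split(prios[name], ps, " ")
                shadows = ""
                for (i = 1; i <= k; i++)
                    if (ps[i] + 0 != max[name])
                        shadows = shadows (shadows == "" ? "" : ",") ps[i]
                print name " active=" max[name] " shadows=" shadows
            }
        }' | sort
}

# Read a full listing on stdin and print the names of modules that are
# present in the store but disabled (the state produced by semodule -d).
disabled_modules() {
    awk '$4 == "disabled" { print $2 }' | sort
}

# Stand-alone run against the constructed sample; on a real host replace
# the sample with:  semodule --list-modules=full | module_overrides
printf '%s\n' "$SAMPLE_LISTING" | module_overrides
printf '%s\n' "$SAMPLE_LISTING" | disabled_modules
```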
With loading and unloading policies explained, let’s see how we can generate updates on the current SELinux policy.