Handling SELinux policy modules

July 03, 2021

When the system loads the SELinux policy in memory, it uses the policy.## file, with ## representing the policy version. This file, which resides in /etc/selinux/targeted/policy, is generated every time the policy is modified. This can be when booleans are changed (and persisted), or when SELinux policy modules are added or removed.

Listing policy modules

SELinux policy modules are sets of SELinux rules that the administrator can load and unload as needed; the module files carry a .pp or .cil suffix. Once loaded, the policy module is made part of the SELinux policy store, and will be loaded even after a system reboot. Unlike SELinux boolean changes, SELinux policy module loads are always persisted.

To list the currently loaded SELinux policy modules, we recommend using the semodule command. By default, semodule will show all loaded SELinux policy modules without any details:

# semodule -l
abrt
accountsd
...
zosremote

SELinux policy modules can, however, be loaded at a specified priority. This allows administrators to load a policy that overrules an already loaded policy: SELinux policy modules with a higher policy module priority take precedence over similarly named SELinux policy modules with lower priorities. To see the current priorities, use the --list-modules=full argument:

# semodule --list-modules=full
100 abrt pp
100 accountsd pp
...
400 test cil
...
100 zosremote pp

Alongside the priority, the listing also shows whether the policy module is based upon the binary module format (pp) or the more modern Common Intermediate Language (CIL) format (cil).

The SELinux utilities will copy the active policy modules into a policy-specific location. This allows administrators to list the currently active modules through regular filesystem queries as well:

# ls /var/lib/selinux/targeted/active/modules/*
/var/lib/selinux/targeted/active/modules/100:
abrt
accountsd
...
/var/lib/selinux/targeted/active/modules/400:
test

The use of the filesystem location for querying active policies is, however, not recommended, as we have no guarantee that the loaded policies match the filesystem: non-SELinux utilities can add or remove files from these locations without adjusting the SELinux policy state.

Loading and removing policy modules

In the Replacing and updating existing policies section, we will learn how to generate new policy modules. Once created, they need to be loaded and/or removed. We load policy modules with semodule as well, regardless of the policy format (.pp or .cil):

# semodule -i screen.pp

By default, SELinux policy modules are loaded at the 400 priority when invoked by the administrator, whereas SELinux policy modules loaded as part of the default system policy will be loaded at the 100 priority. When loading policies, the priority can be adjusted using the -X option. For instance, to load the test.cil policy with a priority of 500 we use the -X option as follows:

# semodule -X 500 -i test.cil
libsemanage.semanage_direct_install_info: Overriding test module at lower priority 400 with module at priority 500.

To remove a policy module with semodule, use the --remove or -r option. In this case, we are not referring to an SELinux policy module file, but to the name of the module itself as displayed by semodule. Hence, we do not need to pass on a suffix:

# semodule -r test

To remove an SELinux policy module from a specified priority, use the -X option:

# semodule -X 500 -r test
libsemanage.semanage_direct_remove_key: test module at priority 400 is now active.

The order of the arguments is important: the -X option will set the priority for the actions that follow it, not those that precede it. If it is not set, then a priority value of 400 will be used.
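Because a higher-priority module silently shadows a lower-priority module of the same name, an administrator reviewing a system wants to know which modules exist at more than one priority and which copy is actually active. The following POSIX shell script is an added example (not part of the original article or of the semodule tool) that parses the output format of semodule --list-modules=full shown above. The listing it works on is a constructed sample, not output captured from a real system; on a live system you would pipe the real command output into the same functions.

```shell
#!/bin/sh
# Constructed sample of `semodule --list-modules=full` output: "<priority> <name> <format>".
# Not captured from a real system; "screen" and "test" exist at two priorities on purpose.
SAMPLE_LISTING='100 abrt pp
100 accountsd pp
400 screen cil
100 screen pp
500 test cil
400 test cil
100 zosremote pp'

# report_overrides: read a full module listing on stdin and print one line per module
# that is present at more than one priority, in the form
#   <name> active=<highest priority> shadowed=<lower priorities, comma separated>
# The highest priority is the one SELinux actually enforces; the others are shadowed.
report_overrides() {
    awk '
    {
        prio = $1; name = $2
        if (!(name in max) || prio + 0 > max[name] + 0) max[name] = prio
        list[name] = (name in list) ? list[name] " " prio : prio
        count[name]++
    }
    END {
        for (n in count) {
            if (count[n] > 1) {
                shadowed = ""
                np = split(list[n], p, " ")
                for (i = 1; i <= np; i++)
                    if (p[i] != max[n])
                        shadowed = shadowed (shadowed == "" ? "" : ",") p[i]
                printf "%s active=%s shadowed=%s\n", n, max[n], shadowed
            }
        }
    }' | sort
}

# active_priority NAME: read a listing on stdin and print the priority at which NAME
# is active (the highest one loaded); prints nothing if the module is not loaded.
active_priority() {
    awk -v n="$1" '$2 == n { if ($1 + 0 > best + 0) best = $1 } END { if (best != "") print best }'
}

# nondefault_modules: read a listing on stdin and print "<priority> <name>" for every
# module not at the distribution priority 100, i.e. modules an administrator (or an
# unexpected actor) loaded on top of the base policy and that deserve review.
nondefault_modules() {
    awk '$1 != "100" { print $1, $2 }' | sort
}

# Stand-alone usage on the constructed sample; on a real system replace the printf
# with: semodule --list-modules=full | report_overrides
printf '%s\n' "$SAMPLE_LISTING" | report_overrides
printf '%s\n' "$SAMPLE_LISTING" | nondefault_modules
```

For the constructed sample this reports screen as active at 400 with the distribution copy at 100 shadowed, and test as active at 500 with the 400 copy shadowed, which is exactly the situation the libsemanage messages above describe after the -X 500 install. Running report_overrides periodically, or comparing its output against a known-good baseline, is a cheap way to notice a policy override that was not part of a planned change.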

Finally, it is possible to keep an SELinux policy module but disable it. This keeps the module in the policy store, but disables all the SELinux policy rules inside of it. We use the --disable (or -d) option to accomplish this:

# semodule -d screen

To re-enable the policy, use the --enable (or -e) option:

# semodule -e screen

The disabled and enabled states of SELinux policy modules persist through reboots as well. Furthermore, if you are disabling an SELinux module, all instances of that module (including lower priority ones) will be disabled.

Disabling a policy module, rather than removing it, is strongly recommended when the module is part of the distribution's SELinux policy: the module files themselves are not always available on the system, and getting a removed module back might require reinstalling the policy package.

With loading and unloading policies explained, let’s see how we can generate updates on the current SELinux policy.
