semodule
Manage SELinux policy modules
TLDR
List all installed policy modules
Install a new policy module
Remove a policy module
Enable a policy module
Disable a policy module
Reload all policy modules
Display the version of installed policy modules
SYNOPSIS
semodule [OPTIONS] [MODULE...]
Examples:
semodule -l
semodule -i my_module.pp
semodule -r my_module
semodule -e my_module
PARAMETERS
-l, --list
List all installed policy modules and their status.
-i, --install=MODULE
Install or replace a policy module from a .pp file.
-r, --remove=MODULE
Remove an installed policy module by name.
-e, --enable=MODULE
Enable a disabled policy module.
-d, --disable=MODULE
Disable an enabled policy module.
-X, --priority=PRIORITY
Set the priority for an installed module (0-255).
-B, --build
Force a rebuild of the SELinux policy from all installed modules.
-P, --preserve_current
Preserve the current policy if an error occurs during an operation.
-F, --force
Force the operation, potentially overriding checks.
-s, --store=STORE
Specify an alternate policy store to operate on.
-E, --norecompute
Do not recompute the policy after module operations.
-h, --help
Display a help message and exit.
-V, --version
Print version information and exit.
DESCRIPTION
semodule is a core utility for administrators to manage SELinux policy modules. It provides commands to install, remove, enable, disable, and list the status of individual policy modules. These modules contain specific security rules that extend or modify the base SELinux policy.
By leveraging semodule, administrators can customize the system's security posture to accommodate new applications or services without needing to recompile the entire SELinux policy from scratch. This modular approach significantly simplifies policy management, updates, and maintenance, making SELinux more adaptable and dynamic in complex environments. It interacts with the SELinux policy store, typically located under /etc/selinux/.
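The listing and enable/disable options above are what an administrator uses to audit the module set rather than blindly trust it. The following POSIX sh snippet is an added example, not part of this page: it parses the full listing format of current semodule versions (`semodule -lfull`, one module per line as priority, name, language and an optional "disabled" marker) to report disabled modules, modules installed above the distribution priority, and the effective state of one named module. The sample listing is constructed, and the convention that priority 100 is distribution policy while higher values are local overrides is an assumption noted in the code.

```shell
#!/bin/sh
# Added example, not part of the semodule man page: audit a `semodule -lfull`
# listing for disabled modules and for local (non-distribution) modules.
# The listing below is constructed; the columns are
#   priority  name  language  [disabled]
# Assumed convention: priority 100 = distribution policy, higher = local overrides.

SAMPLE_LFULL='100 abrt             pp
100 accountsd        pp
100 sandbox          pp disabled
100 sssd             pp
400 httpd_custom     cil disabled
400 my_module        pp'

# Names of modules whose line carries the "disabled" marker, one per line.
disabled_modules() {
    printf '%s\n' "$1" | awk '$NF == "disabled" { print $2 }'
}

# "priority name" of every module installed above the given priority.
local_modules() {
    printf '%s\n' "$1" | awk -v min="$2" '$1 + 0 > min + 0 { print $1, $2 }'
}

# State of one module by name, taking the highest-priority entry when the same
# name is installed at several priorities (that is the one semodule loads).
# Returns 0 = installed and enabled, 1 = installed but disabled, 2 = not installed.
module_state() {
    best=-1
    state=2
    while read -r prio name lang flag; do
        [ "$name" = "$2" ] || continue
        [ "$prio" -gt "$best" ] || continue
        best=$prio
        if [ "$flag" = "disabled" ]; then state=1; else state=0; fi
    done <<EOF
$1
EOF
    return "$state"
}

# On a live system (root is needed to read the store) run, for example:
#   disabled_modules "$(semodule -lfull)"
#   module_state "$(semodule -lfull)" my_module
```

Feeding the live listing in through command substitution keeps the parsing functions testable offline; a disabled module or an unexpected entry above priority 100 is the kind of drift a configuration check should flag, since a higher-priority copy of a module silently overrides the distribution's rules for the same name.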
CAVEATS
Requires root privileges.
Incorrect module operations can severely impact system stability or security, potentially leading to system unbootability or denial of service. Always test changes carefully and understand their implications.
Modules may need to be digitally signed if policy signing is enforced on the system.
Understanding SELinux policy structure and dependencies is crucial for effective and safe use of semodule.
MODULE STRUCTURE
SELinux policy modules are typically distributed as compiled policy packages (.pp files) or as source files (.te, .if, .fc) that need to be compiled. They extend the base policy with specific rules for new applications, services, or custom security requirements, allowing for granular policy customization.
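The build path from source files to an installable package, as an added example that is not part of this page: a .te file is compiled with checkmodule into a .mod, wrapped by semodule_package into a .pp, and installed with semodule -i, after which the listing is checked. checkmodule and semodule_package are the standard SELinux build tools; the module written by write_sample_te is constructed and only declares a type. The point worth noticing is that semodule -r, -e and -d take the name declared on the module line of the .te file, not the .pp file name, so the helper extracts that name rather than deriving it from the path.

```shell
#!/bin/sh
# Added example, not part of the semodule man page: compile a source module
# (.te) into a policy package (.pp) and install it with semodule, verifying the
# result. checkmodule and semodule_package are the standard build tools; the
# module content written by write_sample_te is constructed and adds no rules.
set -eu

# Extract NAME from the "module NAME VERSION;" line of a .te file.
# semodule -r, -e and -d take this declared name, not the .pp file name.
te_module_name() {
    sed -n 's/^[[:space:]]*module[[:space:]]\{1,\}\([A-Za-z0-9_]\{1,\}\).*/\1/p' "$1" | head -n 1
}

# Write a minimal constructed module: it only declares a new type.
write_sample_te() {
    cat > "$1" <<'EOF'
module my_module 1.0;

# Placeholder declaration; a real module adds allow rules for its types here.
type my_module_data_t;
EOF
}

# Return 0 if NAME appears in `semodule -l` (works for both the name-only and
# the "name version" listing formats).
module_installed() {
    semodule -l | awk -v n="$1" '$1 == n { found = 1 } END { exit !found }'
}

# Build the package next to the .te file and install it (root required).
build_and_install() {
    te="$1"
    name=$(te_module_name "$te")
    dir=$(dirname "$te")
    checkmodule -M -m -o "$dir/$name.mod" "$te"                 # .te  -> .mod
    semodule_package -o "$dir/$name.pp" -m "$dir/$name.mod"     # .mod -> .pp
    semodule -i "$dir/$name.pp"                                 # install or replace
    module_installed "$name"
}

# Disable, re-enable and remove are all by declared name, for example:
#   semodule -d my_module && semodule -e my_module && semodule -r my_module
```

Because -i installs or replaces by declared name, rebuilding and reinstalling a module with the same module line updates it in place; a renamed .pp file with an unchanged module line still replaces the old copy rather than sitting beside it.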
POLICY STORES
semodule operates on policy stores, which are directories containing the active and available policy modules. The default store is usually tied to the current SELinux policy (e.g., targeted for the targeted policy type). Multiple policy stores can exist, allowing for different policy configurations to be managed.
HISTORY
SELinux, developed by the NSA, was integrated into the Linux kernel in version 2.6. The semodule command and its related user-space tools emerged as part of this broader project to provide robust Mandatory Access Control (MAC). Its modular policy management capabilities became vital for enterprise Linux distributions like Fedora and RHEL, enabling more flexible and dynamic security policy customization and updates without requiring monolithic policy recompilations.
SEE ALSO
semanage(8), checkmodule(8), audit2allow(8), setsebool(8), restorecon(8), load_policy(8), selinux(8)