semodule(8) — Linux manual page


SEMODULE(8)                          NSA                         SEMODULE(8)

NAME

       semodule - Manage SELinux policy modules.

SYNOPSIS

       semodule [option]... MODE...

DESCRIPTION

       semodule is the tool used to manage SELinux policy modules, including
       installing, upgrading, listing and removing modules.  semodule may
       also be used to force a rebuild of policy from the module store
       and/or to force a reload of policy without performing any other
       transaction.  semodule acts on module packages created by
       semodule_package.  Conventionally, these files have a .pp suffix
       (policy package), although this is not mandated in any way.

MODES

       -R, --reload
              force a reload of policy

       -B, --build
              force a rebuild of policy (also reloads unless -n is used)

       -D, --disable_dontaudit
              Temporarily remove dontaudits from policy.  Reverts whenever
              policy is rebuilt

       -i,--install=MODULE_PKG
              install/replace a module package

       -u,--upgrade=MODULE_PKG
              deprecated, alias for --install

       -b,--base=MODULE_PKG
              deprecated, alias for --install

       -r,--remove=MODULE_NAME
              remove existing module at desired priority (defaults to -X

       -l[KIND],--list-modules[=KIND]
              display list of installed modules (other than base)

       KIND:

       standard
              list highest priority, enabled, non-base modules

       full   list all modules

       -X,--priority=PRIORITY
              set priority for following operations (1-999)

       -e,--enable=MODULE_NAME
              enable module

       -d,--disable=MODULE_NAME
              disable module

       -E,--extract=MODULE_PKG
              Extract a module from the store as an HLL or CIL file to the
              current directory.  A module is extracted as HLL by default.
              The name of the module written is <module-name>.<lang_ext>

OPTIONS

       -s,--store
              name of the store to operate on

       -n,--noreload,-N
              do not reload policy after commit

       -h,--help
              prints help message and quit

       -P,--preserve_tunables
              Preserve tunables in policy

       -C,--ignore-module-cache
              Recompile CIL modules built from HLL files

       -p,--path
              Use an alternate path for the policy root

       -S,--store-path
              Use an alternate path for the policy store root

       -v,--verbose
              be verbose

       -c,--cil
              Extract module as a CIL file. This only affects the --extract
              option and only modules listed in --extract after this option.

       -H,--hll
              Extract module as an HLL file. This only affects the --extract
              option and only modules listed in --extract after this option.

EXAMPLE

       # Install or replace a base policy package.
       $ semodule -b base.pp
       # Install or replace a non-base policy package.
       $ semodule -i httpd.pp
       # Install or replace all non-base modules in the current directory.
       # This syntax can be used with -i/u/r/E, but no other option can be entered after the module names
       $ semodule -i *.pp
       # Install or replace all modules in the current directory.
       $ ls *.pp | grep -Ev "base.pp|enableaudit.pp" | xargs /usr/sbin/semodule -b base.pp -i
       # List non-base modules.
       $ semodule -l
       # List all modules including priorities
       $ semodule -lfull
       # Remove a module at priority 100
       $ semodule -X 100 -r wireshark
       # Turn on all AVC Messages for which SELinux currently is "dontaudit"ing.
       $ semodule -DB
       # Turn "dontaudit" rules back on.
       $ semodule -B
       # Disable a module (all instances of given module across priorities will be disabled).
       $ semodule -d alsa
       # Install a module at a specific priority.
       $ semodule -X 100 -i alsa.pp
       # List all modules.
       $ semodule --list=full
       # Set an alternate path for the policy root
       $ semodule -B -p "/tmp"
       # Set an alternate path for the policy store root
       $ semodule -B -S "/tmp/var/lib/selinux"
       # Write the HLL version of puppet and the CIL version of wireshark
       # modules at priority 400 to the current working directory
       $ semodule -X 400 --hll -E puppet --cil -E wireshark

SEE ALSO

       checkmodule(8), semodule_package(8)

AUTHORS

       This manual page was written by Dan Walsh.
       The program was written by Karl MacMillan, Joshua Brindle, Jason Tang.

COLOPHON

       This page is part of the selinux (Security-Enhanced Linux user-space
       libraries and tools) project.  This page was obtained from the
       project's upstream Git repository on 2020-07-14.  (At that time, the
       date of the most recent commit that was found in the repository was
       2020-07-10.)

Security Enhanced Linux           Nov 2005                       SEMODULE(8)
