Show Table of Contents
4.12. Prioritizing and Disabling SELinux Policy Modules
The SELinux module storage in
/etc/selinux/ allows using a priority on SELinux modules. Enter the following command as root to show two module directories with a different priority:
~]#ls /etc/selinux/targeted/active/modules100 400 disabled
While the default priority used by
semodule utility is 400, the priority used in selinux-policy packages is 100, so you can find most of the SELinux modules installed with the priority 100.
You can override an existing module with a modified module with the same name using a higher priority. When there are more modules with the same name and different priorities, only a module with the highest priority is used when the policy is built.
Example 4.1. Using SELinux Policy Modules Priority
Prepare a new module with modified file context. Install the module with the
semodule -i command and set the priority of the module to 400. We use sandbox.pp in the following example.
~]#semodule -X 400 -i sandbox.pp~]#semodule --list-modules=full | grep sandbox400 sandbox pp 100 sandbox pp
To return back to the default module, enter the
semodule -r command as root:
~]#semodule -X 400 -r sandboxlibsemanage.semanage_direct_remove_key: sandbox module at priority 100 is now active.
Disabling a System Policy Module
To disable a system policy module, enter the following command as root:
semodule -d MODULE_NAMEWarning
If you remove a system policy module using the
semodule -r command, it is deleted on your system's storage and you cannot load it again. To avoid unnecessary reinstallations of the selinux-policy-targeted package for restoring all system policy modules, use the semodule -d command instead.
Where did the comment section go?
Red Hat's documentation publication system recently went through an upgrade to enable speedier, more mobile-friendly content. We decided to re-evaluate our commenting platform to ensure that it meets your expectations and serves as an optimal feedback mechanism. During this redesign, we invite your input on providing feedback on Red Hat documentation via the discussion platform.