tequilaOS/platform_external_selinux
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_external_selinux/policycoreutils/semodule/semodule.8
Yuli Khodorkovskiy 65c6325271 policycoreutils/semodule: update semodule to allow extracting modules 
Add --extract/-E, --cil/-c, and --hll/-H to extract modules. If -c/-H
are not provided, the module will be output as HLL by default. Only
--cil or --hll (which will use the lang_ext in the semodule store) are valid
options to use with -E. The module is written to the current working directory
as <module_name>.<lang_ext>.

If a module exists as HLL and is exported as CIL, it will first compile into
CIL and cache to the module store. Once compiled, exporting will
continue.

If no priority is provided when extracting a module, then extraction at
the default priority, 400, will be attempted. If the module does not
exist at the default priority, then it will be exported at the highest
existing priority.

Examples:

Extract the wireshark module in a .cil format. If the module only exists
as HLL on the system, the module will be compiled into CIL and placed
into the module store. This command will then write wireshark.cil to the CWD.

    semodule --cil --extract wireshark

Extract the wireshark module in HLL format. Since the original HLL file
was a policy package, a wireshark.pp will be written to the CWD.

    semodule -E wireshark

Extract the wireshark module as CIL and HLL and extract the puppet
module as CIL at priority 400.

    semodule --hll -E wireshark --cil -E wireshark -X 400 --cil -E puppet

Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2015-08-06 10:59:44 -04:00

132 lines
3.7 KiB
Groff
Raw Blame History

.TH SEMODULE "8" "Nov 2005" "Security Enhanced Linux" NSA
.SH NAME
semodule \- Manage SELinux policy modules.
.SH SYNOPSIS
.B semodule [options]... MODE [MODES]...
.br
.SH DESCRIPTION
.PP
semodule is the tool used to manage SELinux policy modules,
including installing, upgrading, listing and removing modules.
semodule may also be used to force a rebuild of policy from the
module store and/or to force a reload of policy without performing
any other transaction. semodule acts on module packages created
by semodule_package. Conventionally, these files have a .pp suffix
(policy package), although this is not mandated in any way.
.SH "OPTIONS"
.TP
.B \-R, \-\-reload
force a reload of policy
.TP
.B \-B, \-\-build
force a rebuild of policy (also reloads unless \-n is used)
.TP
.B \-D, \-\-disable_dontaudit
Temporarily remove dontaudits from policy. Reverts whenever policy is rebuilt
.TP
.B \-i,\-\-install=MODULE_PKG
install/replace a module package
.TP
.B \-u,\-\-upgrade=MODULE_PKG
deprecated, alias for --install
.TP
.B \-b,\-\-base=MODULE_PKG
deprecated, alias for --install
.TP
.B \-r,\-\-remove=MODULE_NAME
remove existing module
.TP
.B \-l,\-\-list-modules=[KIND]
display list of installed modules (other than base)
.TP
.B \-E,\-\-extract=MODULE_PKG
Extract a module from the store as an HLL or CIL file to the current directory.
A module is extracted as HLL by default. The name of the module written is
<module-name>.<lang_ext>
.TP
.B KIND:
.TP
standard
list highest priority, enabled, non-base modules
.TP
full
list all modules
.TP
.B \-X,\-\-priority=PRIORITY
set priority for following operations (1-999)
.TP
.B \-e,\-\-enabled=MODULE_NAME
enable module
.TP
.B \-d,\-\-disable=MODULE_NAME
disable module
.TP
.B \-s,\-\-store
name of the store to operate on
.TP
.B \-n,\-\-noreload,\-N
do not reload policy after commit
.TP
.B \-h,\-\-help
prints help message and quit
.TP
.B \-P,\-\-preserve_tunables
Preserve tunables in policy
.TP
.B \-C,\-\-ignore-module-cache
Recompile CIL modules built from HLL files
.TP
.B \-p,\-\-path
Use an alternate path for the policy root
.TP
.B \-S,\-\-store-path
Use an alternate path for the policy store root
.TP
.B \-v,\-\-verbose
be verbose
.TP
.B \-c,\-\-cil
Extract module as a CIL file. This only affects the \-\-extract option.
.TP
.B \-H,\-\-hll
Extract module as an HLL file. This only affects the \-\-extract option.
.SH EXAMPLE
.nf
# Install or replace a base policy package.
$ semodule \-b base.pp
# Install or replace a non-base policy package.
$ semodule \-i httpd.pp
# List non-base modules.
$ semodule \-l
# Turn on all AVC Messages for which SELinux currently is "dontaudit"ing.
$ semodule \-DB
# Turn "dontaudit" rules back on.
$ semodule \-B
# Install or replace all non-base modules in the current directory.
$ semodule \-i *.pp
# Install or replace all modules in the current directory.
$ ls *.pp | grep \-Ev "base.pp|enableaudit.pp" | xargs /usr/sbin/semodule \-b base.pp \-i
# Disable a module.
$ semodule \-d alsa
# Install a module at a specific priority.
$ semodule \-X 100 \-i alsa.pp
# List all modules.
$ semodule \-l full
# Set an alternate path for the policy root
$ semodule \-B \-p "/tmp"
# Set an alternate path for the policy store root
$ semodule \-B \-S "/tmp/var/lib/selinux"
# Write the HLL version of puppet and the CIL version of wireshark
# modules at priority 400 to the current working directory
$ semodule \-X 400 \-g wireshark \-\-cil \-g puppet \-\-hll
.fi
.SH SEE ALSO
.B checkmodule(8), semodule_package(8)
.SH AUTHORS
.nf
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
The program was written by Karl MacMillan <kmacmillan@tresys.com>, Joshua Brindle <jbrindle@tresys.com>, Jason Tang <jtang@tresys.com>
Reference in a new issue View git blame Copy permalink