4.12. Prioritizing and Disabling SELinux Policy Modules
The SELinux module storage in /etc/selinux/ allows using a priority on SELinux modules. Enter the following command as root to show two module directories with a different priority:
~]# ls /etc/selinux/targeted/active/modules
100  400  disabled
While the default priority used by the semodule utility is 400, the priority used in selinux-policy packages is 100, so you can find most of the SELinux modules installed with the priority 100.
You can override an existing module with a modified module of the same name by installing it at a higher priority. When there are several modules with the same name and different priorities, only the module with the highest priority is used when the policy is built.
Example 4.1. Using SELinux Policy Modules Priority
Prepare a new module with a modified file context. Install the module with the semodule -i command and set the priority of the module to 400. We use sandbox.pp in the following example.
~]# semodule -X 400 -i sandbox.pp
~]# semodule --list-modules=full | grep sandbox
400 sandbox pp
100 sandbox pp
To return to the default module, enter the semodule -r command as root:
~]# semodule -X 400 -r sandbox
libsemanage.semanage_direct_remove_key: sandbox module at priority 100 is now active.
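Because only the highest-priority copy of a module name is built into the policy, a local module installed at priority 400 silently replaces the distribution module at 100. The following added script (not part of the original documentation or of the semodule tool) parses the output of semodule --list-modules=full, reports which priority wins for each name, and lists the names whose winning copy is not the selinux-policy default of 100, so that such overrides can be reviewed. The listing is a constructed sample, and the handling of the "disabled" marker is an assumption about the listing format.

```shell
# Constructed sample of `semodule --list-modules=full` output; not a real capture.
# Columns: priority, module name, format, optional "disabled" marker.
SAMPLE_LISTING='400 sandbox pp
100 sandbox pp
100 abrt pp
100 apache pp disabled
200 apache pp'

# One line per module name: the priority the policy build will use, whether the
# name is disabled, and which lower-priority copies are shadowed by it.
report_overrides() {
  printf '%s\n' "$1" | awk '
    NF < 3 { next }
    {
      prio = $1; name = $2
      # semodule -d disables a module by name, so a "disabled" marker on any
      # priority line is taken to mark the whole name (assumption).
      if ($4 == "disabled") dis[name] = 1
      if (!(name in best)) { best[name] = prio; order[++n] = name }
      else if (prio > best[name]) { shadowed[name] = shadowed[name] " " best[name]; best[name] = prio }
      else { shadowed[name] = shadowed[name] " " prio }
    }
    END {
      for (i = 1; i <= n; i++) {
        nm = order[i]
        printf "%s active=%s %s", nm, best[nm], (nm in dis) ? "disabled" : "enabled"
        if (shadowed[nm] != "") printf " shadowed:%s", shadowed[nm]
        printf "\n"
      }
    }'
}

# Names whose winning copy is not the distribution priority 100: these are the
# local overrides worth checking during a policy review.
overridden_modules() {
  printf '%s\n' "$1" | awk '
    NF < 3 { next }
    { if (!($2 in best) || $1 > best[$2]) best[$2] = $1 }
    END { for (nm in best) if (best[nm] != 100) print nm }' | sort
}

report_overrides "$SAMPLE_LISTING"
```

On a real system, replace SAMPLE_LISTING with the captured output of semodule --list-modules=full run as root.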
Disabling a System Policy Module
To disable a system policy module, enter the following command as root:
~]# semodule -d MODULE_NAME
Warning
If you remove a system policy module using the semodule -r command, it is deleted from your system's storage and you cannot load it again. To avoid unnecessary reinstallations of the selinux-policy-targeted package to restore all system policy modules, use the semodule -d command instead.