4.12. Prioritizing and Disabling SELinux Policy Modules
The SELinux module storage in
/etc/selinux/ allows using a priority on SELinux modules. Enter the following command as root to show two module directories with a different priority:
~]#ls /etc/selinux/targeted/active/modules100 400 disabled
While the default priority used by
semodule utility is 400, the priority used in selinux-policy packages is 100, so you can find most of the SELinux modules installed with the priority 100.
You can override an existing module with a modified module with the same name using a higher priority. When there are more modules with the same name and different priorities, only a module with the highest priority is used when the policy is built.
Example 4.1. Using SELinux Policy Modules Priority
Prepare a new module with modified file context. Install the module with the
semodule -i command and set the priority of the module to 400. We use sandbox.pp in the following example.
~]#semodule -X 400 -i sandbox.pp~]#semodule --list-modules=full | grep sandbox400 sandbox pp 100 sandbox pp
To return back to the default module, enter the
semodule -r command as root:
~]#semodule -X 400 -r sandboxlibsemanage.semanage_direct_remove_key: sandbox module at priority 100 is now active.
Disabling a System Policy Module
To disable a
system policy module, enter the following command as root:
semodule -d MODULE_NAMEWarning
If you remove a
system policy module using the semodule -r command, it is deleted on your system's storage and you cannot load it again. To avoid unnecessary reinstallations of the selinux-policy-targeted package for restoring all system policy modules, use the semodule -d command instead.
