semodule

From RaySoft

semodule is the tool used to manage SELinux policy modules, including installing, upgrading, listing and removing modules. semodule may also be used to force a rebuild of policy from the module store and/or to force a reload of policy without performing any other transaction. semodule acts on module packages created by semodule_package. Conventionally, these files have a .pp suffix (policy package), although this is not mandated in any way.[1]

Documentation

Syntax

semodule [PARAMETER ...] MODE [MODE ...]

Parameters

-i PACKAGE, --install=PACKAGE
Install / replace a module PACKAGE.

Examples

Add an SELinux policy to allow a Traefik container to read from /var/run/docker.sock

Scan the log file and report all discovered SELinux issues:

sealert --analyze '/var/log/audit/audit.log'

Create an SELinux policy module for the Traefik container (audit2allow writes my-traefik.te and the compiled package my-traefik.pp):

ausearch --comm 'traefik' --raw | audit2allow --module-package='my-traefik'

Install the SELinux policy for the Traefik container:

semodule --install='my-traefik.pp'
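A review step to run between the audit2allow and semodule commands above, as an added example that is not from the page or the semodule project: it assumes audit2allow --module-package='my-traefik' left my-traefik.te beside my-traefik.pp in the current directory, and the sample .te it writes is constructed with illustrative types rather than real audit output.

```shell
#!/bin/sh
# Review helper for an audit2allow-generated .te file, run before
# `semodule --install`. Assumes audit2allow --module-package='my-traefik'
# left my-traefik.te beside my-traefik.pp in the current directory.
# Constructed sample in the shape audit2allow emits; the types are
# illustrative, not a claim about what a real Traefik container needs.
write_sample_te() {
    cat > "$1" <<'EOF'
module my-traefik 1.0;
require {
    type container_t;
    type container_var_run_t;
    type container_runtime_t;
    class sock_file write;
    class unix_stream_socket connectto;
}
#============= container_t ==============
allow container_t container_var_run_t:sock_file write;
allow container_t container_runtime_t:unix_stream_socket connectto;
EOF
}

# Print every allow rule: this is exactly what the module will grant.
allow_rules() { grep -E '^[[:space:]]*allow[[:space:]]' "$1"; }

# Number of allow rules; a large count from one ausearch run is a red flag.
count_allow_rules() { allow_rules "$1" | wc -l | tr -d ' '; }

# Module name declared in the .te; it should match the .pp given to semodule.
module_name() { sed -En 's/^module[[:space:]]+([^[:space:]]+)[[:space:]].*/\1/p' "$1"; }

# Succeeds when a rule grants a permission that deserves explicit justification
# (writes, executable memory, relabeling); the word must follow a class or '{'.
has_watched_perm() {
    allow_rules "$1" | grep -Eq '[[:space:]{](write|append|execmem|execmod|relabelto|setattr)[[:space:]};]'
}

# Gate the install: refuse on a name mismatch, and refuse watched permissions
# unless a human reviewer set REVIEWED=yes after reading the rules.
install_reviewed() {   # install_reviewed my-traefik.te my-traefik.pp
    [ "$(module_name "$1")" = "$(basename "$2" .pp)" ] || { echo "module name mismatch" >&2; return 1; }
    if has_watched_perm "$1" && [ "${REVIEWED:-no}" != yes ]; then
        echo "watched permissions present; read $(count_allow_rules "$1") rules, then REVIEWED=yes" >&2
        return 1
    fi
    semodule --install="$2"
}
```

Run `write_sample_te my-traefik.te` only to try the helper on the constructed sample; on a real host point `install_reviewed` at the .te and .pp that audit2allow produced.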

References

  1. man 8 'semodule'