policycoreutils/semodule/semodule.8 - platform/external/selinux - Git at Google

 .TH SEMODULE "8" "Nov 2005" "Security Enhanced Linux" NSA
 .SH NAME
 semodule \- Manage SELinux policy modules.

 .SH SYNOPSIS
 .B semodule [options]... MODE [MODES]...
 .br
 .SH DESCRIPTION
 .PP
 semodule is the tool used to manage SELinux policy modules,
 including installing, upgrading, listing and removing modules.
 semodule may also be used to force a rebuild of policy from the
 module store and/or to force a reload of policy without performing
 any other transaction.  semodule acts on module packages created
 by semodule_package.  Conventionally, these files have a .pp suffix
 (policy package), although this is not mandated in any way.

 .SH "OPTIONS"
 .TP
 .B \-R, \-\-reload
 force a reload of policy
 .TP
 .B \-B, \-\-build
 force a rebuild of policy (also reloads unless -n is used)
 .TP
 .B \-D, \-\-disable_dontaudit
 Temporarily remove dontaudits from policy.  Reverts whenever policy is rebuilt
 .TP
 .B \-i,\-\-install=MODULE_PKG
 install/replace a module package
 .TP
 .B  \-u,\-\-upgrade=MODULE_PKG
 upgrade an existing module package
 .TP
 .B  \-b,\-\-base=MODULE_PKG
 install/replace base module package
 .TP
 .B  \-r,\-\-remove=MODULE_NAME
 remove existing module
 .TP
 .B  \-l,\-\-list-modules
 display list of installed modules (other than base)
 .TP
 .B  \-s,\-\-store
 name of the store to operate on
 .TP
 .B  \-n,\-\-noreload
 do not reload policy after commit
 .TP
 .B  \-h,\-\-help
 prints help message and quit
 .TP
 .B  \-v,\-\-verbose
 be verbose

 .SH EXAMPLE
 .nf
 # Install or replace a base policy package.
 $ semodule -b base.pp
 # Install or replace a non-base policy package.
 $ semodule -i httpd.pp
 # List non-base modules.
 $ semodule -l
 # Turn on all AVC Messages for which SELinux currently is "dontaudit"ing.
 $ semodule -DB
 # Turn "dontaudit" rules back on.
 $ semodule -B
 # Install or replace all non-base modules in the current directory.
 $ semodule -i *.pp
 # Install or replace all modules in the current directory.
 $ ls *.pp | grep -Ev "base.pp|enableaudit.pp" | xargs /usr/sbin/semodule -b base.pp -i
 .fi

 .SH SEE ALSO
 .B checkmodule(8), semodule_package(8)
 .SH AUTHORS
 .nf
 This manual page was written by Dan Walsh <dwalsh@redhat.com>.
 The program was written by Karl MacMillan <kmacmillan@tresys.com>, Joshua Brindle <jbrindle@tresys.com>, Jason Tang <jtang@tresys.com>
	.TH SEMODULE "8" "Nov 2005" "Security Enhanced Linux" NSA
	.SH NAME
	semodule \- Manage SELinux policy modules.

	.SH SYNOPSIS
	.B semodule [options]... MODE [MODES]...
	.br
	.SH DESCRIPTION
	.PP
	semodule is the tool used to manage SELinux policy modules,
	including installing, upgrading, listing and removing modules.
	semodule may also be used to force a rebuild of policy from the
	module store and/or to force a reload of policy without performing
	any other transaction. semodule acts on module packages created
	by semodule_package. Conventionally, these files have a .pp suffix
	(policy package), although this is not mandated in any way.

	.SH "OPTIONS"
	.TP
	.B \-R, \-\-reload
	force a reload of policy
	.TP
	.B \-B, \-\-build
	force a rebuild of policy (also reloads unless -n is used)
	.TP
	.B \-D, \-\-disable_dontaudit
	Temporarily remove dontaudits from policy. Reverts whenever policy is rebuilt
	.TP
	.B \-i,\-\-install=MODULE_PKG
	install/replace a module package
	.TP
	.B \-u,\-\-upgrade=MODULE_PKG
	upgrade an existing module package
	.TP
	.B \-b,\-\-base=MODULE_PKG
	install/replace base module package
	.TP
	.B \-r,\-\-remove=MODULE_NAME
	remove existing module
	.TP
	.B \-l,\-\-list-modules
	display list of installed modules (other than base)
	.TP
	.B \-s,\-\-store
	name of the store to operate on
	.TP
	.B \-n,\-\-noreload
	do not reload policy after commit
	.TP
	.B \-h,\-\-help
	prints help message and quit
	.TP
	.B \-v,\-\-verbose
	be verbose

	.SH EXAMPLE
	.nf
	# Install or replace a base policy package.
	$ semodule -b base.pp
	# Install or replace a non-base policy package.
	$ semodule -i httpd.pp
	# List non-base modules.
	$ semodule -l
	# Turn on all AVC Messages for which SELinux currently is "dontaudit"ing.
	$ semodule -DB
	# Turn "dontaudit" rules back on.
	$ semodule -B
	# Install or replace all non-base modules in the current directory.
	$ semodule -i *.pp
	# Install or replace all modules in the current directory.
	$ ls *.pp \| grep -Ev "base.pp\|enableaudit.pp" \| xargs /usr/sbin/semodule -b base.pp -i
	.fi

	.SH SEE ALSO
	.B checkmodule(8), semodule_package(8)
	.SH AUTHORS
	.nf
	This manual page was written by Dan Walsh <dwalsh@redhat.com>.
	The program was written by Karl MacMillan <kmacmillan@tresys.com>, Joshua Brindle <jbrindle@tresys.com>, Jason Tang <jtang@tresys.com>