We've learned how to create SELinux policies in the previous recipe. This recipe will show you how to apply your newly created SELinux policies.
Getting ready
In order to apply a policy, we need a policy package file (.pp). This can be obtained by passing AVC denials to audit2allow or by compiling your own policy package file, as explained in the Create SELinux policies recipe.
How to do it...
Follow these steps:
Activate the policy (this can take quite a while, depending on the number of policies applied to your system) by running the following command:
~# semodule -i example_policy.pp
Next, verify that the policy is actually activated via these commands:
When executing the semodule command, the policy file is copied to /etc/selinux/targeted/modules/active/modules/, and the complete SELinux policy is recompiled and applied.
Tip
Be careful when applying custom-made policies as these may allow more access than required!
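One way to act on this tip, as an added example that is not part of the original recipe: the script below scans a module's .te source for rules that grant more than a narrow fix usually needs (wildcard permissions, executable-memory permissions, powerful capabilities, permissive domains) before the .pp is installed. The function names, the reason labels and the sample rules are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original recipe): flag over-broad rules in a
# module's .te source before the compiled .pp is loaded with `semodule -i`.
# Assumes one rule per line, the way audit2allow writes them.

# review_te FILE: print "LINE:REASON:RULE" for each finding, nothing if clean.
review_te() {
    awk '
    function flag(reason) { printf "%d:%s:%s\n", NR, reason, $0 }
    /^[ \t]*#/ { next }                                  # comment line
    /^[ \t]*permissive[ \t]/ { flag("permissive-domain"); next }
    /^[ \t]*allow[ \t]/ {
        # "*" or "~" in the permission part grants every (or every other) permission
        if ($0 ~ /:[^;]*[*~]/) flag("wildcard-permissions")
        if ($0 ~ /execmem|execstack|execheap|execmod/) flag("executable-memory")
        if ($0 ~ /sys_admin|sys_module|sys_ptrace|dac_override/) flag("powerful-capability")
    }' "$1"
}

# write_sample FILE: constructed sample policy source (hypothetical rules).
write_sample() {
    cat > "$1" <<'EOF'
module example_policy 1.0;
require { type httpd_t; type var_log_t; }
# constructed sample rules
allow httpd_t var_log_t:file { read open };
allow httpd_t self:capability sys_admin;
allow httpd_t self:process execmem;
allow httpd_t var_log_t:file *;
permissive httpd_t;
EOF
}

# Stand-alone demonstration on the constructed sample.
sample=$(mktemp)
write_sample "$sample"
review_te "$sample"
rm -f "$sample"
```

Call review_te on the .te file that sits next to your .pp and read every flagged rule before running semodule -i; an empty result only means none of these specific patterns were found.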
There's more…
To remove policies, execute the following command:
~# semodule -r example_policy
This is particularly practical when you want to test the effect with and without the policy.
There's also a way to upgrade the module without removing it first, which is as follows:
~# semodule -u example_policy.pp
See also
Refer to the semodule(8) man page for more information.