May 9th, 2006

I am getting questions on module handling, so I figured I would do more clarification.

First let's talk about the base module policy package (base.pp). In the new modular policy there can be one and only one "base" policy module loaded at a time. In FC5 we actually ship two "base" policy packages for each policy type: /usr/share/selinux/TYPE/base.pp and /usr/share/selinux/TYPE/enableaudit.pp. These two packages are identical except that enableaudit has all of the dontaudit rules removed.

The base module contains all of the "core" system components of policy. It contains the definitions for the core file types, including bin_t, etc_t, lib_t ... It also includes the major infrastructure modules. We include all of the core daemon domains: kernel_t, udev_t, crond_t, init_t ... Finally we include the user domains in the base policy: unconfined_t, user_t, sysadm_t ...

At this point the policy developer can get creative in what he packages in the "base" package. Up to now we have packaged all of Red Hat's policy for targeted/MLS in the base policy module. In strict policy I have broken the policy up into 147 different policy packages, with only the core policy in the base module.

So I, as a user, decide to build a policy module using audit2allow, or /usr/share/selinux/devel/*, or one from scratch. I execute the semodule -i mypolicy.pp command. This command actually grabs all of the previously installed pp files, including the base.pp, and combines them together to create a new kernel.20 policy file. The mypolicy.pp file gets copied to the /etc/selinux/TYPE/modules/active/modules directory, so you no longer need to keep it on disk. Since the new policy package was actually included in the kernel.20 file, it will be "persistent": it will survive a reboot.

If you reload the base policy package, or rpm installs an updated package, you would execute semodule -b /usr/share/selinux/TYPE/base.pp, which replaces the base.pp in the current kernel.20 file but also combines in all of the other policy modules that have been loaded.

You can see the other policy modules that are loaded by executing "semodule -l":

semodule -l
clamav 1.0.0
w3c 1.2.1
xfs 1.0

If you notice, they are versioned. So if you use semodule -u to update a package, it will check the version of the new policy package against the one on the machine and only update if the target is newer.
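The "only update if the target is newer" check described above, as an added example that is not from the original post: it runs against a constructed copy of the semodule -l output shown above rather than calling semodule, and assumes dotted numeric versions like the ones listed.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether `semodule -u`
# would replace a loaded module, using a constructed copy of `semodule -l`
# output so it runs on a machine without SELinux.

# Constructed sample of `semodule -l` output, copied from the listing above.
SEMODULE_LIST='clamav 1.0.0
w3c 1.2.1
xfs 1.0'

# installed_version NAME: print the loaded version of module NAME, or nothing
# if the module is not loaded.
installed_version() {
    printf '%s\n' "$SEMODULE_LIST" | awk -v m="$1" '$1 == m { print $2; exit }'
}

# version_newer A B: exit 0 if dotted-numeric version A is strictly newer
# than B. Missing components count as 0, so 1.0 and 1.0.0 are equal.
version_newer() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 1
    }'
}

# would_update NAME VERSION: exit 0 when `semodule -u NAME.pp` would replace
# the loaded module, i.e. NAME is loaded and VERSION is strictly newer.
# A module that is not loaded yet is installed with `semodule -i` instead.
would_update() {
    cur=$(installed_version "$1")
    if [ -z "$cur" ]; then
        echo "$1 is not loaded; use semodule -i" >&2
        return 1
    fi
    version_newer "$2" "$cur"
}
```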

If you want to remove a policy package you would execute semodule -r policyname. So if I wanted to remove w3c, I would execute

semodule -r w3c

semodule -l
clamav 1.0.0
xfs 1.0

If I wanted to return to the original pristine policy of the system, I would have to remove each module one by one.

Remember that just because a module is loaded does not mean the file context was updated. So if you are adding policy for a particular daemon, you would need to install the policy and then use restorecon to fix the file context.

fixfiles -R RPMPACKAGE restore

could also be used, if this is for an rpm package.