Ask Your Question

How do SElinux module files .pp work?

asked 2015-01-18 07:51:59 -0500

theonlyandy gravatar image

Hi there.

I'm just wondering how these policy package files are working, I'm a Fedora novice.

The audit tool always tells you to f.e.

grep logrotate /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.pp

Are the policies from this mypol.pp file added to some global configuration? Or will SElinux attempt to add the module from the files on reboot?

So if I use the above file twice, will the second call of semodule -i overwrite the policies of the first call?

Also, if I delete the file, well the module still be there? How can I check?

Thanks for a quick introduction.

edit retag flag offensive close merge delete


Point is that the manpages don't answer my questions. Isn't this what this platform is for? Thanks for the Wiki link, I'll take a look at the pages.

theonlyandy gravatar imagetheonlyandy ( 2015-01-21 11:13:26 -0500 )edit

My understanding is that this forum is to help people with the practical details of understanding and using Fedora, rather than the theoretical underpinnings. If you want to understand what's going on "under the hood" with SELinux, follow the link in tonoic's answer, or join the project's mailing list. Feel free to ask questions here about how to do something, but don't expect us to provide lectures on what the commands do or why things are set up the way they are. Good luck in your quest for deeper understanding of SELinux!

sideburns gravatar imagesideburns ( 2015-01-21 15:21:29 -0500 )edit

That was my sentiment as well, at first. However, upon further deliberation, I can see some merit in the question; as the complexity of SELinux is vast and is only sure to be growing, it may be worthwhile to facilitate finding references, resources, and documentation for it. After all, can't knock a guy who's trying to gain a better understanding of a security system in an increasingly insecure digital world.

ILMostro gravatar imageILMostro ( 2015-01-21 15:31:46 -0500 )edit

He's already received a pointer to what he probably needs and seems to have rejected it. I have no problem with helping him find the information he needs, or answering specific questions, but I don't think that this is the right place for a tutorial. Please note that I'm not closing the question as not Fedora-related, because I'd like to help the poster get the information he needs.

sideburns gravatar imagesideburns ( 2015-01-21 18:56:10 -0500 )edit

4 Answers

Sort by » oldest newest most voted

answered 2015-01-20 08:19:10 -0500

theonlyandy gravatar image

audit2allow -M mypol creates a package file named 'mypol' which also defines a package named 'mypol' when loaded.

semodule -i mypol.pp creates a package with that name.

If you run audit2allow -M mypol and semodule -i mypol.pp a second time, the already existing module 'mypol' is being overwritten.

So in the end you need to either use a different module name each time you want to add a rule – or you manage to collect all necessary rules in this one mypol.pp file.

As I understand it by now, the module persists without the created .pp file.

edit flag offensive delete link more


The current version of the audit tool will now use the blocked application's name in the recommended command. That way they avoid users overwriting rules they already created.

theonlyandy gravatar imagetheonlyandy ( 2016-12-13 08:32:56 -0500 )edit

answered 2015-01-19 02:21:44 -0500

tonioc gravatar image

Before using audit2allow, you first need to understand why you got a denial, and make sure that adding a new rule is the good way to go. Indeed, a denial means that for some reason, some process is violating an access rule: frequently caused by bad file type.

If you blindly run audit2allow / semodule, you'll fix the issue, but in a way that opens doors intended to be kept closed.

Detailed information on SElinux concepts :

edit flag offensive delete link more


Thanks for the advise, but this misses the question

theonlyandy gravatar imagetheonlyandy ( 2015-01-20 08:17:38 -0500 )edit

answered 2015-01-20 13:47:16 -0500

updated 2015-01-21 14:51:03 -0500

I'd suggest you try for starters to learn about the underlying mechanics of SELinux. There are plenty of other sources of information online as well as your manpages.


sudo yum install selinux-policy-doc

to install the SELinux policy documentation package. The URL in the package description also points to the github page for the SELinux Reference Policy project. Their Getting Started page/tutorial should be of particular use to you.

edit flag offensive delete link more

answered 2015-01-18 19:04:32 -0500

sideburns gravatar image

If you want to understand what's going on, run these two commands:

man audit2allow
man semodule

That's what I just did and I learned that running the output from grep through audit2allow -M generates a "loadable module package" called "mypol.pp. Running semodule -i installs that module as part of your computer's SELinux policy. Welcome to ask.fedora, and I hope that the above information is what you were looking for.

edit flag offensive delete link more


Thanks, but sorry, this is not answering the concrete questions

theonlyandy gravatar imagetheonlyandy ( 2015-01-20 08:22:07 -0500 )edit

Question Tools

1 follower


Asked: 2015-01-18 07:51:59 -0500

Seen: 2,359 times

Last updated: Jan 21 '15