
5.3. Prioritizing SELinux Policy Modules

In Fedora 23, the SELinux module storage in /var/lib/selinux supports priorities on SELinux modules. Run the following command as root to show two module directories with different priorities:
~]# ls /var/lib/selinux/targeted/active/modules
100  400  disabled
The default priority, which is also the priority used in the SELinux policy packages, is 100, so most SELinux modules are found in the directory /var/lib/selinux/targeted/active/modules/100.
To override an existing module with a modified module, install the new module at a higher priority. When the same module exists at several priorities, the highest priority wins.
Example 5.1. Using SELinux Policy Modules Priority
Prepare a new module with a modified file context. Install the module with the semodule -i command and use the -X option to set the priority of the module to 400. The following example uses sandbox.pp.
~]# semodule -X 400 -i sandbox.pp
~]# semodule --list-modules=full | grep sandbox
400 sandbox           pp  
100 sandbox           pp
To return to the default module, remove the priority 400 module by running the semodule -r command as root:
~]# semodule -X 400 -r sandbox
libsemanage.semanage_direct_remove_key: sandbox module at priority 100 is now active.
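
The following is an added example, not part of the original guide: a shell function that reads the output of semodule --list-modules=full and lists every module installed at more than one priority, together with the priority that is active (the highest one). The function names and the sample listing are constructed for illustration; the column layout (priority, name, language) is the one shown in the listing above.

```shell
#!/bin/sh
# Audit helper: find SELinux modules that exist at several priorities,
# i.e. modules where a higher-priority copy overrides the packaged one.

# Reads a `semodule --list-modules=full` listing on stdin.
# Prints one line per overridden module:
#   <name> active=<highest priority> installed=<priorities in input order>
overridden_modules() {
    awk '
        # Data lines start with a numeric priority followed by the module name.
        NF >= 2 && $1 ~ /^[0-9]+$/ {
            prio = $1 + 0
            name = $2
            count[name]++
            if (name in seen)
                seen[name] = seen[name] "," prio
            else
                seen[name] = prio
            # The highest priority wins, so track the maximum per module.
            if (!(name in best) || prio > best[name])
                best[name] = prio
        }
        END {
            for (name in count)
                if (count[name] > 1)
                    printf "%s active=%d installed=%s\n", name, best[name], seen[name]
        }
    ' | sort
}

# Constructed sample listing (not captured from a real system).
sample_listing() {
    cat <<'EOF'
400 sandbox           pp
100 sandbox           pp
100 apache            pp
100 zebra             pp
EOF
}

# On a live system, run as root:
#   semodule --list-modules=full | overridden_modules
sample_listing | overridden_modules
```

Any module reported here is running a copy other than the one in the lower-priority directory, so the list is a quick way to review which policy overrides are in effect on a host.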