Enhancing SELinux policies
Not all situations can be perfectly defined by policy writers. At times, we will need to make modifications to the SELinux policy. As long as the changes involve adding rules, we can create additional SELinux modules to enhance the policy. If the change is more intrusive, we might need to remove an existing SELinux module and replace it with an updated one.
Listing policy modules
SELinux policy modules are, as mentioned at the beginning of this book, sets of SELinux rules that can be loaded and unloaded. These modules, with .pp or .cil suffixes, can be loaded and unloaded as needed by the administrator. Once loaded, the policy module is part of the SELinux policy store and will be loaded even after a system reboot.
To list currently loaded SELinux policy modules, it is recommended to use the semodule command. Depending on the version of the SELinux user space tools (in this case, the version of the policycoreutils package), listing modules will show module versions...
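Because the listing format differs between policycoreutils versions, scripts that inventory modules should not assume one layout. The following added example (not from the book) normalizes the three layouts that semodule -l and semodule --list-modules=full produce; it goes slightly beyond the text by also covering the full listing with priority and format columns. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: normalize `semodule` listing output into one record per
# module: "name version priority format", with "-" where a field is absent.
# Assumed input layouts (one module per line):
#   legacy  `semodule -l`                  -> name<TAB>version
#   current `semodule -l`                  -> name
#   current `semodule --list-modules=full` -> priority name format(pp|cil)
normalize_semodule_list() {
    awk '
        NF == 0 { next }                                  # skip blank lines
        # Full listing: numeric priority first, then name and format.
        $1 ~ /^[0-9]+$/ && NF >= 3 { print $2, "-", $1, $3; next }
        # Legacy listing: name followed by a dotted version number.
        NF >= 2 && $2 ~ /^[0-9]+(\.[0-9]+)*$/ { print $1, $2, "-", "-"; next }
        # Current plain listing: module name only.
        NF == 1 { print $1, "-", "-", "-"; next }
        # Anything else is reported rather than silently dropped.
        { print "unparsed: " $0 > "/dev/stderr" }
    '
}

# Constructed sample covering all three layouts (not real system output).
sample_listing() {
    printf 'abrt\t1.4.1\n'
    printf 'accountsd\n'
    printf '100 apache pp\n'
    printf '400 mylocal cil\n'
}

# On a live system (as root): semodule --list-modules=full | normalize_semodule_list
```

Run sample_listing | normalize_semodule_list to see the normalized records without needing an SELinux host.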