introduction
The new SELinux module storage in /var/lib/selinux/ allows a priority to be assigned to each SELinux module.
# ls /var/lib/selinux/targeted/active/modules
100 400 disabled
The default priority, and the priority used by the selinux-policy-* packages, is 100.
# ls /var/lib/selinux/targeted/active/modules/100 | wc -l
396
This means that a user can override an existing module by installing a modified copy of it at a higher priority. The highest priority wins.
# semodule --list-modules=full | grep sandbox
400 sandbox pp
100 sandbox pp
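Because the highest priority wins, a module installed at 400 silently shadows the distribution's copy at 100. The following shell script is an added example, not part of the original post: it parses "priority name format" lines in the layout shown by semodule --list-modules=full above and reports every module present at more than one priority, plus the priority that is actually active for a given module. The list it runs on is constructed sample output; on a real system pipe the live semodule output into the functions instead.

```shell
#!/bin/sh
# Added example (not from the original post): find SELinux modules that are
# installed at more than one priority, i.e. where a higher-priority copy
# shadows the priority-100 module shipped by selinux-policy.
# SAMPLE_LIST is constructed "semodule --list-modules=full" style output.

SAMPLE_LIST='400 apache    pp
100 apache    pp
400 sandbox   pp
100 sandbox   pp
100 zebra     pp
100 abrt      pp
200 mycustom  cil'

# shadowed_modules: read "priority name format" lines on stdin and print one
# line per module that appears at more than one priority, followed by the
# priorities seen, highest first (the highest one is the active copy).
shadowed_modules() {
    awk '
        NF >= 2 {
            name = $2
            seen[name] = seen[name] " " $1
            count[name]++
        }
        END {
            for (n in count) if (count[n] > 1) {
                split(substr(seen[n], 2), p, " ")
                # insertion sort, descending, on the small priority list
                for (i = 2; i in p; i++) {
                    v = p[i]; j = i - 1
                    while (j > 0 && p[j] + 0 < v + 0) { p[j + 1] = p[j]; j-- }
                    p[j + 1] = v
                }
                line = n
                for (i = 1; i in p; i++) line = line " " p[i]
                print line
            }
        }' | sort
}

# active_priority NAME: print the priority that is active for NAME (the
# highest priority at which it is installed); print nothing if not installed.
active_priority() {
    awk -v want="$1" '
        $2 == want && $1 + 0 > best + 0 { best = $1 }
        END { if (best != "") print best }'
}

# Stand-alone run over the constructed sample; on a live system use:
#   semodule --list-modules=full | shadowed_modules
printf '%s\n' "$SAMPLE_LIST" | shadowed_modules
```

Any module the script lists is one whose priority-100 copy no longer takes effect, so policy updates delivered through selinux-policy for that module are shadowed until the higher-priority copy is removed with semodule -X PRIORITY -r NAME.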
example
Let's say that we change the default SELinux context for /var/www/html from httpd_sys_content_t to httpd_sys_rw_content_t (this is only an example; it is not a good idea).
apache.pp
We prepare a new apache.pp module with a modified file context for /var/www:
$ dnf download --source selinux-policy
$ rpm -i selinux-policy-3.13.1-127.fc23.3.src.rpm
$ rpmbuild -bp ~/rpmbuild/SPECS/selinux-policy.spec
$ cd ~/rpmbuild/BUILD/serefpolicy-contrib-3.13.1
$ vim apache.fc
---
-/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
---
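Review bot: the edited pattern /var/www(/.*)? relabels the whole /var/www tree, and the rebuilt apache.pp is a complete copy of the apache module, so once it is installed at priority 400 it shadows the priority-100 apache module entirely, including any later fixes delivered by selinux-policy updates. Since the post already says this change is not a good idea, keep it as a demonstration only and remove the priority-400 module again with the semodule -X 400 -r apache step shown below.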
$ make -f /usr/share/selinux/devel/Makefile apache.pp
install the module
$ sudo matchpathcon /var/www
/var/www system_u:object_r:httpd_sys_content_t:s0
$ sudo semodule -X 400 -i apache.pp
$ sudo semodule --list=full | grep apache
400 apache pp
100 apache pp
$ sudo matchpathcon /var/www
/var/www system_u:object_r:httpd_sys_rw_content_t:s0
and return to the default
$ sudo semodule -X 400 -r apache
libsemanage.semanage_direct_remove_key: apache module at priority 100 is now active.
$ sudo matchpathcon /var/www
/var/www system_u:object_r:httpd_sys_content_t:s0
note
You need to have the latest release, 20150202, of the SELinux userspace tools and selinux-policy packages with the migrated module storage. You can find everything in the plautrba/selinux repository.