How to Remove SELinux Module in CentOS: Fixing “Can’t load policy” Error


When attempting to remove an SELinux module on CentOS 6.8, you might encounter the frustrating error:

SELinux: Could not load policy file /etc/selinux/targeted/policy/policy.24: Invalid argument
/sbin/load_policy: Can't load policy: Invalid argument
libsemanage.semanage_reload_policy: load_policy returned error code 2.
semodule: Failed!

The error typically occurs due to:

  • Corrupted SELinux policy file (policy.24)
  • Permission issues on policy files
  • Mismatch between installed module and active policy
  • SELinux policy store corruption

Follow these steps to properly remove the problematic SELinux module:

# First, check module existence
semodule -l | grep opendkim

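# Force a rebuild of the policy store by exporting the local semanage
# customizations and importing them again
semanage -o /tmp/selinux_policy_backup.pp
semanage -i /tmp/selinux_policy_backup.pp

# Alternatively, try removing with --ignore_missing
# (not listed in the semodule man page; if semodule rejects the option, skip this step)
semodule --ignore_missing -r opendkim

# If still failing, remove the module files directly from the module store
# (last resort: this bypasses libsemanage, so back up /etc/selinux/targeted first)
rm -f /etc/selinux/targeted/modules/active/modules/opendkim.*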

For persistent cases:

# Check SELinux status
sestatus

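# Rebuild entire policy (warning: takes time)
# This needs a policy source tree with a Makefile in the target directory;
# a stock install keeps only the compiled policy.24 there.
make -C /etc/selinux/targeted/policy/ clean
make -C /etc/selinux/targeted/policy/

# Restore the default file contexts on the policy files
restorecon -Rv /etc/selinux/targeted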

The delay occurs because SELinux attempts multiple times to reload the policy before giving up. You can verify this in the audit logs:

grep selinux /var/log/audit/audit.log | tail -20

This timeout is hardcoded in the SELinux policy management tools and varies between CentOS versions.

  • Always verify module files before installation
  • Keep regular backups of working policy files
  • Consider using semodule -i with --checksum option
  • Maintain sufficient disk space in /etc/selinux

When working with SELinux on CentOS 6.8, removing policy modules isn't always straightforward. The error you're seeing indicates a fundamental policy loading issue rather than just a module removal problem.

The key error message reveals the problem:

SELinux: Could not load policy file /etc/selinux/targeted/policy/policy.24: Invalid argument
/sbin/load_policy: Can't load policy: Invalid argument

This typically occurs when:

  • The policy file is corrupted
  • SELinux is in a transitional state
  • There are module dependencies preventing removal

Try this step-by-step method to properly remove the module:

# First check if the module is actually loaded
semodule -l | grep opendkim

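# Switch SELinux to permissive mode temporarily (it stays loaded but stops enforcing);
# return to enforcing mode once the removal has succeeded
setenforce 0

# Attempt removal again with verbose output
semodule -v -r opendkim

# Retry with dontaudit rules disabled, so that denials normally hidden are logged
semodule --disable_dontaudit -r opendkim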

# Rebuild the policy if still having issues
semodule -B
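
Because the steps above switch the system to permissive mode, it is worth confirming from the audit log that a policy reload actually happened and that enforcing mode was restored afterwards. The following is an added example, not part of the original article; the function names and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Summarise SELinux policy loads and enforcing-mode changes from audit records
# read on stdin (added example; sample data below is constructed).

selinux_audit_summary() {
    awk '
        # MAC_POLICY_LOAD is written when a policy is loaded into the kernel.
        /^type=MAC_POLICY_LOAD / { loads++ }
        # MAC_STATUS is written when the enforcing mode changes; keep the latest.
        # "old_enforcing=" does not match because the pattern is anchored.
        /^type=MAC_STATUS / {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^enforcing=[01]$/) { split($i, kv, "="); last = kv[2] }
        }
        END {
            state = (last == "") ? "unchanged" : (last == "1" ? "enforcing" : "permissive")
            printf "policy_loads=%d last_mode_change=%s\n", loads, state
        }
    '
}

# Exit status 0 if the most recent recorded mode change left the host permissive.
left_permissive() {
    selinux_audit_summary | grep -q 'last_mode_change=permissive'
}

# Constructed records: setenforce 0, one policy load, an unrelated record.
sample_audit_log() {
    cat <<'EOF'
type=MAC_STATUS msg=audit(1480000000.101:310): enforcing=0 old_enforcing=1 auid=0 ses=4
type=MAC_POLICY_LOAD msg=audit(1480000012.442:311): policy loaded auid=0 ses=4
type=USER_END msg=audit(1480000020.007:312): user pid=2211 uid=0 auid=0 ses=4 msg='op=PAM:session_close'
EOF
}

sample_audit_log | selinux_audit_summary
if sample_audit_log | left_permissive; then
    echo "WARNING: last mode change was to permissive; enforcing mode not restored"
fi
```

On a live system, feed it the real log with `selinux_audit_summary < /var/log/audit/audit.log`. A count of zero policy loads after a removal attempt means the rebuilt policy never reached the kernel.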

For persistent cases, we need deeper intervention:

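# List the allow rules whose source type is opendkim_t
# (shows what the loaded policy still grants to the module's domain)
sesearch -A -s opendkim_t

# Manually remove from active modules directory
# (bypasses libsemanage; back up /etc/selinux/targeted first)
rm -i /etc/selinux/targeted/modules/active/modules/opendkim.*

# Check whether the policy store still lists the module, then disable it
semanage module -l | grep opendkim
semanage module -d opendkim

# Full policy rebuild (may take several minutes)
# This needs a policy source tree with a Makefile in the target directory;
# a stock install keeps only the compiled policy.24 there.
make -C /etc/selinux/targeted/policy/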

To avoid similar situations:

  • Always check module dependencies before removal
  • Consider using semodule -i with --priority for better management
  • Maintain regular backups of your SELinux policy directory

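For reference, here's how to properly install a module that can be cleanly removed later. The priority applies only to the operations that follow it on the command line, so it must come before -i, and it requires a semodule that supports --priority, which the version shipped with CentOS 6 does not:

semodule --priority 400 -i opendkim.pp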