On Mon, Feb 24, 2014 at 10:08:52AM -0500, Daniel J Walsh wrote:
On 02/24/2014 04:49 AM, Maciej Lasyk wrote:
On Mon, Feb 24, 2014 at 09:52:02AM +0100, Dominick Grift wrote:
On Mon, 2014-02-24 at 00:44 +0100, Maciej Lasyk wrote:
Hi guys,
Let's say that I have the file /etc/selinux/targeted/modules/active/modules/lvm.pp
What would be the easiest way to view the policy that this file contains? Normally, when creating policy myself, I first create a .te file which contains my desired policy rules.
But how could I know what the policy looks like for already created and loaded policies? Let's stick to that lvm.pp as the example.
Thanks for your help,
You can use the semodule_unpackage command to extract the policy package (.pp) See man semodule_unpackage
Then you can disassemble the extracted module (.mod) with the (se)dismod command (I do not believe there is a manual for that program, but it's, for example, sedismod lvm.mod (or something)).
The (se)dismod program has a menu that allows you to query most of the module's content (what was in the lvm.te file).
The program is a bit unfriendly and rough on the edges, but it does help.
I already tried with semodule_unpackage (found out about it here: http://serverfault.com/questions/321301/how-do-i-view-the-contents-of-a-seli... ) but unfortunately every time I try to unpack *any* module from targeted active modules I get:
root:modules/ # semodule_unpackage lvm.pp lvm.mod
libsepol.module_package_read_offsets: wrong magic number for module package: expected 0xf97cff8f, got 0x39685a42
semodule_unpackage: Error while reading policy module from lvm.pp
Stracing this semodule_unpackage gave me nothing, so I'm stuck here.
Is there any repo that I could browse .te files from the official Fedora / targeted policy?
Maciek
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
Usually sesearch is a better solution than just looking at the source. The source is just going to show you the interfaces called, whereas sesearch will show you the results.
sesearch -A -s lvm_t
will show you every allow rule that affects the lvm_t process domain.
Great - thanks - that really did the job :)
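A small diagnostic for the "wrong magic number" error quoted above, added here as an example and not part of the thread. The value libsepol reports (got 0x39685a42) is the first four bytes of the file read as a little-endian uint32; those bytes are 42 5a 68 39, the ASCII "BZh9" header of a bzip2 stream, so the module store holds the package compressed rather than as the raw package the tool expects. The script reads the same four bytes, reports whether the file is bzip2-compressed, and checks whether the expected module package magic (0xf97cff8f) appears once the compression layer is removed. The sample input is constructed (a fake header, not a real lvm.pp); the function names are my own.

```python
import bz2
import struct
import sys

# Magic numbers as libsepol sees them: the first four bytes read as a little-endian uint32.
SEPOL_MODULE_PACKAGE_MAGIC = 0xF97CFF8F  # expected value from the error message on the list
BZIP2_MAGIC = b"BZh"                      # bzip2 stream header: "BZh" followed by the block-size digit


def read_magic(data: bytes) -> int:
    """Return the first four bytes as the little-endian uint32 libsepol would compare."""
    if len(data) < 4:
        raise ValueError("file too short to contain a module package header")
    return struct.unpack("<I", data[:4])[0]


def inspect_pp(data: bytes) -> dict:
    """Classify a policy package blob.

    Reports the raw magic (what the tool complained about), whether the blob is a
    bzip2 stream, and whether the module package magic is present after any
    compression layer is removed.
    """
    raw_magic = read_magic(data)
    compressed = data.startswith(BZIP2_MAGIC)
    payload = bz2.decompress(data) if compressed else data
    inner_magic = read_magic(payload)
    return {
        "raw_magic": raw_magic,
        "compressed": compressed,
        "inner_magic": inner_magic,
        "magic_ok": inner_magic == SEPOL_MODULE_PACKAGE_MAGIC,
    }


def decompress_pp(src: str, dst: str) -> bool:
    """Write the uncompressed package to dst if src is bzip2-compressed.

    Returns True when a file was written, False when src was already raw.
    """
    with open(src, "rb") as f:
        data = f.read()
    if not inspect_pp(data)["compressed"]:
        return False
    with open(dst, "wb") as f:
        f.write(bz2.decompress(data))
    return True


# Constructed sample (hypothetical): a header carrying the package magic followed by
# padding, then the same bytes wrapped in bzip2 the way the module store keeps them.
SAMPLE_PP = struct.pack("<I", SEPOL_MODULE_PACKAGE_MAGIC) + b"\x00" * 16
SAMPLE_PP_BZ2 = bz2.compress(SAMPLE_PP)


if __name__ == "__main__":
    # Usage: python inspect_pp.py [path/to/module.pp]; without a path the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PP_BZ2
    info = inspect_pp(data)
    print("raw magic:    0x%08x" % info["raw_magic"])
    print("bzip2:        %s" % info["compressed"])
    print("inner magic:  0x%08x (%s)" % (info["inner_magic"], "ok" if info["magic_ok"] else "not a module package"))
```

Run against the real lvm.pp, the raw magic should come out as 0x39685a42 and the inner magic as 0xf97cff8f. In that case decompressing the file first (for example, bzcat lvm.pp > lvm-raw.pp, or decompress_pp above) gives semodule_unpackage the raw package it expects.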
On Mon, 2014-02-24 at 16:50 +0100, Maciej Lasyk wrote:
<snip>
Let's say that I have the file /etc/selinux/targeted/modules/active/modules/lvm.pp
What would be the easiest way to view the policy that this file contains?
But how could I know what the policy looks like for already created and loaded policies? Let's stick to that lvm.pp as the example.
<snip>
Usually sesearch is a better solution than just looking at the source. The source is just going to show you the interfaces called, whereas sesearch will show you the results.
sesearch -A -s lvm_t
will show you every allow rule that affects the lvm_t process domain.
Great - thanks - that really did the job :)
Glad to hear that it helped you get the job done but for the record:
Although the answer that dwalsh gave is one hundred percent correct, it is not the answer to your initial question.
You do not know that lvm_t is declared in lvm.pp. Sure, in this case the type is consistent with the module name, but that is not always the case. Also, who's to say that there aren't any other types declared in this module (spoiler: there are)?
Not to mention that a typical .pp policy package also encloses a .fc file context file.
semodule_unpackage should, in my view, just be fixed to deal with this checksum issue. Also, I believe that currently the semodule_unpackage tool cannot properly extract the enclosed (.fc) file context file.
These are, in my view, actually a couple of bugs that would improve usability a lot when fixed. Somehow it does not get the attention it deserves.
On Mon, Feb 24, 2014 at 06:37:38PM +0100, Dominick Grift wrote:
Hmm, I couldn't agree more. Honestly, after you guys gave me the URL to the SELinux repo @Fedora, I grepped for what I was looking for and found exactly what you just wrote (that there might be inconsistencies in module names or there might be other type declarations in modules). So thanks for this explanation - I will keep that in mind while using Dan's method.