Hi guys,
Let's say that I have the file /etc/selinux/targeted/modules/active/modules/lvm.pp
What would be the easiest way to view the policy that this file contains? Normally when creating policy myself I first create a .te file which contains my desired policy rules.
But how could I know what the policy looks like for already created and loaded policies? Let's stick to that lvm.pp as the example.
Thanks for your help,
On Mon, 2014-02-24 at 00:44 +0100, Maciej Lasyk wrote:
> Hi guys,
> Let's say that I have the file /etc/selinux/targeted/modules/active/modules/lvm.pp
> What would be the easiest way to view the policy that this file contains? Normally when creating policy myself I first create a .te file which contains my desired policy rules.
> But how could I know what the policy looks like for already created and loaded policies? Let's stick to that lvm.pp as the example.
> Thanks for your help,
You can use the semodule_unpackage command to extract the policy package (.pp). See man semodule_unpackage.
Then you can disassemble the extracted module (.mod) with the (se)dismod command (I do not believe there is a manual for that program, but it's, for example, sedismod lvm.mod (or something)).
The (se)dismod program has a menu that allows you to query most of the module's content (what was in the lvm.te file).
The program is a bit unfriendly and rough around the edges but it does help.
On Mon, Feb 24, 2014 at 09:52:02AM +0100, Dominick Grift wrote:
> You can use the semodule_unpackage command to extract the policy package (.pp). See man semodule_unpackage.
> Then you can disassemble the extracted module (.mod) with the (se)dismod command (I do not believe there is a manual for that program, but it's, for example, sedismod lvm.mod (or something)).
> The (se)dismod program has a menu that allows you to query most of the module's content (what was in the lvm.te file).
> The program is a bit unfriendly and rough around the edges but it does help.
I already tried with semodule_unpackage (found out about it here: http://serverfault.com/questions/321301/how-do-i-view-the-contents-of-a-seli... ) but unfortunately every time I try to unpack *any* module from targeted active modules I get:
root:modules/ # semodule_unpackage lvm.pp lvm.mod
libsepol.module_package_read_offsets: wrong magic number for module package: expected 0xf97cff8f, got 0x39685a42
semodule_unpackage: Error while reading policy module from lvm.pp
Stracing this semodule_unpackage gave me nothing, so I am stuck here.
Is there any repo that I could browse .te files from the official Fedora / targeted policy?
Maciek
On Mon, 2014-02-24 at 10:49 +0100, Maciej Lasyk wrote:
> Is there any repo that I could browse .te files from the official Fedora / targeted policy?
On 02/24/2014 04:49 AM, Maciej Lasyk wrote:
> I already tried with semodule_unpackage (found out about it here: http://serverfault.com/questions/321301/how-do-i-view-the-contents-of-a-seli... ) but unfortunately every time I try to unpack *any* module from targeted active modules I get:
> root:modules/ # semodule_unpackage lvm.pp lvm.mod
> libsepol.module_package_read_offsets: wrong magic number for module package: expected 0xf97cff8f, got 0x39685a42
> semodule_unpackage: Error while reading policy module from lvm.pp
> Stracing this semodule_unpackage gave me nothing, so I am stuck here.
> Is there any repo that I could browse .te files from the official Fedora / targeted policy?
> Maciek
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
Usually sesearch is a better solution than just looking at the source. The source is just going to show you the interfaces called, whereas sesearch will show you the results.
sesearch -A -s lvm_t
Will show you every allow rule that affects the lvm_t process domain.
On Mon, 2014-02-24 at 10:49 +0100, Maciej Lasyk wrote:
> I already tried with semodule_unpackage (found out about it here: http://serverfault.com/questions/321301/how-do-i-view-the-contents-of-a-seli... ) but unfortunately every time I try to unpack *any* module from targeted active modules I get:
> root:modules/ # semodule_unpackage lvm.pp lvm.mod
> libsepol.module_package_read_offsets: wrong magic number for module package: expected 0xf97cff8f, got 0x39685a42
> semodule_unpackage: Error while reading policy module from lvm.pp
> Stracing this semodule_unpackage gave me nothing, so I am stuck here.
I haven't really tried it myself, but I've been told that, I think, bunzip2 or something like that is able to extract .pp archives.
So if there is some incompatibility between your semodule_unpackage and the archive, you may want to try to extract it using a tool like bunzip2.
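Added example (not part of the original thread): the value in the error above, 0x39685a42, is the byte sequence "BZh9" read as a little-endian 32-bit integer, which is a bzip2 stream header and fits the bunzip2 suggestion. The shell functions below check the header before choosing how to unpack; pp_magic, pp_kind and pp_to_mod are hypothetical names, and it is an assumption that the decompressed stream is a package semodule_unpackage accepts.

```shell
#!/bin/sh
# Added example: choose how to unpack a .pp file from its first four bytes.

# Print the first four bytes as a little-endian 32-bit hex value,
# the form libsepol uses in its "wrong magic number" message.
pp_magic() {
    set -- $(od -An -tx1 -N4 "$1")
    [ $# -eq 4 ] || return 1
    printf '0x%s%s%s%s\n' "$4" "$3" "$2" "$1"
}

# Classify the file: raw module package, bzip2 stream, or unknown.
pp_kind() {
    case "$(pp_magic "$1")" in
        0xf97cff8f)     echo raw ;;      # magic semodule_unpackage expects
        0x3[1-9]685a42) echo bzip2 ;;    # "BZh" followed by block size 1-9
        *)              echo unknown ;;
    esac
}

# Usage: pp_to_mod lvm.pp lvm.mod
# Assumption: the bzip2 payload is a module package semodule_unpackage accepts.
pp_to_mod() {
    case "$(pp_kind "$1")" in
        raw)
            semodule_unpackage "$1" "$2" ;;
        bzip2)
            tmp=$(mktemp) || return 1
            if bunzip2 -c "$1" > "$tmp"; then
                semodule_unpackage "$tmp" "$2"; rc=$?
            else
                rc=1
            fi
            rm -f "$tmp"
            return "$rc" ;;
        *)
            echo "unrecognised module package: $1" >&2
            return 1 ;;
    esac
}

# Constructed sample: four bytes matching the value in the thread's error.
sample=$(mktemp)
printf 'BZh9' > "$sample"
echo "$(pp_magic "$sample") -> $(pp_kind "$sample")"
rm -f "$sample"
```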
On 02/24/2014 10:24 AM, Dominick Grift wrote:
> I haven't really tried it myself, but I've been told that, I think, bunzip2 or something like that is able to extract .pp archives.
> So if there is some incompatibility between your semodule_unpackage and the archive, you may want to try to extract it using a tool like bunzip2.
Please open a bugzilla on this.
On 02/24/2014 01:16 PM, Dominick Grift wrote:
> On Mon, 2014-02-24 at 10:31 -0500, Daniel J Walsh wrote:
> > Please open a bugzilla on this.
>
> rhbz#1069329
thanks