How to get a .te file from an existing .pp file?

Dominick Grift dominick.grift at gmail.com
Mon Apr 9 17:49:41 UTC 2012


On Mon, 2012-04-09 at 19:38 +0200, Gabriele Pohl wrote:
> Hi all,
> 
> I've installed a software from the sources on a CentOS 6.2 box
> and would like to setup a SELinux policy for it.
> 
> As I already use the software on my Fedora 15 server
> Source RPM  : BackupPC-3.2.1-7.fc15.src.rpm
> I would like to use the wisdom from the existing policy module:
> /usr/share/selinux/packages/BackupPC/BackupPC.pp
> 
> I found this forum thread:
> http://www.linuxquestions.org/questions/showthread.php?p=4548316#post4548316
> 
> 
> which ended with the hint:
> "Use the tools from the setools package."
> 
> I tried this, but wasn't successful.
> All the time running into errors telling me,
> that these cannot open the policy file,
> as it is no "base policy"
> 
> Can you help with instructions?
> Or tell me, where to find the .te file of the Fedora package?
> 
> Thanks in advance and kind regards
> 
> Gabriele
> 
> PS: I found this instruction on how to generate the .pp
> from the audit messages. So if there is really no way
> to /decompile/ the .pp I will go this way:
> http://www.advisorbits.com/2011/03/backuppc_on_centos_5_selinux_fix.html

There is currently no way to disassemble .pp files as far as I know.

See if the source is enclosed with the source rpm.

Other options are:

1. disable that backuppc policy module (semodule -d BackupPC) and write
your own (backuppc pretty much needs full access to the file system
often and it needs many permissions, so it's not easy to write policy for).

2. Extend the BackupPC module. Use [ ... ] | semodule -M mybackuppc;
sudo semodule -i mybackuppc.pp, or do it manually: create a mybackuppc.te
file, declare a policy module, import required types, attributes etc.,
add policy rules and build and install (make
-f /usr/share/selinux/devel/Makefile mybackuppc.pp; sudo semodule -i
mybackuppc.pp).

3. make backuppc permissive (unprotected): semanage permissive -a
backuppc_t

4. disable the module, which causes selinux to run it in the init script
domain, which is unprotected/unrestricted (semodule -d BackupPC).

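The manual route from option 2, as an added example that is not part of the original mail or of the Fedora package. Only backuppc_t comes from the thread; the type mybackuppc_pool_t and the path /srv/backuppc-pool are constructed for illustration, and the sketch assumes the installed BackupPC module declares backuppc_t.

```te
# mybackuppc.te: constructed example of a small module that extends
# the existing BackupPC policy instead of replacing it.
policy_module(mybackuppc, 1.0.0)

# Import the type that the installed BackupPC module is assumed to declare.
# The module fails to load if backuppc_t is missing, which is the intended
# safety check: it cannot be installed without the policy it extends.
gen_require(`
	type backuppc_t;
')

# Hypothetical new file type for a backup pool kept outside the
# location the packaged policy already labels.
type mybackuppc_pool_t;
files_type(mybackuppc_pool_t)

# Grant the BackupPC domain management of that pool only, rather than
# making the whole domain permissive.
manage_dirs_pattern(backuppc_t, mybackuppc_pool_t, mybackuppc_pool_t)
manage_files_pattern(backuppc_t, mybackuppc_pool_t, mybackuppc_pool_t)
manage_lnk_files_pattern(backuppc_t, mybackuppc_pool_t, mybackuppc_pool_t)

# Build and install, using the commands from option 2:
#   make -f /usr/share/selinux/devel/Makefile mybackuppc.pp
#   sudo semodule -i mybackuppc.pp
#
# Then label the constructed pool path and apply the label:
#   sudo semanage fcontext -a -t mybackuppc_pool_t "/srv/backuppc-pool(/.*)?"
#   sudo restorecon -Rv /srv/backuppc-pool
```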