How to get a .te file from an existing .pp file?

Stephen Smalley sds at tycho.nsa.gov
Mon Apr 9 18:04:37 UTC 2012


On Mon, 2012-04-09 at 19:49 +0200, Dominick Grift wrote:
> On Mon, 2012-04-09 at 19:38 +0200, Gabriele Pohl wrote:
> > Hi all,
> > 
> > I've installed some software from source on a CentOS 6.2 box
> > and would like to set up an SELinux policy for it.
> > 
> > As I already use the software on my Fedora 15 server
> > Source RPM  : BackupPC-3.2.1-7.fc15.src.rpm
> > I would like to use the wisdom from the existing policy module:
> > /usr/share/selinux/packages/BackupPC/BackupPC.pp
> > 
> > I found this forum thread:
> > http://www.linuxquestions.org/questions/showthread.php?p=4548316#post4548316
> > 
> > 
> > which ended with the hint:
> > "Use the tools from the setools package."
> > 
> > I tried this, but wasn't successful.
> > I kept running into errors telling me
> > that the tools cannot open the policy file,
> > as it is no "base policy".
> > 
> > Can you help with instructions?
> > Or tell me, where to find the .te file of the Fedora package?
> > 
> > Thanks in advance and kind regards
> > 
> > Gabriele
> > 
> > PS: I found this instruction on how to generate the .pp
> > from the audit messages. So if there is really no way
> > to /decompile/ the .pp I will go this way:
> > http://www.advisorbits.com/2011/03/backuppc_on_centos_5_selinux_fix.html
> 
> There is currently no way to disassemble .pp files as far as I know.

You can get most of the way there via semodule_unpackage and sedismod.
But even that will just give you a low level dump of the rules, not the
original .te sources, so it is better to get the original .te file if
you can.  sedismod could use some work to produce output that can be
directly placed in a .te file; it was originally just created as a
developer/debugging tool, not for this purpose.

semodule_unpackage sources have been posted a few times and are now part
of policycoreutils in recent Fedora.  sedismod is part of checkpolicy.

-- 
Stephen Smalley
National Security Agency
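
Added example, not part of the original message and not code from policycoreutils or libsepol: a sketch of the splitting step that semodule_unpackage performs before sedismod can read the result. It assumes an uncompressed package laid out as little-endian magic, version, section count and offset table, with the magic values as recalled from libsepol's headers; `unpack_pp`, `build_sample` and the sample bytes are constructed for illustration.

```python
import struct

# Magic numbers as defined in libsepol (values assumed from its headers).
PACKAGE_MAGIC = 0xF97CFF8F   # SEPOL_MODULE_PACKAGE_MAGIC: the .pp wrapper
MODULE_MAGIC = 0xF97CFF8D    # SELINUX_MOD_MAGIC: binary policy module (.mod)
FC_MAGIC = 0xF97CFF90        # SEPOL_PACKAGE_SECTION_FC: file contexts (.fc)
MAX_SECTIONS = 16            # sanity bound chosen for this example

def unpack_pp(data: bytes) -> dict:
    """Split a module package into sections keyed by 'mod', 'fc' or hex magic."""
    if len(data) < 12:
        raise ValueError("truncated package header")
    magic, version, nsec = struct.unpack_from("<3I", data, 0)
    if magic != PACKAGE_MAGIC:
        # A bare module or base policy lands here: it is not a package.
        raise ValueError(f"not a module package (magic {magic:#010x})")
    if not 0 < nsec <= MAX_SECTIONS or len(data) < 12 + 4 * nsec:
        raise ValueError("bad section count")
    # The last section runs to end of file, so append the length as a sentinel.
    offsets = list(struct.unpack_from(f"<{nsec}I", data, 12)) + [len(data)]
    sections = {"version": version}
    for start, end in zip(offsets, offsets[1:]):
        if start < 12 + 4 * nsec or end < start + 4 or end > len(data):
            raise ValueError("section offsets out of range or not increasing")
        (sec_magic,) = struct.unpack_from("<I", data, start)
        if sec_magic == MODULE_MAGIC:
            sections["mod"] = data[start:end]       # magic is part of the .mod
        elif sec_magic == FC_MAGIC:
            sections["fc"] = data[start + 4:end]    # text follows the magic
        else:
            sections[f"{sec_magic:#010x}"] = data[start + 4:end]
    return sections

def build_sample() -> bytes:
    """Constructed sample: a fake module body plus one file-context line."""
    mod = struct.pack("<I", MODULE_MAGIC) + b"\x00" * 8
    fc = struct.pack("<I", FC_MAGIC) + b"/usr/bin/example -- system_u:object_r:bin_t:s0\n"
    header_len = 12 + 4 * 2
    header = struct.pack("<5I", PACKAGE_MAGIC, 1, 2, header_len, header_len + len(mod))
    return header + mod + fc

if __name__ == "__main__":
    parts = unpack_pp(build_sample())
    print(len(parts["mod"]), parts["fc"].decode(), end="")
```

The `mod` bytes are what a tool such as sedismod would then dump as low-level rules; the `fc` bytes are already plain text.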


