Knowing policy contents
Daniel J Walsh
dwalsh at redhat.com
Mon Feb 24 15:08:52 UTC 2014
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 02/24/2014 04:49 AM, Maciej Lasyk wrote:
> On Mon, Feb 24, 2014 at 09:52:02AM +0100, Dominick Grift wrote:
>> On Mon, 2014-02-24 at 00:44 +0100, Maciej Lasyk wrote:
>>> Hi guys,
>>>
>>> Let's say that I have file
>>> /etc/selinux/targeted/modules/active/modules/lvm.pp
>>>
>>> What would be the easiest way to view the policy that this file
>>> contains? Normally when creating policy myself I firstly create .te
>>> file which contains my desired policy rules.
>>>
>>> But how could I know how the policy looks like for already created and
>>> loaded policies? Let's stick to that lvm.pp as the example.
>>>
>>> Thanks for your help,
>>
>> You can use the semodule_unpackage command to extract the policy package
>> (.pp) See man semodule_unpackage
>>
>> Then you can disassemble the extracted module (.mod) with the (se)dismod
>> command ( i do not believe there is a manual for that program but its for
>> example sedismod lvm.mod (or something))
>>
>> The (se)dismod program has a menu that allows you to query most of the
>> modules content (what waas in the lvm.te) file
>>
>> The program is a bit unfriendly an rough on the edges but it does help
>
> I already tried with semodule_unpackage (found about it here:
> http://serverfault.com/questions/321301/how-do-i-view-the-contents-of-a-selinux-policy-package
>
>
) but unfortunately every time I try to unpack *any* module from
> targeted active modules I get:
>
> root:modules/ # semodule_unpackage lvm.pp lvm.mod
> libsepol.module_package_read_offsets: wrong magic number for module
> package: expected 0xf97cff8f, got 0x39685a42 semodule_unpackage: Error
> while reading policy module from lvm.pp
>
> Stracing this semodule_unpackage gave me nothing, so I stucked here.
>
> Is there any repo that I could browse .te files from the official Fedora /
> targeted policy?
>
> Maciek
>
>
>
> -- selinux mailing list selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
Usually sesearch is a better solution then just looking at the source. The
source is just going to show you the interfaces called, where is sesearch will
show you the results.
sesearch -A -s lvm_t
Will show you every allow rule that effects the lvm_t process domain.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlMLYIQACgkQrlYvE4MpobOElwCeNAuxIo5qicinHdjTKAVo4yCl
KnEAn0PY6CzARxYqbWcWeAEUyFyGq7Oi
=qhAi
-----END PGP SIGNATURE-----
More information about the selinux
mailing list