Knowing policy contents

Daniel J Walsh dwalsh at redhat.com
Mon Feb 24 15:08:52 UTC 2014



On 02/24/2014 04:49 AM, Maciej Lasyk wrote:
> On Mon, Feb 24, 2014 at 09:52:02AM +0100, Dominick Grift wrote:
>> On Mon, 2014-02-24 at 00:44 +0100, Maciej Lasyk wrote:
>>> Hi guys,
>>> 
>>> Let's say that I have file 
>>> /etc/selinux/targeted/modules/active/modules/lvm.pp
>>> 
>>> What would be the easiest way to view the policy that this file 
>>> contains? Normally when creating policy myself I firstly create .te
>>> file which contains my desired policy rules.
>>> 
>>> But how could I know what the policy looks like for already created and 
>>> loaded policies? Let's stick to that lvm.pp as the example.
>>> 
>>> Thanks for your help,
>> 
>> You can use the semodule_unpackage command to extract the policy package 
>> (.pp) See man semodule_unpackage
>> 
>> Then you can disassemble the extracted module (.mod) with the (se)dismod 
>> command ( i do not believe there is a manual for that program but its for
>> example sedismod lvm.mod (or something))
>> 
>> The (se)dismod program has a menu that allows you to query most of the 
>> module's content (what was in the lvm.te file)
>> 
>> The program is a bit unfriendly and rough on the edges but it does help
> 
> I already tried with semodule_unpackage (found out about it here: 
> http://serverfault.com/questions/321301/how-do-i-view-the-contents-of-a-selinux-policy-package
> ) but unfortunately every time I try to unpack *any* module from
> targeted active modules I get:
> 
> root:modules/ # semodule_unpackage lvm.pp lvm.mod 
> libsepol.module_package_read_offsets: wrong magic number for module 
> package:  expected 0xf97cff8f, got 0x39685a42 semodule_unpackage:  Error
> while reading policy module from lvm.pp
> 
> Stracing this semodule_unpackage gave me nothing, so I got stuck here.
> 
> Is there any repo that I could browse .te files from the official Fedora /
> targeted policy?
> 
> Maciek
> 
> 
> 
> -- selinux mailing list selinux at lists.fedoraproject.org 
> https://admin.fedoraproject.org/mailman/listinfo/selinux
> 
Usually sesearch is a better solution than just looking at the source.  The
source is just going to show you the interfaces called, whereas sesearch will
show you the results.

sesearch -A -s lvm_t

Will show you every allow rule that affects the lvm_t process domain.