selinux:selinux_policy_module, revision 2016/07/14 15:09 by peter (compared against revision 2019/12/04 20:23, current, in which the page was removed by peter)
====== SELinux - SELinux Policy Module ======

A SELinux policy module is built in the following steps:

  * Generate a set of policy rules (a .te source file) from audit denials: audit2allow
  * Compile the .te source into a binary module (.mod): checkmodule
  * Build the policy package (.pp) from the binary module: semodule_package

See http://wiki.centos.org/HowTos/SELinux



Assuming that I have a postgreylocal.te file with the following content:

<code>
module postgreylocal 1.0;
require {
        type postfix_smtpd_t;
        type postfix_spool_t;
        type initrc_t;
        class sock_file write;
        class unix_stream_socket connectto;
}
#============= postfix_smtpd_t ==============
allow postfix_smtpd_t initrc_t:unix_stream_socket connectto;
allow postfix_smtpd_t postfix_spool_t:sock_file write;
</code>


The postgreylocal.pp policy module is then created with:

<code bash>
# checkmodule -M -m -o postgreylocal.mod postgreylocal.te
# semodule_package -m postgreylocal.mod -o postgreylocal.pp
</code>
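The following Python script is an added example and not code from this wiki page or from the SELinux userspace tools. It parses the subset of the .te language that the postgreylocal.te above uses (a module line, one require block, allow rules) and performs the consistency check that checkmodule enforces: every type, class and permission an allow rule references must be declared in the require block, otherwise compilation fails. It also regenerates the require block from the allow rules, which is what audit2allow does when it writes the .te file. The function names (parse_te, missing_requirements, build_require_block) are my own, the sample .te is embedded as a constructed copy of the page's module, and example_t is a made-up type name used only to show the failure case.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the postgreylocal.te from the page, embedded so the script
# runs offline and without checkmodule installed.
SAMPLE_TE = """\
module postgreylocal 1.0;
require {
        type postfix_smtpd_t;
        type postfix_spool_t;
        type initrc_t;
        class sock_file write;
        class unix_stream_socket connectto;
}
#============= postfix_smtpd_t ==============
allow postfix_smtpd_t initrc_t:unix_stream_socket connectto;
allow postfix_smtpd_t postfix_spool_t:sock_file write;
"""

MODULE_RE = re.compile(r"^module\s+(\S+)\s+([^;\s]+)\s*;$")
REQ_TYPE_RE = re.compile(r"^type\s+([^;]+);$")
REQ_CLASS_RE = re.compile(r"^class\s+(\S+)\s+(?:\{([^}]*)\}|([^;\s]+))\s*;$")
ALLOW_RE = re.compile(r"^allow\s+(\S+)\s+([^\s:]+):(\S+)\s+(?:\{([^}]*)\}|([^;\s]+))\s*;$")

@dataclass
class AllowRule:
    source: str
    target: str
    cls: str
    perms: frozenset

@dataclass
class TeModule:
    name: str
    version: str
    req_types: set = field(default_factory=set)
    req_classes: dict = field(default_factory=dict)  # class -> set of permissions
    rules: list = field(default_factory=list)

def parse_te(text: str) -> TeModule:
    """Parse the subset of the .te language that audit2allow emits:
    a module line, one require block, and allow rules."""
    mod = None
    in_require = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = MODULE_RE.match(line)
        if m:
            mod = TeModule(m.group(1), m.group(2))
            continue
        if mod is None:
            raise ValueError("statement before the module line: " + line)
        if line.startswith("require"):
            in_require = True
            continue
        if in_require:
            if line == "}":
                in_require = False
            elif (m := REQ_TYPE_RE.match(line)):
                mod.req_types.update(t.strip() for t in m.group(1).split(","))
            elif (m := REQ_CLASS_RE.match(line)):
                perms = (m.group(2) or m.group(3)).split()
                mod.req_classes.setdefault(m.group(1), set()).update(perms)
            else:
                raise ValueError("unrecognised require entry: " + line)
            continue
        m = ALLOW_RE.match(line)
        if not m:
            raise ValueError("unrecognised statement: " + line)
        perms = frozenset((m.group(4) or m.group(5)).split())
        mod.rules.append(AllowRule(m.group(1), m.group(2), m.group(3), perms))
    if mod is None:
        raise ValueError("no module line found")
    return mod

def missing_requirements(mod: TeModule) -> list:
    """List identifiers the allow rules use that the require block does not
    declare; checkmodule refuses to compile a module with such gaps."""
    missing = set()
    for r in mod.rules:
        for t in (r.source, r.target):
            if t not in mod.req_types:
                missing.add("type " + t)
        declared = mod.req_classes.get(r.cls, set())
        for p in r.perms - declared:
            missing.add(f"class {r.cls} {p}")
    return sorted(missing)

def build_require_block(mod: TeModule) -> str:
    """Regenerate a require block from the allow rules (the audit2allow step)."""
    types = sorted({t for r in mod.rules for t in (r.source, r.target)})
    classes = {}
    for r in mod.rules:
        classes.setdefault(r.cls, set()).update(r.perms)
    lines = ["require {"] + [f"\ttype {t};" for t in types]
    for cls in sorted(classes):
        lines.append(f"\tclass {cls} {{ {' '.join(sorted(classes[cls]))} }};")
    lines.append("}")
    return "\n".join(lines)

if __name__ == "__main__":
    mod = parse_te(SAMPLE_TE)
    print(f"{mod.name} {mod.version}: {len(mod.rules)} allow rules, "
          f"missing requirements: {missing_requirements(mod) or 'none'}")
    print(build_require_block(mod))
```

Running the script on the embedded module reports no missing requirements; appending an allow rule for an undeclared type (the example_t case in the check below) makes it list the type and permissions that would have to be added to the require block before checkmodule accepts the file.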


To unpack (disassemble) this policy module, you need the **semodule_unpackage** tool to extract the .mod file, and then **dismod** to disassemble the binary module into its textual representation.


On my Gentoo system, the following packages need to be installed:

<code>
[I] sys-apps/policycoreutils
     Available versions:  [M]2.0.82 [M](~)2.0.82-r1 [M](~)2.0.85 [M](~)2.1.0 {M}(~)2.1.0-r1
     Installed versions:  2.1.0-r1(05:12:27 PM 10/14/2011)
     Homepage:            http://userspace.selinuxproject.org
     Description:         SELinux core utilities

[I] sys-apps/checkpolicy
     Available versions:  [M]2.0.21 [M](~)2.0.23 {M}(~)2.1.0 {debug}
     Installed versions:  2.1.0(01:27:53 PM 10/14/2011)(-debug)
     Homepage:            http://userspace.selinuxproject.org
     Description:         SELinux policy compiler

[I] sys-libs/libsepol
     Available versions:  [M]2.0.41!t [M](~)2.0.42!t {M}(~)2.1.0!t
     Installed versions:  2.1.0!t(01:25:43 PM 10/14/2011)
     Homepage:            http://userspace.selinuxproject.org
     Description:         SELinux binary policy representation library
</code>


Firstly, extract the module from the .pp file:

<code bash>
semodule_unpackage postgreylocal.pp postgreylocal.mod
</code>

and secondly, disassemble it with dismod. dismod is not installed as a binary on Gentoo; it is built from the test directory of the checkpolicy source tree:

<code bash>
# cd checkpolicy-2.1.0/test/
# ls
dismod.c  dispol.c  Makefile
# make
cc -g -Wall -O2 -pipe -I/usr/include   -c -o dispol.o dispol.c
dispol.c: In function ‘main’:
dispol.c:438:8: warning: ignoring return value of ‘fgets’, declared with attribute warn_unused_result
dispol.c:465:9: warning: ignoring return value of ‘fgets’, declared with attribute warn_unused_result
dispol.c:476:9: warning: ignoring return value of ‘fgets’, declared with attribute warn_unused_result
dispol.c:500:9: warning: ignoring return value of ‘fgets’, declared with attribute warn_unused_result
cc   dispol.o  -lfl -lsepol -lselinux /usr/lib/libsepol.a -L/usr/lib -o dispol
cc -g -Wall -O2 -pipe -I/usr/include   -c -o dismod.o dismod.c
dismod.c: In function ‘main’:
dismod.c:913:8: warning: ignoring return value of ‘fgets’, declared with attribute warn_unused_result
dismod.c:982:9: warning: ignoring return value of ‘fgets’, declared with attribute warn_unused_result
dismod.c: In function ‘link_module’:
dismod.c:787:7: warning: ignoring return value of ‘fgets’, declared with attribute warn_unused_result
cc   dismod.o  -lfl -lsepol -lselinux /usr/lib/libsepol.a -L/usr/lib -o dismod
# ls
dismod  dismod.c  dismod.o  dispol  dispol.c  dispol.o  Makefile
</code>


Running dismod on the module loads it and presents an interactive menu:

<code bash>
./dismod postgreylocal.pp
Reading policy...
libsepol.policydb_index_others: security:  0 users, 1 roles, 3 types, 0 bools
libsepol.policydb_index_others: security: 0 sens, 0 cats
libsepol.policydb_index_others: security:  2 classes, 0 rules, 0 cond rules
libsepol.policydb_index_others: security:  0 users, 1 roles, 3 types, 0 bools
libsepol.policydb_index_others: security: 0 sens, 0 cats
libsepol.policydb_index_others: security:  2 classes, 0 rules, 0 cond rules
Binary policy module file loaded.
Module name: postgreylocal
Module version: 1.0


Select a command:
1)  display unconditional AVTAB
2)  display conditional AVTAB
3)  display users
4)  display bools
5)  display roles
6)  display types, attributes, and aliases
7)  display role transitions
8)  display role allows
9)  Display policycon
0)  Display initial SIDs

a)  Display avrule requirements
b)  Display avrule declarations
c)  Display policy capabilities
l)  Link in a module
u)  Display the unknown handling setting
F)  Display filename_trans rules

f)  set output file
m)  display menu
q)  quit
</code>


Command 1 prints the unconditional AVTAB, i.e. the allow rules from the .te file, and command a prints the requirements, i.e. the contents of its require block:

<code>
Command ('m' for menu):  1
unconditional avtab:
--- begin avrule block ---
decl 1:
  allow [postfix_smtpd_t] [initrc_t] : [unix_stream_socket] { connectto };
  allow [postfix_smtpd_t] [postfix_spool_t] : [sock_file] { write };

Command ('m' for menu):  a
avrule block requirements:
--- begin avrule block ---
decl 1:
commons: <empty>
classes: sock_file{  write } unix_stream_socket{  connectto }
roles  : <empty>
types  : postfix_smtpd_t postfix_spool_t initrc_t
users  : <empty>
bools  : <empty>
levels : <empty>
cats   : <empty>

Command ('m' for menu):
</code>

===== Comments =====

On Fedora it is named sedismod. It is already available along with checkpolicy and semodule_unpackage with the default installation. Btw, via semodule_unpackage foo.pp foo.mod foo.fc you can also extract the filecontexts file.

**.pp** files are stored internally in bzip2 format, so you'll need to do bzip2 -cdk policyfile.pp > policyfile.pp.out BEFORE semodule_unpackage policyfile.pp.out policyfile.mod.
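The bzip2 point from the comment above, as an added Python example that is neither the wiki's nor the commenter's code: it sniffs the first bytes of a policy package, strips the bzip2 wrapper when one is present (what the bzip2 -cdk step does), and classifies the result so a script can tell a package semodule_unpackage will accept from a raw .mod that dismod reads directly. The function names are my own, the sample package is a constructed header rather than a real policy, and the two magic numbers are assumptions taken from my memory of libsepol's headers (SEPOL_MODULE_PACKAGE_MAGIC and POLICYDB_MOD_MAGIC); check them against the headers installed with your libsepol before relying on them.

```python
import bz2
import struct

# bzip2 stream header; a .pp written by semodule_package is normally wrapped in it.
BZIP2_MAGIC = b"BZh"

# Assumed values (from memory of libsepol's module.h / policydb.h); verify locally.
MODULE_PACKAGE_MAGIC = 0xF97CFF8F  # .pp package header, read by semodule_unpackage
POLICY_MODULE_MAGIC = 0xF97CFF8D   # .mod policy module header, read by dismod

def is_bzip2(data: bytes) -> bool:
    return data[:3] == BZIP2_MAGIC

def unwrap(data: bytes) -> bytes:
    """Strip the bzip2 wrapper if present; otherwise return the bytes unchanged."""
    return bz2.decompress(data) if is_bzip2(data) else data

def classify(data: bytes) -> str:
    """Name the container the leading bytes announce: bzip2 wrapper, raw
    package, raw policy module, or unknown. Headers are little-endian."""
    if is_bzip2(data):
        return "bzip2"
    if len(data) < 4:
        return "unknown"
    (magic,) = struct.unpack("<I", data[:4])
    if magic == MODULE_PACKAGE_MAGIC:
        return "package"
    if magic == POLICY_MODULE_MAGIC:
        return "module"
    return "unknown"

def prepare_for_unpackage(src_path: str, dst_path: str) -> str:
    """Write the unwrapped bytes of src_path to dst_path (the policyfile.pp.out
    of the comment) and return the classification of what was written, so the
    caller knows whether semodule_unpackage will accept it."""
    with open(src_path, "rb") as f:
        raw = unwrap(f.read())
    with open(dst_path, "wb") as f:
        f.write(raw)
    return classify(raw)

# Constructed sample: a fake package header (magic, version 1, zero sections)
# followed by filler, bzip2-wrapped the way a real .pp would be. Not a real policy.
FAKE_PACKAGE = struct.pack("<III", MODULE_PACKAGE_MAGIC, 1, 0) + b"constructed-body"
WRAPPED_PACKAGE = bz2.compress(FAKE_PACKAGE)

if __name__ == "__main__":
    print(classify(WRAPPED_PACKAGE), "->", classify(unwrap(WRAPPED_PACKAGE)))
```

Only the wrapper detection is independent of the libsepol version; the magic comparison is the part to confirm against your headers, and an "unknown" result is the signal to look at the file by hand rather than feed it to semodule_unpackage.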

selinux/selinux_policy_module.1468508942.txt.gz · Last modified: 2020/07/15 09:30 (external edit)