Re: Knowing policy contents


 



On Mon, Feb 24, 2014 at 10:08:52AM -0500, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 02/24/2014 04:49 AM, Maciej Lasyk wrote:
> > On Mon, Feb 24, 2014 at 09:52:02AM +0100, Dominick Grift wrote:
> >> On Mon, 2014-02-24 at 00:44 +0100, Maciej Lasyk wrote:
> >>> Hi guys,
> >>> 
> >>> Let's say that I have file 
> >>> /etc/selinux/targeted/modules/active/modules/lvm.pp
> >>> 
> >>> What would be the easiest way to view the policy that this file 
> >>> contains? Normally when creating policy myself I firstly create .te
> >>> file which contains my desired policy rules.
> >>> 
> >>> But how could I know what the policy looks like for already created and 
> >>> loaded policies? Let's stick to that lvm.pp as the example.
> >>> 
> >>> Thanks for your help,
> >> 
> >> You can use the semodule_unpackage command to extract the policy package 
> >> (.pp) See man semodule_unpackage
> >> 
> >> Then you can disassemble the extracted module (.mod) with the (se)dismod 
> >> command (I do not believe there is a manual for that program but it's for
> >> example sedismod lvm.mod (or something))
> >> 
> >> The (se)dismod program has a menu that allows you to query most of the 
> >> module's content (what was in the lvm.te file)
> >> 
> >> The program is a bit unfriendly and rough on the edges but it does help
> > 
> > I already tried with semodule_unpackage (found out about it here: 
> > http://serverfault.com/questions/321301/how-do-i-view-the-contents-of-a-selinux-policy-package
> > ) but unfortunately every time I try to unpack *any* module from
> > targeted active modules I get:
> > 
> > root:modules/ # semodule_unpackage lvm.pp lvm.mod 
> > libsepol.module_package_read_offsets: wrong magic number for module package:  expected 0xf97cff8f, got 0x39685a42
> > semodule_unpackage:  Error while reading policy module from lvm.pp
> > 
> > Stracing this semodule_unpackage gave me nothing, so I got stuck here.
> > 
> > Is there any repo that I could browse .te files from the official Fedora /
> > targeted policy?
> > 
> > Maciek
> > 
> > 
> > 
> > -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx 
> > https://admin.fedoraproject.org/mailman/listinfo/selinux
> > 
> Usually sesearch is a better solution than just looking at the source.  The
> source is just going to show you the interfaces called, whereas sesearch will
> show you the results.
> 
> sesearch -A -s lvm_t
> 
> Will show you every allow rule that affects the lvm_t process domain.

Great - thanks - that really did the job :)


--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
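
Added example, not part of the original thread: the "got" value in the error quoted above, 0x39685a42, is the little-endian reading of the bytes 42 5a 68 39, which is ASCII "BZh9", a bzip2 stream header, so the file in the module store is bzip2-compressed rather than a raw policy package. The shell functions below check the magic before unpacking; the function names are hypothetical, and bzip2 is assumed to be installed alongside semodule_unpackage.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; the two magic values come
# from the libsepol error message quoted in the thread.
SEPOL_PP_MAGIC=f97cff8f   # "expected" value: a raw policy module package

# Print the first four bytes of a file as the little-endian 32-bit value that
# libsepol reports (bytes 42 5a 68 39 are printed as 39685a42).
pp_magic() {
    set -- $(od -An -tx1 -N4 < "$1" 2>/dev/null)
    [ $# -eq 4 ] || return 1          # missing, empty or shorter than 4 bytes
    printf '%s%s%s%s\n' "$4" "$3" "$2" "$1"
}

# Classify a .pp file by its magic number.
pp_kind() {
    magic=$(pp_magic "$1") || { echo unreadable; return 0; }
    case "$magic" in
        "$SEPOL_PP_MAGIC") echo module-package ;;
        3[1-9]685a42)      echo bzip2 ;;   # "BZh" followed by block size 1-9
        *)                 echo unknown ;;
    esac
}

# Write MOD from PP, decompressing first when the package is bzip2-compressed.
# Assumes bzip2 and semodule_unpackage are on PATH.
pp_to_mod() {
    pp=$1; mod=$2
    case "$(pp_kind "$pp")" in
        module-package)
            semodule_unpackage "$pp" "$mod" ;;
        bzip2)
            tmp=$(mktemp) || return 1
            rc=0
            bzip2 -dc "$pp" > "$tmp" || rc=$?
            # Only hand the result on if it now carries the expected magic.
            if [ "$rc" -eq 0 ] && [ "$(pp_kind "$tmp")" = module-package ]; then
                semodule_unpackage "$tmp" "$mod" || rc=$?
            else
                echo "$pp: decompressed data is not a policy package" >&2
                rc=1
            fi
            rm -f "$tmp"
            return "$rc" ;;
        *)
            echo "$pp: not a policy package" >&2
            return 1 ;;
    esac
}
```

Calling pp_to_mod lvm.pp lvm.mod then produces the .mod file that (se)dismod can read, as described earlier in the thread.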
