Hi,
depends on the scale.

If you just need to identify the policy module of one specific service, try searching for the service name in the “# semodule -l” output (modules are usually named after the corresponding service).
If that doesn't help (sometimes 1 module contains policy rules for more services), I would go with Lukas's suggestion, which was to download the selinux-policy repository from github (https://github.com/fedora-selinux/selinux-policy) and search for the selinux type of the service you are interested in.

Let's say you want the policy module of the bluetooth daemon.

# ps -efZ | grep bluetoothd
system_u:system_r:bluetooth_t:s0 root 764 1 0 09:09 ? 00:00:00 /usr/libexec/bluetooth/bluetoothd

The bluetoothd process has the label “bluetooth_t”. A search for “bluetooth_t” in the selinux-policy repository (branch rawhide-contrib) shows that the type was defined in “bluetooth.te”.

$ grep -R bluetooth_t
bluetooth.te:type bluetooth_t;

If you want to map all running services to their respective policy modules, the fastest way would be to search for the type of the running process in the file I enclosed with this email (all selinux policy modules in Fedora 23 and types defined in them). Each line contains the following:
module_name:domain_types:resource_types
I won't go into details since obtaining this mapping is not so straightforward.

Hope this helps.

Vit Mojzis
SELinux Solutions
Red Hat, Inc.

----- Original Message -----
From: "Lukas Vrabec" <lvrabec@xxxxxxxxxx>
To: selinux@xxxxxxxxxxxxxxxxxxxxxxx, "Vit Mojzis" <vmojzis@xxxxxxxxxx>
Sent: Thursday, April 7, 2016 10:20:57 AM
Subject: Re: SElinux Query

On 04/06/2016 08:04 PM, Naina Emmanuel wrote:
> Thanks for the response...
> Please tell that how can we map the service running to its module?
> My use case is, ps -efZ will tell which services are running(enforced
> modules) how can we map that running service to its module( that is
> applying a policy to that Service?)
>

Vit Mojzis can help you here.

> Thanks in advance
>
> Engr. Naina Emmanuel
>
> On Apr 5, 2016 2:51 PM, "Miroslav Grepl" <mgrepl@xxxxxxxxxx
> <mailto:mgrepl@xxxxxxxxxx>> wrote:
>
> On 04/03/2016 10:20 AM, Naina Emmanuel wrote:
> > Good Afternoon
> > Can u please help me and tell...
> > 1) how we can check, which policy modules are actually enforced? means
> > which services are being secured by selinux. because #semodule -l gives
> > loaded modules, but which are being secured how can we check that???
>
> Good point. You can play around
>
> $ seinfo -xadomain
>
> > 2) If i don't understand any macro, from where i can get its description
> > or help?
>
> You are looking for
>
> $ firefox /usr/share/doc/selinux-policy/html/index.html
>
> $ rpm -qf /usr/share/doc/selinux-policy/html/index.html
> selinux-policy-doc-3.13.1-180.fc25.noarch
>
> > thanks in advance
> >
> > Engr. Naina Emmanuel
> > Linux Essential Certified (LEPDC)
> > Cisco Certified Network Associate (CCNA)
> > Computer Engineering Department, UET Taxila
> > Information Security, CS Department, CIIT Islamabad
> >
> > --
> > selinux mailing list
> > selinux@xxxxxxxxxxxxxxxxxxxxxxx
> > http://lists.fedoraproject.org/admin/lists/selinux@xxxxxxxxxxxxxxxxxxxxxxx
>
> --
> Miroslav Grepl
> Senior Software Engineer, SELinux Solutions
> Red Hat, Inc.
>

--
Lukas Vrabec
SELinux Solutions
Red Hat, Inc.
Attachment:
domain_groups_cil.conf
Description: Binary data
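The lookup described in this message (take the type from the process label, then find the .te file that declares it), as an added example that is not part of the original email or of the selinux-policy project. It assumes a local checkout of the repository and GNU grep; the function names, the `exampled_t` type and the sample files are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: map SELinux process types to the .te file that declares them.
# Assumption: the directory argument is a local checkout of selinux-policy.

# Print the type (third field) of a context like system_u:system_r:bluetooth_t:s0
type_of_context() {
    printf '%s\n' "$1" | awk -F: 'NF >= 3 { print $3 }'
}

# Print the module (file name without .te) declaring type $2 under directory $1.
# Matches "type foo_t;" and "type foo_t, attr;", not uses such as "allow foo_t ...".
module_for_type() {
    local dir=$1 t=$2
    grep -rlE --include='*.te' "^[[:space:]]*type[[:space:]]+${t}[[:space:]]*[;,]" "$dir" \
        | while IFS= read -r f; do basename "$f" .te; done | sort -u
}

# Read "ps -efZ" style lines on stdin (context in column 1) and print
# "type module" once per distinct type; "-" means no declaration was found.
map_processes() {
    local dir=$1 ctx t m
    awk '{ print $1 }' | sort -u | while IFS= read -r ctx; do
        t=$(type_of_context "$ctx")
        [ -n "$t" ] || continue          # skips the header line and "-" labels
        m=$(module_for_type "$dir" "$t" | paste -sd, -)
        printf '%s %s\n' "$t" "${m:--}"
    done | sort -u
}

# Constructed sample: a tiny stand-in for the repository and a few ps lines.
demo() {
    local dir; dir=$(mktemp -d)
    printf 'type bluetooth_t;\ntype bluetooth_exec_t;\n' > "$dir/bluetooth.te"
    printf 'type exampled_t, domain;\nallow exampled_t bluetooth_t:fd use;\n' > "$dir/example.te"
    printf '%s\n' \
      'LABEL UID PID PPID C STIME TTY TIME CMD' \
      'system_u:system_r:bluetooth_t:s0 root 764 1 0 09:09 ? 00:00:00 /usr/libexec/bluetooth/bluetoothd' \
      'system_u:system_r:exampled_t:s0-s0:c0.c1023 root 901 1 0 09:09 ? 00:00:00 /usr/sbin/exampled' \
      'system_u:system_r:kernel_t:s0 root 2 0 0 09:09 ? 00:00:00 [kthreadd]' \
      | map_processes "$dir"
    rm -rf "$dir"
}
demo
```

A `-` in the output means no literal `type` statement was found in any .te file, for instance when the type is declared through an interface template instead.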