====== Ubuntu - SELinux - SELinux Policy Module ======
A SELinux policy module is built by following steps:
* Generate a set of policy rules: audit2allow
* Compile: checkmodule
* Build: semodule_package
See http://wiki.centos.org/HowTos/SELinux
----
Assuming that I have a postgreylocal.te file with the following content:
module postgreylocal 1.0;
require {
type postfix_smtpd_t;
type postfix_spool_t;
type initrc_t;
class sock_file write;
class unix_stream_socket connectto;
}
#============= postfix_smtpd_t ==============
allow postfix_smtpd_t initrc_t:unix_stream_socket connectto;
allow postfix_smtpd_t postfix_spool_t:sock_file write;
The postgreylocal.pp policy module will be created with:
# checkmodule -M -m -o postgreylocal.mod postgreylocal.te
# semodule_package -m postgreylocal.mod -o postgreylocal.pp
To unpack (disassemble) this policy module, you need a tool which is called **semodule_unpackage** to extract the .mod file and then use **dismod** to disassemble the binary module to textual representation.
On my Gentoo, the following packages need to be installed:
[I] sys-apps/policycoreutils
Available versions: [M]2.0.82 [M](~)2.0.82-r1 [M](~)2.0.85 [M](~)2.1.0 {M}(~)2.1.0-r1
Installed versions: 2.1.0-r1(05:12:27 PM 10/14/2011)
Homepage: http://userspace.selinuxproject.org
Description: SELinux core utilities
[I] sys-apps/checkpolicy
Available versions: [M]2.0.21 [M](~)2.0.23 {M}(~)2.1.0 {debug}
Installed versions: 2.1.0(01:27:53 PM 10/14/2011)(-debug)
Homepage: http://userspace.selinuxproject.org
Description: SELinux policy compiler
[I] sys-libs/libsepol
Available versions: [M]2.0.41!t [M](~)2.0.42!t {M}(~)2.1.0!t
Installed versions: 2.1.0!t(01:25:43 PM 10/14/2011)
Homepage: http://userspace.selinuxproject.org
Description: SELinux binary policy representation library
Firstly, extract the module from .pp file:
semodule_unpackage postgreylocal.pp postgreylocal.mod
and secondly, disassemble with dismod:
# cd checkpolicy-2.1.0/test/
# ls
dismod.c dispol.c Makefile
# make
cc -g -Wall -O2 -pipe -I/usr/include -c -o dispol.o dispol.c
dispol.c: In function ‘main’:
dispol.c:438:8: warning: ignoring return value of ‘fgets’, declared with attribute warn_unused_result
dispol.c:465:9: warning: ignoring return value of ‘fgets’, declared with attribute warn_unused_result
dispol.c:476:9: warning: ignoring return value of ‘fgets’, declared with attribute warn_unused_result
dispol.c:500:9: warning: ignoring return value of ‘fgets’, declared with attribute warn_unused_result
cc dispol.o -lfl -lsepol -lselinux /usr/lib/libsepol.a -L/usr/lib -o dispol
cc -g -Wall -O2 -pipe -I/usr/include -c -o dismod.o dismod.c
dismod.c: In function ‘main’:
dismod.c:913:8: warning: ignoring return value of ‘fgets’, declared with attribute warn_unused_result
dismod.c:982:9: warning: ignoring return value of ‘fgets’, declared with attribute warn_unused_result
dismod.c: In function ‘link_module’:
dismod.c:787:7: warning: ignoring return value of ‘fgets’, declared with attribute warn_unused_result
cc dismod.o -lfl -lsepol -lselinux /usr/lib/libsepol.a -L/usr/lib -o dismod
# ls
dismod dismod.c dismod.o dispol dispol.c dispol.o Makefile
./dismod postgreylocal.pp
Reading policy...
libsepol.policydb_index_others: security: 0 users, 1 roles, 3 types, 0 bools
libsepol.policydb_index_others: security: 0 sens, 0 cats
libsepol.policydb_index_others: security: 2 classes, 0 rules, 0 cond rules
libsepol.policydb_index_others: security: 0 users, 1 roles, 3 types, 0 bools
libsepol.policydb_index_others: security: 0 sens, 0 cats
libsepol.policydb_index_others: security: 2 classes, 0 rules, 0 cond rules
Binary policy module file loaded.
Module name: postgreylocal
Module version: 1.0
Select a command:
1) display unconditional AVTAB
2) display conditional AVTAB
3) display users
4) display bools
5) display roles
6) display types, attributes, and aliases
7) display role transitions
8) display role allows
9) Display policycon
0) Display initial SIDs
a) Display avrule requirements
b) Display avrule declarations
c) Display policy capabilities
l) Link in a module
u) Display the unknown handling setting
F) Display filename_trans rules
f) set output file
m) display menu
q) quit
Command ('m' for menu): 1
unconditional avtab:
--- begin avrule block ---
decl 1:
allow [postfix_smtpd_t] [initrc_t] : [unix_stream_socket] { connectto };
allow [postfix_smtpd_t] [postfix_spool_t] : [sock_file] { write };
Command ('m' for menu): a
avrule block requirements:
--- begin avrule block ---
decl 1:
commons:
classes: sock_file{ write } unix_stream_socket{ connectto }
roles :
types : postfix_smtpd_t postfix_spool_t initrc_t
users :
bools :
levels :
cats :
Command ('m' for menu):
----
===== Comments =====
On Fedora it is named,sedismod. It is already available along with checkpolicy and semodule_unpack with the default installation.
Btw, via semodule_unpackage foo.pp foo.mod foo.fc you can also extract the filecontexts file.
**.pp** files are stored internally in bzip2 format, so you'll need to do bzip2 -cdk policyfile.pp > policyfile.pp.out BEFORE semodule_unpackage policyfile.pp.out policyfile.mod.