Old 12-07-2011, 09:50 AM   #1
TJNII
LQ Newbie
 
Registered: Aug 2011
Distribution: Gentoo, Debian, RHEL
Posts: 12

Rep: Reputation: Disabled
SELinux: Show current module policy


I have a Cent6 box running SELinux that I need to modify SELinux policy on. The service that I need to make the change already has a policy file in /etc/selinux/targeted/modules/active/modules/[service].pp. I want to append to the existing rules, not overwrite them with a new module. How do I decompile the .pp file to view its contents? My intention would be to generate a .te file from the .pp file, merge it with my new .te file, and replace the existing policy.
 
Old 12-11-2011, 08:35 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by TJNII View Post
I have a Cent6 box running SELinux that I need to modify SELinux policy on. The service that I need to make the change already has a policy file in /etc/selinux/targeted/modules/active/modules/[service].pp. I want to append to the existing rules, not overwrite them with a new module. How do I decompile the .pp file to view its contents? My intention would be to generate a .te file from the .pp file, merge it with my new .te file, and replace the existing policy.
Simple answer (not that you'll like it) is you don't (OK, AFAIK). Since you just want to add to an existing policy just create the necessary [whatevername].te, .if and .fc files, add whatever rules you need then use the provided Makefile and 'semodule' tool to compile and add your additional rules to the module store.
 
Old 12-12-2011, 08:12 AM   #3
TJNII
LQ Newbie
 
Registered: Aug 2011
Distribution: Gentoo, Debian, RHEL
Posts: 12

Original Poster
Rep: Reputation: Disabled
From an administration standpoint I find this hard to believe. There must be some way to show what selinux rules the kernel is enforcing. There has to be a better way than just appending to a set of functionally write-only files whenever a change is needed.
 
Old 12-12-2011, 02:36 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by TJNII View Post
There must be some way to show what selinux rules the kernel is enforcing.
That is a completely different question.


Quote:
Originally Posted by TJNII View Post
There has to be a (..) way (..)
Look at the selinux-policy-%{version}.el5.src.rpm and http://oss.tresys.com/projects/refpolicy.
 
Old 12-12-2011, 04:27 PM   #5
TJNII
LQ Newbie
 
Registered: Aug 2011
Distribution: Gentoo, Debian, RHEL
Posts: 12

Original Poster
Rep: Reputation: Disabled
Quote:
Look at the selinux-policy-%{version}.el5.src.rpm and http://oss.tresys.com/projects/refpolicy.
Well, that still doesn't answer my question as it assumes the bundled policy has not already been appended. If a previous admin has already appended to the policy, how do I figure out what has been done? I would like to find a solution that prints exactly what a running kernel is enforcing.
 
Old 12-12-2011, 06:24 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Use the tools from the setools package.
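
The workflow the replies above point to, as an added example that is not part of any post in this thread: list the installed modules and query the allow rules for a domain with setools, then put extra rules in a separate local module built with the policy development Makefile and loaded with semodule. Assumptions: the Makefile path is the one the RHEL-family selinux-policy development files install, and `myservice_local`, `myservice_t` and `var_log_t` in the usage comment are constructed names.

```shell
#!/bin/bash
# Added example (not from the thread). Assumes setools (sesearch), semodule
# and the selinux-policy development Makefile are installed on the host.

DEVEL_MAKEFILE=/usr/share/selinux/devel/Makefile   # assumed RHEL-family path

# Show which modules are in the store and which allow rules the installed
# policy holds for one source domain.
# $1 = domain type, e.g. the hypothetical myservice_t
audit_domain() {
    semodule -l
    sesearch --allow -s "$1"
}

# Write a local module skeleton: <dir>/<module>.te plus empty .if and .fc.
# $1 = module name, $2 = output dir, remaining args = existing types the
# new rules refer to; the rules themselves are read from stdin.
write_local_module() {
    mod=$1; dir=$2; shift 2
    mkdir -p "$dir"
    : > "$dir/$mod.if"     # no interfaces exported
    : > "$dir/$mod.fc"     # no file contexts added
    {
        printf 'policy_module(%s, 1.0.0)\n\nrequire {\n' "$mod"
        for t in "$@"; do printf '    type %s;\n' "$t"; done
        printf '}\n\n'
        cat                # append the rules supplied on stdin
    } > "$dir/$mod.te"
}

# Compile the module with the distribution Makefile, load it into the
# module store, and confirm it is listed.
# $1 = module name, $2 = directory holding the .te/.if/.fc files
build_and_load() {
    make -C "$2" -f "$DEVEL_MAKEFILE" "$1.pp" &&
        semodule -i "$2/$1.pp" &&
        semodule -l | grep "^$1"
}

# Usage (constructed names):
#   audit_domain myservice_t
#   echo 'allow myservice_t var_log_t:file read;' |
#       write_local_module myservice_local ./myservice_local myservice_t var_log_t
#   build_and_load myservice_local ./myservice_local
```

Because the added rules live in their own module, `semodule -r myservice_local` removes them again without touching the module shipped for the service.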
 
  

