如何查看 SELinux 策略包的内容

Question

如何查看 SELinux 策略包的内容

正如标题所说，如何查看 SELinux 策略包的内容？生成的文件以 .pp 结尾。我在 centos 6 上运行，但我想在“所有”发行版上也是如此。

例如

    cp /usr/share/selinux/targeted/cobbler.pp.bz2 ~
    bunzip2 cobbler.pp.bz2 
    MAGIC_SELINUX_CMD cobbler.pp

Run Code Online (Sandbox Code Playgroud)

Answer 1

qua*_*nta 19

SELinux 策略模块的构建步骤如下：

生成一组策略规则： audit2allow
编译： checkmodule
建造： semodule_package

http://wiki.centos.org/HowTos/SELinux

假设我有一个postgreylocal.te包含以下内容的文件：

module postgreylocal 1.0;
require {
        type postfix_smtpd_t;
        type postfix_spool_t;
        type initrc_t;
        class sock_file write;
        class unix_stream_socket connectto;
}
#============= postfix_smtpd_t ==============
allow postfix_smtpd_t initrc_t:unix_stream_socket connectto;
allow postfix_smtpd_t postfix_spool_t:sock_file write;

Run Code Online (Sandbox Code Playgroud)

postgreylocal.pp 策略模块将使用以下内容创建：

# checkmodule -M -m -o postgreylocal.mod postgreylocal.te
# semodule_package -m postgreylocal.mod -o postgreylocal.pp

Run Code Online (Sandbox Code Playgroud)

要解压此策略模块，您需要一个名为semodule_unpackage的工具来提取.mod文件，然后用于dismod将二进制模块反汇编为文本表示。

在我的 Gentoo 上，需要安装以下软件包：

[I] sys-apps/policycoreutils
     Available versions:  [M]2.0.82 [M](~)2.0.82-r1 [M](~)2.0.85 [M](~)2.1.0 {M}(~)2.1.0-r1
     Installed versions:  2.1.0-r1(05:12:27 PM 10/14/2011)
     Homepage:            http://userspace.selinuxproject.org
     Description:         SELinux core utilities

[I] sys-apps/checkpolicy
     Available versions:  [M]2.0.21 [M](~)2.0.23 {M}(~)2.1.0 {debug}
     Installed versions:  2.1.0(01:27:53 PM 10/14/2011)(-debug)
     Homepage:            http://userspace.selinuxproject.org
     Description:         SELinux policy compiler

[I] sys-libs/libsepol
     Available versions:  [M]2.0.41!t [M](~)2.0.42!t {M}(~)2.1.0!t
     Installed versions:  2.1.0!t(01:25:43 PM 10/14/2011)
     Homepage:            http://userspace.selinuxproject.org
     Description:         SELinux binary policy representation library

Run Code Online (Sandbox Code Playgroud)

首先，从.pp文件中提取模块：

# semodule_unpackage postgreylocal.pp postgreylocal.mod

Run Code Online (Sandbox Code Playgroud)

其次，拆解dismod：

# cd checkpolicy-2.1.0/test/
# ls
dismod.c  dispol.c  Makefile
# make
cc -g -Wall -O2 -pipe -I/usr/include   -c -o dispol.o dispol.c
dispol.c: In function ‘main’:
dispol.c:438:8: warning: ignoring return value of ‘fgets’, declared with attribute warn_unused_result
dispol.c:465:9: warning: ignoring return value of ‘fgets’, declared with attribute warn_unused_result
dispol.c:476:9: warning: ignoring return value of ‘fgets’, declared with attribute warn_unused_result
dispol.c:500:9: warning: ignoring return value of ‘fgets’, declared with attribute warn_unused_result
cc   dispol.o  -lfl -lsepol -lselinux /usr/lib/libsepol.a -L/usr/lib -o dispol
cc -g -Wall -O2 -pipe -I/usr/include   -c -o dismod.o dismod.c
dismod.c: In function ‘main’:
dismod.c:913:8: warning: ignoring return value of ‘fgets’, declared with attribute warn_unused_result
dismod.c:982:9: warning: ignoring return value of ‘fgets’, declared with attribute warn_unused_result
dismod.c: In function ‘link_module’:
dismod.c:787:7: warning: ignoring return value of ‘fgets’, declared with attribute warn_unused_result
cc   dismod.o  -lfl -lsepol -lselinux /usr/lib/libsepol.a -L/usr/lib -o dismod
# ls
dismod  dismod.c  dismod.o  dispol  dispol.c  dispol.o  Makefile

Run Code Online (Sandbox Code Playgroud)

./dismod postgreylocal.pp
Reading policy...
libsepol.policydb_index_others: security:  0 users, 1 roles, 3 types, 0 bools
libsepol.policydb_index_others: security: 0 sens, 0 cats
libsepol.policydb_index_others: security:  2 classes, 0 rules, 0 cond rules
libsepol.policydb_index_others: security:  0 users, 1 roles, 3 types, 0 bools
libsepol.policydb_index_others: security: 0 sens, 0 cats
libsepol.policydb_index_others: security:  2 classes, 0 rules, 0 cond rules
Binary policy module file loaded.
Module name: postgreylocal
Module version: 1.0


Select a command:
1)  display unconditional AVTAB
2)  display conditional AVTAB
3)  display users
4)  display bools
5)  display roles
6)  display types, attributes, and aliases
7)  display role transitions
8)  display role allows
9)  Display policycon
0)  Display initial SIDs

a)  Display avrule requirements
b)  Display avrule declarations
c)  Display policy capabilities
l)  Link in a module
u)  Display the unknown handling setting
F)  Display filename_trans rules

f)  set output file
m)  display menu
q)  quit

Run Code Online (Sandbox Code Playgroud)

Command ('m' for menu):  1
unconditional avtab:
--- begin avrule block ---
decl 1:
  allow [postfix_smtpd_t] [initrc_t] : [unix_stream_socket] { connectto };
  allow [postfix_smtpd_t] [postfix_spool_t] : [sock_file] { write };

Command ('m' for menu):  a
avrule block requirements:
--- begin avrule block ---
decl 1:
commons: <empty>
classes: sock_file{  write } unix_stream_socket{  connectto }
roles  : <empty>
types  : postfix_smtpd_t postfix_spool_t initrc_t
users  : <empty>
bools  : <empty>
levels : <empty>
cats   : <empty>

Command ('m' for menu):

Run Code Online (Sandbox Code Playgroud)

仅供参考，在 Fedora (17) 上是 `sedismod`。它已经与默认安装的 `checkpolicy` 和 `semodule_unpack` 一起可用。顺便说一句，通过`semodule_unpackage foo.pp foo.mod foo.fc` 你还可以提取filecontexts 文件。 (5认同)

归档时间：	14 年前
查看次数：	33147 次
最近记录：	9 年，7 月前