* pp2te
From: Tim @ 2011-12-07 19:13 UTC (permalink / raw)
To: SELinux
Is there any way to convert targeted policy .pp files to .te files?
Thanks
Tim
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: pp2te
From: Stephen Smalley @ 2011-12-08 13:48 UTC (permalink / raw)
To: Tim; +Cc: SELinux
On Wed, 2011-12-07 at 14:13 -0500, Tim wrote:
> Is there any way to convert targeted policy .pp files to .te files?
Closest approximation would be to use semodule_unpackage to extract the
binary .mod file from the .pp file, and then to use dismod to
disassemble the binary .mod file. semodule_unpackage.c attached if you
don't have it and dismod is in the checkpolicy source tree (but not
built as part of the Fedora package).
$ gcc -o semodule_unpackage semodule_unpackage.c -lsepol
$ bunzip2 -c /usr/share/selinux/targeted/apache.pp.bz2 > apache.pp
$ ./semodule_unpackage apache.pp apache.mod apache.fc
$ checkpolicy/test/dismod apache.mod
--
Stephen Smalley
National Security Agency
[-- Attachment #2: semodule_unpackage.c --]
[-- Type: text/x-csrc, Size: 2359 bytes --]
#include <sepol/module.h>
#include <getopt.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <errno.h>

char *progname = NULL;
extern char *optarg;

static void usage(char *progname)
{
	printf("usage: %s ppfile modfile [fcfile]\n", progname);
	exit(1);
}

/* Open filename with the given mode and wrap it in a sepol_policy_file. */
static int file_to_policy_file(char *filename, struct sepol_policy_file **pf, char *mode)
{
	FILE *f;

	if (sepol_policy_file_create(pf)) {
		fprintf(stderr, "%s: Out of memory\n", progname);
		return -1;
	}

	f = fopen(filename, mode);
	if (!f) {
		fprintf(stderr, "%s: Could not open file %s: %s\n", progname, filename, strerror(errno));
		return -1;
	}
	sepol_policy_file_set_fp(*pf, f);
	return 0;
}

int main(int argc, char **argv)
{
	struct sepol_module_package *pkg;
	struct sepol_policy_file *in, *out;
	FILE *fp;
	size_t len;
	char *ppfile, *modfile, *fcfile = NULL, *fcdata;

	progname = argv[0];

	if (argc < 3) {
		usage(progname);
		exit(1);
	}

	ppfile = argv[1];
	modfile = argv[2];
	/* The file contexts output is optional and is the fourth argument. */
	if (argc >= 4)
		fcfile = argv[3];

	if (file_to_policy_file(ppfile, &in, "r"))
		exit(1);

	if (sepol_module_package_create(&pkg)) {
		fprintf(stderr, "%s: Out of memory\n", progname);
		exit(1);
	}

	/* Parse the .pp package: policy module plus optional file contexts. */
	if (sepol_module_package_read(pkg, in, 0) == -1) {
		fprintf(stderr, "%s: Error while reading policy module from %s\n",
			progname, ppfile);
		exit(1);
	}

	if (file_to_policy_file(modfile, &out, "w"))
		exit(1);

	/* Write the binary policy module (.mod) on its own. */
	if (sepol_policydb_write(sepol_module_package_get_policy(pkg), out)) {
		fprintf(stderr, "%s: Error while writing module to %s\n", progname, modfile);
		exit(1);
	}

	sepol_policy_file_free(in);
	sepol_policy_file_free(out);

	/* Write the file contexts section, if requested and present. */
	len = sepol_module_package_get_file_contexts_len(pkg);
	if (fcfile && len) {
		fp = fopen(fcfile, "w");
		if (!fp) {
			fprintf(stderr, "%s: Could not open file %s: %s\n", progname, fcfile, strerror(errno));
			exit(1);
		}
		fcdata = sepol_module_package_get_file_contexts(pkg);
		if (fwrite(fcdata, 1, len, fp) != len) {
			fprintf(stderr, "%s: Could not write file %s: %s\n", progname, fcfile, strerror(errno));
			exit(1);
		}
		fclose(fp);
	}

	sepol_module_package_free(pkg);
	exit(0);
}
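Added example, not part of the original thread or of libsepol: a stand-alone C reader for the .pp container header that semodule_unpackage takes apart, reporting where the binary module and file contexts sections start and flagging a file that has not been through the bunzip2 step yet. The names pp_sections and sample_pp are hypothetical, and the magic values and header layout are assumptions recalled from libsepol's headers that should be checked against your own tree.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Magic values as recalled from libsepol's headers (assumption: verify locally). */
#define PP_MAGIC  0xf97cff8fu /* module package container (.pp) */
#define MOD_MAGIC 0xf97cff8du /* binary policy module section (.mod) */
#define FC_MAGIC  0xf97cff90u /* file contexts section (.fc) */
#define MAX_SECTIONS 100u
/* Constructed sample: header, two offsets, then only each section's magic. */
static const unsigned char sample_pp[] = {
	0x8f,0xff,0x7c,0xf9, 0x01,0,0,0, 0x02,0,0,0, /* magic, version, nsec */
	0x14,0,0,0, 0x18,0,0,0,                      /* offsets 20 and 24 */
	0x8d,0xff,0x7c,0xf9, 0x90,0xff,0x7c,0xf9,    /* module, file contexts */
};

static uint32_t le32(const unsigned char *p)
{
	return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns the section count, or -1 truncated, -2 still bzip2-compressed,
 * -3 not a module package, -4 bad section table. Offsets are 0 if absent. */
int pp_sections(const unsigned char *b, size_t len, uint32_t *mod_off, uint32_t *fc_off)
{
	*mod_off = *fc_off = 0;
	if (len >= 3 && b[0] == 'B' && b[1] == 'Z' && b[2] == 'h') return -2;
	if (len < 12) return -1;
	if (le32(b) != PP_MAGIC) return -3;
	uint32_t nsec = le32(b + 8);
	if (nsec == 0 || nsec > MAX_SECTIONS || len < 12 + 4 * (size_t)nsec) return -4;
	uint32_t prev = 12 + 4 * nsec - 1;      /* sections start after the table */
	for (uint32_t i = 0; i < nsec; i++) {
		uint32_t off = le32(b + 12 + 4 * i);
		if (off <= prev || (size_t)off + 4 > len) return -4;
		uint32_t magic = le32(b + off);
		if (magic == MOD_MAGIC) *mod_off = off;
		else if (magic == FC_MAGIC) *fc_off = off;
		prev = off;
	}
	return (int)nsec;
}

int main(void)
{
	uint32_t mod, fc;
	int n = pp_sections(sample_pp, sizeof sample_pp, &mod, &fc);
	printf("sections=%d module@%u file_contexts@%u\n", n, (unsigned)mod, (unsigned)fc);
	return n > 0 ? 0 : 1;
}
```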
* Re: pp2te
From: Stephen Smalley @ 2011-12-08 14:14 UTC (permalink / raw)
To: Tim; +Cc: SELinux
On Thu, 2011-12-08 at 08:48 -0500, Stephen Smalley wrote:
> On Wed, 2011-12-07 at 14:13 -0500, Tim wrote:
> > Is there any way to convert targeted policy .pp files to .te files?
>
> Closest approximation would be to use semodule_unpackage to extract the
> binary .mod file from the .pp file, and then to use dismod to
> disassemble the binary .mod file. semodule_unpackage.c attached if you
> don't have it and dismod is in the checkpolicy source tree (but not
> built as part of the Fedora package).
>
> $ gcc -o semodule_unpackage semodule_unpackage.c -lsepol
> $ bunzip2 -c /usr/share/selinux/targeted/apache.pp.bz2 > apache.pp
> $ ./semodule_unpackage apache.pp apache.mod apache.fc
> $ checkpolicy/test/dismod apache.mod
Ah, looks like the Fedora checkpolicy package renames dismod to sedismod
to avoid naming conflicts. So you can just run sedismod on Fedora. And
semodule_unpackage has been added to recent versions of policycoreutils,
so you might have it depending on what version you are using.
--
Stephen Smalley
National Security Agency
* Re: pp2te
From: Eric Paris @ 2011-12-08 15:02 UTC (permalink / raw)
To: Stephen Smalley; +Cc: Tim, SELinux
On Thu, Dec 8, 2011 at 8:48 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On Wed, 2011-12-07 at 14:13 -0500, Tim wrote:
>> Is there any way to convert targeted policy .pp files to .te files?
>
> Closest approximation would be to use semodule_unpackage to extract the
> binary .mod file from the .pp file, and then to use dismod to
> disassemble the binary .mod file. semodule_unpackage.c attached if you
> don't have it and dismod is in the checkpolicy source tree (but not
> built as part of the Fedora package).
semodule_unpackage is provided in Fedora in policycoreutils.
dismod is provided in Fedora in checkpolicy, although we rename it to sedismod.
-Eric