* using semodule_package
From: Clarkson, Mike R (US SSA) @ 2007-07-11 2:10 UTC
To: selinux

The manpage for semodule_package gives examples for how to use it:
semodule_package -o httpd.pp -m httpd.mod -f httpd.fc

Am I supposed to get the *.mod files for modules when I compile the
policy? I have a base.mod file, but no *.mod files for the loadable
modules. The closest that I have is <module_name>.mod.role files under
the .../policy/tmp directory.

I'd like to be able to use semodule_package to update file contexts
without having to recompile.

Thanks

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: using semodule_package
From: Stephen Smalley @ 2007-07-11 12:17 UTC
To: Clarkson, Mike R (US SSA)
Cc: selinux, Christopher J. PeBenito, Joshua Brindle, Karl MacMillan

On Tue, 2007-07-10 at 19:10 -0700, Clarkson, Mike R (US SSA) wrote:
> The manpage for semodule_package gives examples for how to use it:
> semodule_package -o httpd.pp -m httpd.mod -f httpd.fc
>
> Am I supposed to get the *.mod files for modules when I compile the
> policy? I have a base.mod file, but no *.mod files for the loadable
> modules. The closest that I have is <module_name>.mod.role files under
> the .../policy/tmp directory.
>
> I'd like to be able to use semodule_package to update file contexts
> without having to recompile.

It appears that the .mod files are removed at the end of the build
process after they have been packaged into .pp files. Not sure why.
Options, aside from tracking down the relevant makefile rule and
removing it, might include:
- regenerating the .mod via checkmodule on tmp/<name>.tmp, e.g.
  checkmodule -M -m tmp/zebra.tmp -o tmp/zebra.mod
or
- extracting the already built .mod file from the .pp file

I took the semodule_package.c code once and created a
semodule_unpackage.c file from it to unpack the .mod file, but never got
around to generalizing it (e.g. unpacking all of the files) or
committing it. Attached below for your amusement.
$ gcc -lsepol -o semodule_unpackage semodule_unpackage.c
$ ./semodule_unpackage zebra.pp zebra.mod

--
Stephen Smalley
National Security Agency

[-- Attachment #2: semodule_unpackage.c --]

/* Authors: Karl MacMillan <kmacmillan@tresys.com>
 *
 * Copyright (C) 2004 Tresys Technology, LLC
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, version 2.
 */

/* semodule_unpackage: read a .pp module package with libsepol and write
 * the policy section back out as a .mod file (the reverse of the -m step
 * of semodule_package). Only the policy section is extracted; file
 * contexts and the other sections are ignored. */

#include <sepol/module.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

static const char *progname = "semodule_unpackage";

static void usage(const char *name)
{
	fprintf(stderr, "usage: %s ppfile modfile\n", name);
	exit(1);
}

/* Wrap a stdio stream in a sepol_policy_file so libsepol can read or
 * write it. The FILE is handed back through *fp so the caller can close
 * (and therefore flush) it explicitly; sepol_policy_file_free() does not. */
static int file_to_policy_file(const char *filename, struct sepol_policy_file **pf,
			       const char *mode, FILE **fp)
{
	FILE *f;

	if (sepol_policy_file_create(pf)) {
		fprintf(stderr, "%s: Out of memory\n", progname);
		return -1;
	}

	f = fopen(filename, mode);
	if (!f) {
		/* filename first, then the errno text (the original had them swapped) */
		fprintf(stderr, "%s: Could not open file %s: %s\n",
			progname, filename, strerror(errno));
		return -1;
	}
	sepol_policy_file_set_fp(*pf, f);
	*fp = f;
	return 0;
}

int main(int argc, char **argv)
{
	struct sepol_module_package *pkg;
	struct sepol_policy_file *in, *out;
	FILE *fin, *fout;

	progname = argv[0];
	if (argc != 3)
		usage(argv[0]);

	if (file_to_policy_file(argv[1], &in, "r", &fin))
		exit(1);

	if (sepol_module_package_create(&pkg)) {
		fprintf(stderr, "%s: Out of memory\n", argv[0]);
		exit(1);
	}

	/* Parse the whole package: policy, file contexts, seusers, ... */
	if (sepol_module_package_read(pkg, in, 0) == -1) {
		fprintf(stderr, "%s: Error while reading policy module from %s\n",
			argv[0], argv[1]);
		exit(1);
	}

	if (file_to_policy_file(argv[2], &out, "w", &fout))
		exit(1);

	/* Serialize only the policydb section; that is what the .mod file held. */
	if (sepol_policydb_write(sepol_module_package_get_policy(pkg), out)) {
		fprintf(stderr, "%s: Error while writing module to %s\n",
			argv[0], argv[2]);
		exit(1);
	}

	if (fclose(fout) != 0) {
		fprintf(stderr, "%s: Error while closing %s: %s\n",
			argv[0], argv[2], strerror(errno));
		exit(1);
	}
	fclose(fin);
	sepol_policy_file_free(in);
	sepol_policy_file_free(out);
	sepol_module_package_free(pkg);
	exit(0);
}
* Re: using semodule_package
From: Joshua Brindle @ 2007-07-11 12:48 UTC
To: Stephen Smalley
Cc: Clarkson, Mike R (US SSA), selinux, Christopher J. PeBenito, Karl MacMillan

Stephen Smalley wrote:
> On Tue, 2007-07-10 at 19:10 -0700, Clarkson, Mike R (US SSA) wrote:
>
>> The manpage for semodule_package gives examples for how to use it:
>> semodule_package -o httpd.pp -m httpd.mod -f httpd.fc
>>
>> Am I supposed to get the *.mod files for modules when I compile the
>> policy? I have a base.mod file, but no *.mod files for the loadable
>> modules. The closest that I have is <module_name>.mod.role files under
>> the .../policy/tmp directory.
>>
>> I'd like to be able to use semodule_package to update file contexts
>> without having to recompile.
>>
>
> It appears that the .mod files are removed at the end of the build
> process after they have been packaged into .pp files. Not sure why.
>

It's a feature of make: all intermediate files without a specific target
are deleted after the build process. This used to be preventable by adding
.secondary to the Makefile, but there has been a long-standing bug that
keeps that from working.

> Options, aside from tracking down the relevant makefile rule and
> removing it, might include:
> - regenerating the .mod via checkmodule on tmp/<name>.tmp, e.g.
>   checkmodule -M -m tmp/zebra.tmp -o tmp/zebra.mod
> or
> - extracting the already built .mod file from the .pp file
>
> I took the semodule_package.c code once and created a
> semodule_unpackage.c file from it to unpack the .mod file, but never got
> around to generalizing it (e.g. unpacking all of the files) or
> committing it. Attached below for your amusement.
>
> $ gcc -lsepol -o semodule_unpackage semodule_unpackage.c
> $ ./semodule_unpackage zebra.pp zebra.mod
>
* RE: using semodule_package
From: Clarkson, Mike R (US SSA) @ 2007-07-25 17:40 UTC
To: selinux; +Cc: Stephen Smalley

The manpage for checkmodule shows the following example using a .te file:
checkmodule -M -m httpd.te -o httpd.mod

Is this correct?

It fails for me with the following error:

# checkmodule -M -m zebra.te -o zebra.mod
checkmodule: loading policy configuration from zebra.te
(unknown source)::ERROR 'syntax error' at token 'policy_module' on line 2:
policy_module(zebra,1.3.0)

checkmodule: error(s) encountered while parsing configuration

The example below (from Stephen Smalley's below email) uses the .tmp file
and works:
checkmodule -M -m tmp/zebra.tmp -o tmp/zebra.mod

Although this successfully creates the zebra.mod file, when I try to use
the zebra.mod file with semodule_package to create a zebra.pp file, the
zebra.pp file appears to be invalid. When I try to load the zebra.pp
file, I get the following error:

# semodule -i /etc/selinux/refpolicy-targeted-mls/src/policy/tmp/zebra.pp
libsepol.context_from_record: user gen_context(system_u is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert gen_context(system_u:object_r:zebra_conf_t,s0) to sid
/etc/selinux/refpolicy-targeted-mls/contexts/files/file_contexts: line 398 has invalid context gen_context(system_u:object_r:zebra_conf_t,s0)
libsemanage.semanage_install_active: setfiles returned error code 1.
semodule: Failed!

I created the zebra.pp file with the following command:
semodule_package -o zebra.pp -m zebra.mod -f ../policy/modules/services/zebra.fc

The other thing that I notice is that although I made no changes to the
zebra.fc file (I'm just trying to successfully create a .pp file first),
the zebra.pp file that the semodule_package cmd creates is not the same
size as the original zebra.pp file. This happens even when I don't
include the -f option with the semodule_package command.

> -----Original Message-----
> From: Stephen Smalley [mailto:sds@tycho.nsa.gov]
> Sent: Wednesday, July 11, 2007 5:17 AM
> To: Clarkson, Mike R (US SSA)
> Cc: selinux@tycho.nsa.gov; Christopher J. PeBenito; Joshua Brindle; Karl MacMillan
> Subject: Re: using semodule_package
>
> On Tue, 2007-07-10 at 19:10 -0700, Clarkson, Mike R (US SSA) wrote:
> > The manpage for semodule_package gives examples for how to use it:
> > semodule_package -o httpd.pp -m httpd.mod -f httpd.fc
> >
> > Am I supposed to get the *.mod files for modules when I compile the
> > policy? I have a base.mod file, but no *.mod files for the loadable
> > modules. The closest that I have is <module_name>.mod.role files under
> > the .../policy/tmp directory.
> >
> > I'd like to be able to use semodule_package to update file contexts
> > without having to recompile.
>
> It appears that the .mod files are removed at the end of the build
> process after they have been packaged into .pp files. Not sure why.
> Options, aside from tracking down the relevant makefile rule and
> removing it, might include:
> - regenerating the .mod via checkmodule on tmp/<name>.tmp, e.g.
>   checkmodule -M -m tmp/zebra.tmp -o tmp/zebra.mod
> or
> - extracting the already built .mod file from the .pp file
>
> I took the semodule_package.c code once and created a
> semodule_unpackage.c file from it to unpack the .mod file, but never got
> around to generalizing it (e.g. unpacking all of the files) or
> committing it. Attached below for your amusement.
>
> $ gcc -lsepol -o semodule_unpackage semodule_unpackage.c
> $ ./semodule_unpackage zebra.pp zebra.mod
>
> --
> Stephen Smalley
> National Security Agency
* RE: using semodule_package
From: Stephen Smalley @ 2007-07-25 17:51 UTC
To: Clarkson, Mike R (US SSA); +Cc: selinux, Daniel J Walsh

On Wed, 2007-07-25 at 10:40 -0700, Clarkson, Mike R (US SSA) wrote:
> The manpage for checkmodule shows the following example using a .te
> file:
> checkmodule -M -m httpd.te -o httpd.mod
>
> Is this correct?
>
> It fails for me with the following error:
>
> # checkmodule -M -m zebra.te -o zebra.mod
> checkmodule: loading policy configuration from zebra.te
> (unknown source)::ERROR 'syntax error' at token 'policy_module' on line
> 2:
> policy_module(zebra,1.3.0)
>
> checkmodule: error(s) encountered while parsing configuration
>
>
> The example below (from Stephen Smalley's below email) uses the .tmp
> file and works:
> checkmodule -M -m tmp/zebra.tmp -o tmp/zebra.mod
>
>
> Although this successfully creates the zebra.mod file, when I try to use
> the zebra.mod file with semodule_package to create a zebra.pp file, the
> zebra.pp file appears to be invalid. When I try to load the zebra.pp
> file, I get the following error:
>
> # semodule -i
> /etc/selinux/refpolicy-targeted-mls/src/policy/tmp/zebra.pp
> libsepol.context_from_record: user gen_context(system_u is not defined
> libsepol.context_from_record: could not create context structure
> libsepol.context_from_string: could not create context structure
> libsepol.sepol_context_to_sid: could not convert
> gen_context(system_u:object_r:zebra_conf_t,s0) to sid
> /etc/selinux/refpolicy-targeted-mls/contexts/files/file_contexts: line
> 398 has invalid context gen_context(system_u:object_r:zebra_conf_t,s0)
> libsemanage.semanage_install_active: setfiles returned error code 1.
> semodule: Failed!
>
> I created the zebra.pp file with the following command:
> semodule_package -o zebra.pp -m zebra.mod -f
> ../policy/modules/services/zebra.fc
>
> The other thing that I notice is that although I made no changes to the
> zebra.fc file (I'm just trying to successfully create a .pp file first),
> the zebra.pp file that the semodule_package cmd creates is not the same
> size as the original zebra.pp file. This happens even when I don't
> include the -f option with the semodule_package command.

The errors you are encountering are because you aren't running your
files through the m4 preprocessor (with appropriate includes) prior to
compiling and/or packaging the files. At present, SELinux policy makes
heavy use of m4 preprocessing for macro expansion (e.g. policy_module
and gen_context are both macros). If you had simply done a 'make
zebra.pp', the Makefile would have taken care of preprocessing the
files, writing the preprocessed form to the .tmp files, and then feeding
those .tmp files to checkmodule and semodule_package. You of course
could do the same, but why not just use make?

--
Stephen Smalley
National Security Agency
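Two points in this thread lend themselves to one worked example: Stephen's second option (pulling the already-built .mod back out of a .pp, which his semodule_unpackage.c does through libsepol) and his diagnosis of the final error (an .fc that was never run through m4, so the literal text gen_context(...) ended up in the package's file_contexts section). The C below is an added example written for this page; it is not code from the thread, from libsepol or from the reference policy. It reads the .pp container without libsepol, from my reading of libsepol's module.c: a little-endian header of u32 magic 0xf97cff8f (SEPOL_MODULE_PACKAGE_MAGIC), u32 version, u32 section count and one u32 file offset per section, each section beginning with its own 4-byte magic (0xf97cff8d, the module policydb magic, for the policy section; 0xf97cff90 for file_contexts, followed by a u32 length and the text). Those constants and the layout are assumptions stated in the comments; the package image, the stand-in policy body and the fc lines are constructed test data, not real policy. It goes slightly beyond the thread by splitting every section with bounds checks rather than only the policy one, and by adding the preflight check a build script would want: refuse a package whose fc section still carries an unexpanded macro.

```c
/* Added example, not from the thread or libsepol: a dependency-free reader for
 * the .pp module-package container, plus a check for unpreprocessed .fc text.
 * Layout and magic values are assumptions taken from reading libsepol's module.c:
 *   u32 magic 0xf97cff8f | u32 version | u32 nsec | u32 offset[nsec]   (little-endian)
 *   each section starts with its own 4-byte magic at the given file offset. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PKG_MAGIC          0xf97cff8fu  /* SEPOL_MODULE_PACKAGE_MAGIC (assumed) */
#define POLICYDB_MOD_MAGIC 0xf97cff8du  /* first word of the policy (.mod) section (assumed) */
#define SECTION_FC         0xf97cff90u  /* file_contexts section: magic, u32 len, text (assumed) */
#define MAX_SECTIONS       16           /* sanity bound for this example */

struct section { uint32_t magic; const uint8_t *data; size_t len; };

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Split a package image into sections. Returns the section count, or -1 if the
 * header or any offset is inconsistent; nothing is dereferenced before its check. */
int pp_split(const uint8_t *buf, size_t len, struct section *out, int max) {
    if (len < 12 || rd32(buf) != PKG_MAGIC) return -1;
    uint32_t nsec = rd32(buf + 8);
    if (nsec == 0 || nsec > (uint32_t)max) return -1;
    size_t hdr = 12 + 4 * (size_t)nsec;
    if (len < hdr) return -1;
    uint32_t prev = 0;
    for (uint32_t i = 0; i < nsec; i++) {
        uint32_t off = rd32(buf + 12 + 4 * i);
        uint32_t end = (i + 1 < nsec) ? rd32(buf + 12 + 4 * (i + 1)) : (uint32_t)len;
        /* sections must be in order, inside the file, and at least one magic long */
        if (off < hdr || off < prev || end > len || end < off + 4) return -1;
        out[i].magic = rd32(buf + off);
        out[i].data = buf + off;
        out[i].len = end - off;
        prev = off;
    }
    return (int)nsec;
}

/* The policy section is what the .mod file given to semodule_package -m contained. */
const struct section *pp_policy(const struct section *s, int n) {
    for (int i = 0; i < n; i++) if (s[i].magic == POLICYDB_MOD_MAGIC) return &s[i];
    return NULL;
}

static int contains(const uint8_t *hay, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++) if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Detect the failure seen in the thread: literal gen_context( in the fc section means
 * the .fc was packaged without m4 expansion. 1 = found, 0 = clean, -1 = malformed. */
int pp_fc_has_unexpanded_macro(const struct section *s, int n) {
    for (int i = 0; i < n; i++) {
        if (s[i].magic != SECTION_FC) continue;
        if (s[i].len < 8) return -1;                 /* magic + u32 length required */
        uint32_t tlen = rd32(s[i].data + 4);
        if (tlen > s[i].len - 8) return -1;          /* length field runs past the section */
        return contains(s[i].data + 8, tlen, "gen_context(");
    }
    return 0;                                         /* no fc section at all */
}

/* Build a constructed two-section package (stand-in policy body + fc text `fc`).
 * Returns bytes written, 0 if it does not fit. Test data only, not a real policy. */
size_t build_sample(uint8_t *buf, size_t cap, const char *fc) {
    static const uint8_t fake_policy[] = { 0x8d, 0xff, 0x7c, 0xf9, 'M', 'O', 'D' };
    size_t fclen = strlen(fc), hdr = 12 + 4 * 2;
    size_t total = hdr + sizeof fake_policy + 8 + fclen;
    if (total > cap) return 0;
    wr32(buf, PKG_MAGIC); wr32(buf + 4, 1); wr32(buf + 8, 2);
    wr32(buf + 12, (uint32_t)hdr); wr32(buf + 16, (uint32_t)(hdr + sizeof fake_policy));
    memcpy(buf + hdr, fake_policy, sizeof fake_policy);
    uint8_t *p = buf + hdr + sizeof fake_policy;
    wr32(p, SECTION_FC); wr32(p + 4, (uint32_t)fclen); memcpy(p + 8, fc, fclen);
    return total;
}

int main(void) {
    uint8_t img[256]; struct section s[MAX_SECTIONS];
    /* constructed fc line in the unpreprocessed form from the thread's error output */
    size_t n = build_sample(img, sizeof img,
        "/etc/zebra(/.*)?\tgen_context(system_u:object_r:zebra_conf_t,s0)\n");
    int ns = pp_split(img, n, s, MAX_SECTIONS);
    const struct section *pol = pp_policy(s, ns);
    printf("%d sections, policy section %zu bytes, unexpanded macro in fc: %s\n",
           ns, pol ? pol->len : (size_t)0, pp_fc_has_unexpanded_macro(s, ns) == 1 ? "yes" : "no");
    return 0;
}
```

On a real package the bytes pp_policy() points at are what would be written back out as the .mod file; the macro check is the kind of guard that turns the late, confusing setfiles failure in the thread into an early, explicit one at packaging time.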