* Fwd: How to extract file context patterns from selinux module
       [not found] <1311941001.7994.4.camel@dhcp-30-102.brq.redhat.com>
@ 2011-07-29 12:06 ` Daniel J Walsh
  2011-07-29 13:29   ` Stephen Smalley
  0 siblings, 1 reply; 5+ messages in thread
From: Daniel J Walsh @ 2011-07-29 12:06 UTC (permalink / raw)
  To: SELinux; +Cc: Karel Srot

-------- Original Message --------
Subject: How to extract file context patterns from selinux module
Date: Fri, 29 Jul 2011 14:03:21 +0200
From: Karel Srot <ksrot@redhat.com>
To: selinux@lists.fedoraproject.org

Hi,
could you please help me with following problem?
I would like to extract context patterns from a selinux module.
I know there are placed at the end of the module but I don't know (and
didn't find) the module structure. Therefore I don't know how to parse
them (if there are any in the module).

Thank you in advance
Karel Srot

$ tail abrt.pp
var/cache/abrt-di(/.*)?		system_u:object_r:abrt_var_cache_t:s0
/var/log/abrt-logger		--	system_u:object_r:abrt_var_log_t:s0
/var/run/abrt\.pid			--	system_u:object_r:abrt_var_run_t:s0
/var/run/abrtd?\.lock		--	system_u:object_r:abrt_var_run_t:s0
/var/run/abrtd?\.socket		-s  system_u:object_r:abrt_var_run_t:s0
/var/run/abrt(/.*)?		system_u:object_r:abrt_var_run_t:s0
...


Karel

-- 
Karel Srot
QE BaseOS team
http://intranet.corp.redhat.com/ic/intranet/KarelSrot

Email: ksrot@redhat.com
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Fwd: How to extract file context patterns from selinux module
  2011-07-29 12:06 ` Fwd: How to extract file context patterns from selinux module Daniel J Walsh
@ 2011-07-29 13:29   ` Stephen Smalley
  2011-07-29 15:03     ` Daniel J Walsh
  2011-07-29 15:10     ` Daniel J Walsh
  0 siblings, 2 replies; 5+ messages in thread
From: Stephen Smalley @ 2011-07-29 13:29 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SELinux, Karel Srot, Steve Lawrence

On Fri, 2011-07-29 at 08:06 -0400, Daniel J Walsh wrote:
> Hi,
> could you please help me with following problem?
> I would like to extract context patterns from a selinux module.
> I know there are placed at the end of the module but I don't know (and
> didn't find) the module structure. Therefore I don't know how to parse
> them (if there are any in the module).
> 
> Thank you in advance
> Karel Srot
> 
> $ tail abrt.pp
> var/cache/abrt-di(/.*)?		system_u:object_r:abrt_var_cache_t:s0
> /var/log/abrt-logger		--	system_u:object_r:abrt_var_log_t:s0
> /var/run/abrt\.pid			--	system_u:object_r:abrt_var_run_t:s0
> /var/run/abrtd?\.lock		--	system_u:object_r:abrt_var_run_t:s0
> /var/run/abrtd?\.socket		-s  system_u:object_r:abrt_var_run_t:s0
> /var/run/abrt(/.*)?		system_u:object_r:abrt_var_run_t:s0
> ...

I created this program a while ago to support unpacking the .mod file
from the .pp file, and just extended it to optionally unpack the .fc
file as well.  If people find it useful, we could perhaps add it to
policycoreutils.

$ gcc -lsepol -o semodule_unpackage semodule_unpackage.c
$ bunzip2 -c /usr/share/selinux/targeted/apache.pp.bz2 > apache.pp
$ semodule_unpackage apache.pp apache.mod apache.fc
$ cat apache.fc

-- 
Stephen Smalley
National Security Agency

[-- Attachment #2: semodule_unpackage.c --]
[-- Type: text/x-csrc, Size: 2359 bytes --]

#include <sepol/module.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

char *progname = NULL;

static void usage(char *progname)
{
	printf("usage: %s ppfile modfile [fcfile]\n", progname);
	exit(1);
}

/* Open filename with the given stdio mode and wrap it in a sepol_policy_file. */
static int file_to_policy_file(char *filename, struct sepol_policy_file **pf, char *mode)
{
	FILE *f;

	if (sepol_policy_file_create(pf)) {
		fprintf(stderr, "%s:  Out of memory\n", progname);
		return -1;
	}

	f = fopen(filename, mode);
	if (!f) {
		fprintf(stderr, "%s:  Could not open file %s:  %s\n", progname, filename, strerror(errno));
		return -1;
	}
	sepol_policy_file_set_fp(*pf, f);
	return 0;
}

int main(int argc, char **argv)
{
	struct sepol_module_package *pkg;
	struct sepol_policy_file *in, *out;
	FILE *fp;
	size_t len;
	char *ppfile, *modfile, *fcfile = NULL, *fcdata;

	progname = argv[0];

	if (argc < 3)
		usage(progname);

	ppfile = argv[1];
	modfile = argv[2];
	/* The fcfile argument is optional. */
	if (argc >= 4)
		fcfile = argv[3];

	if (file_to_policy_file(ppfile, &in, "r"))
		exit(1);

	if (sepol_module_package_create(&pkg)) {
		fprintf(stderr, "%s:  Out of memory\n", progname);
		exit(1);
	}

	/* Parse the whole .pp package: the policy module plus its extra sections. */
	if (sepol_module_package_read(pkg, in, 0) == -1) {
		fprintf(stderr, "%s:  Error while reading policy module from %s\n",
			progname, ppfile);
		exit(1);
	}

	if (file_to_policy_file(modfile, &out, "w"))
		exit(1);

	/* Write only the policy module section back out as the .mod file. */
	if (sepol_policydb_write(sepol_module_package_get_policy(pkg), out)) {
		fprintf(stderr, "%s:  Error while writing module to %s\n", progname, modfile);
		exit(1);
	}

	sepol_policy_file_free(in);
	sepol_policy_file_free(out);

	/* The file contexts section is plain text; copy it out unchanged. */
	len = sepol_module_package_get_file_contexts_len(pkg);
	if (fcfile && len) {
		fp = fopen(fcfile, "w");
		if (!fp) {
			fprintf(stderr, "%s:  Could not open file %s:  %s\n", progname, fcfile, strerror(errno));
			exit(1);
		}
		fcdata = sepol_module_package_get_file_contexts(pkg);
		if (fwrite(fcdata, 1, len, fp) != len) {
			fprintf(stderr, "%s:  Could not write file %s:  %s\n", progname, fcfile, strerror(errno));
			exit(1);
		}
		fclose(fp);
	}

	sepol_module_package_free(pkg);
	exit(0);
}
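
Added example, not part of the attachment above or of any message in this thread: once the .fc text has been unpacked, each line can be split into the path regex, the optional file-type flag (such as the -- and -s seen in the abrt.pp output) and the context, which is what a script auditing the labels a module assigns would want. The names struct fc_entry and parse_fc_line are made up for this sketch.

```c
#include <stdio.h>
#include <string.h>

/* One parsed file-context line (names are illustrative, not libsepol's). */
struct fc_entry {
	char pattern[256];  /* path regex */
	char ftype[4];      /* "--", "-s", "-d", ... or "" for any file type */
	char context[256];  /* full context, or "<<none>>" */
	char type[128];     /* third colon-separated field of the context */
};

/* Returns 1 if an entry was parsed, 0 for blank/comment, -1 if malformed. */
int parse_fc_line(const char *line, struct fc_entry *e)
{
	char a[256], b[256], c[256], extra[2];
	int n;
	memset(e, 0, sizeof(*e));
	line += strspn(line, " \t");
	if (*line == '\0' || *line == '\n' || *line == '#')
		return 0;
	n = sscanf(line, "%255s %255s %255s %1s", a, b, c, extra);
	if (n == 2) {                      /* pattern context */
		strcpy(e->pattern, a);
		strcpy(e->context, b);
	} else if (n == 3) {               /* pattern -X context */
		if (b[0] != '-' || strlen(b) != 2 || !strchr("-bcdpls", b[1]))
			return -1;
		strcpy(e->pattern, a);
		strcpy(e->ftype, b);
		strcpy(e->context, c);
	} else {
		return -1;                 /* too few or too many fields */
	}
	/* Pull the type out of user:role:type[:range]. */
	if (strcmp(e->context, "<<none>>") != 0 &&
	    sscanf(e->context, "%*[^:]:%*[^:]:%127[^:]", e->type) != 1)
		return -1;
	return 1;
}

/* Reads an unpacked .fc file on stdin and prints type, flag and pattern. */
int main(void)
{
	char line[1024];
	struct fc_entry e;
	while (fgets(line, sizeof(line), stdin))
		if (parse_fc_line(line, &e) == 1)
			printf("%-30s %-2s %s\n", e.type, e.ftype, e.pattern);
	return 0;
}
```

Run it as ./fcparse < apache.fc after unpacking with semodule_unpackage.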


* Re: Fwd: How to extract file context patterns from selinux module
  2011-07-29 13:29   ` Stephen Smalley
@ 2011-07-29 15:03     ` Daniel J Walsh
  2011-07-29 15:10     ` Daniel J Walsh
  1 sibling, 0 replies; 5+ messages in thread
From: Daniel J Walsh @ 2011-07-29 15:03 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SELinux, Karel Srot, Steve Lawrence


On 07/29/2011 09:29 AM, Stephen Smalley wrote:
> On Fri, 2011-07-29 at 08:06 -0400, Daniel J Walsh wrote:
>> Hi, could you please help me with following problem? I would like
>> to extract context patterns from a selinux module. I know there are
>> placed at the end of the module but I don't know (and didn't find)
>> the module structure. Therefore I don't know how to parse them (if
>> there are any in the module).
>> 
>> Thank you in advance
>> Karel Srot
>> 
>> $ tail abrt.pp
>> var/cache/abrt-di(/.*)?		system_u:object_r:abrt_var_cache_t:s0
>> /var/log/abrt-logger		--	system_u:object_r:abrt_var_log_t:s0
>> /var/run/abrt\.pid			--	system_u:object_r:abrt_var_run_t:s0
>> /var/run/abrtd?\.lock		--	system_u:object_r:abrt_var_run_t:s0
>> /var/run/abrtd?\.socket		-s  system_u:object_r:abrt_var_run_t:s0
>> /var/run/abrt(/.*)?		system_u:object_r:abrt_var_run_t:s0
>> ...
> 
> I created this program a while ago to support unpacking the .mod
> file from the .pp file, and just extended it to optionally unpack the
> .fc file as well.  If people find it useful, we could perhaps add it
> to policycoreutils.
> 
> $ gcc -lsepol -o semodule_unpackage semodule_unpackage.c
> $ bunzip2 -c /usr/share/selinux/targeted/apache.pp.bz2 > apache.pp
> $ semodule_unpackage apache.pp apache.mod apache.fc
> $ cat apache.fc
> 
Seems like something we should add to libselinux utils.

* Re: Fwd: How to extract file context patterns from selinux module
  2011-07-29 13:29   ` Stephen Smalley
  2011-07-29 15:03     ` Daniel J Walsh
@ 2011-07-29 15:10     ` Daniel J Walsh
  2011-07-29 16:04       ` Stephen Smalley
  1 sibling, 1 reply; 5+ messages in thread
From: Daniel J Walsh @ 2011-07-29 15:10 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SELinux, Karel Srot, Steve Lawrence


On 07/29/2011 09:29 AM, Stephen Smalley wrote:
> On Fri, 2011-07-29 at 08:06 -0400, Daniel J Walsh wrote:
>> Hi, could you please help me with following problem? I would like
>> to extract context patterns from a selinux module. I know there are
>> placed at the end of the module but I don't know (and didn't find)
>> the module structure. Therefore I don't know how to parse them (if
>> there are any in the module).
>> 
>> Thank you in advance
>> Karel Srot
>> 
>> $ tail abrt.pp
>> var/cache/abrt-di(/.*)?		system_u:object_r:abrt_var_cache_t:s0
>> /var/log/abrt-logger		--	system_u:object_r:abrt_var_log_t:s0
>> /var/run/abrt\.pid			--	system_u:object_r:abrt_var_run_t:s0
>> /var/run/abrtd?\.lock		--	system_u:object_r:abrt_var_run_t:s0
>> /var/run/abrtd?\.socket		-s  system_u:object_r:abrt_var_run_t:s0
>> /var/run/abrt(/.*)?		system_u:object_r:abrt_var_run_t:s0
>> ...
> 
> I created this program a while ago to support unpacking the .mod
> file from the .pp file, and just extended it to optionally unpack the
> .fc file as well.  If people find it useful, we could perhaps add it
> to policycoreutils.
> 
> $ gcc -lsepol -o semodule_unpackage semodule_unpackage.c
> $ bunzip2 -c /usr/share/selinux/targeted/apache.pp.bz2 > apache.pp
> $ semodule_unpackage apache.pp apache.mod apache.fc
> $ cat apache.fc
> 


The real goal should be to get back to te file?



* Re: Fwd: How to extract file context patterns from selinux module
  2011-07-29 15:10     ` Daniel J Walsh
@ 2011-07-29 16:04       ` Stephen Smalley
  0 siblings, 0 replies; 5+ messages in thread
From: Stephen Smalley @ 2011-07-29 16:04 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SELinux, Karel Srot, Steve Lawrence

On Fri, 2011-07-29 at 11:10 -0400, Daniel J Walsh wrote:
> On 07/29/2011 09:29 AM, Stephen Smalley wrote:
> > On Fri, 2011-07-29 at 08:06 -0400, Daniel J Walsh wrote:
> >> Hi, could you please help me with following problem? I would like
> >> to extract context patterns from a selinux module. I know there are
> >> placed at the end of the module but I don't know (and didn't find)
> >> the module structure. Therefore I don't know how to parse them (if
> >> there are any in the module).
> >> 
> >> Thank you in advance
> >> Karel Srot
> >> 
> >> $ tail abrt.pp
> >> var/cache/abrt-di(/.*)?		system_u:object_r:abrt_var_cache_t:s0
> >> /var/log/abrt-logger		--	system_u:object_r:abrt_var_log_t:s0
> >> /var/run/abrt\.pid			--	system_u:object_r:abrt_var_run_t:s0
> >> /var/run/abrtd?\.lock		--	system_u:object_r:abrt_var_run_t:s0
> >> /var/run/abrtd?\.socket		-s  system_u:object_r:abrt_var_run_t:s0
> >> /var/run/abrt(/.*)?		system_u:object_r:abrt_var_run_t:s0
> >> ...
> > 
> > I created this program a while ago to support unpacking the .mod
> > file from the .pp file, and just extended it to optionally unpack the
> > .fc file as well.  If people find it useful, we could perhaps add it
> > to policycoreutils.
> > 
> > $ gcc -lsepol -o semodule_unpackage semodule_unpackage.c
> > $ bunzip2 -c /usr/share/selinux/targeted/apache.pp.bz2 > apache.pp
> > $ semodule_unpackage apache.pp apache.mod apache.fc
> > $ cat apache.fc
> > 
> 
> 
> The real goal should be to get back to te file?

Can't do that exactly, but checkpolicy/test/dismod.c is an approximation
given the .mod file.  So you could write something similar to dismod.c
that just dumps all of the information rather than being interactive.

-- 
Stephen Smalley
National Security Agency

