* Fwd: How to extract file context patterns from selinux module
From: Daniel J Walsh @ 2011-07-29 12:06 UTC
To: SELinux; +Cc: Karel Srot

-------- Original Message --------
Subject: How to extract file context patterns from selinux module
Date: Fri, 29 Jul 2011 14:03:21 +0200
From: Karel Srot <ksrot@redhat.com>
To: selinux@lists.fedoraproject.org

Hi,
could you please help me with the following problem?
I would like to extract context patterns from a selinux module.
I know they are placed at the end of the module but I don't know (and
didn't find) the module structure. Therefore I don't know how to parse
them (if there are any in the module).

Thank you in advance
Karel Srot

$ tail abrt.pp
var/cache/abrt-di(/.*)? system_u:object_r:abrt_var_cache_t:s0
/var/log/abrt-logger -- system_u:object_r:abrt_var_log_t:s0
/var/run/abrt\.pid -- system_u:object_r:abrt_var_run_t:s0
/var/run/abrtd?\.lock -- system_u:object_r:abrt_var_run_t:s0
/var/run/abrtd?\.socket -s system_u:object_r:abrt_var_run_t:s0
/var/run/abrt(/.*)? system_u:object_r:abrt_var_run_t:s0
...

Karel

--
Karel Srot
QE BaseOS team
http://intranet.corp.redhat.com/ic/intranet/KarelSrot
Email: ksrot@redhat.com
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

* Re: Fwd: How to extract file context patterns from selinux module
From: Stephen Smalley @ 2011-07-29 13:29 UTC
To: Daniel J Walsh; +Cc: SELinux, Karel Srot, Steve Lawrence

On Fri, 2011-07-29 at 08:06 -0400, Daniel J Walsh wrote:
> Hi,
> could you please help me with the following problem?
> I would like to extract context patterns from a selinux module.
> I know they are placed at the end of the module but I don't know (and
> didn't find) the module structure. Therefore I don't know how to parse
> them (if there are any in the module).
>
> Thank you in advance
> Karel Srot
>
> $ tail abrt.pp
> var/cache/abrt-di(/.*)? system_u:object_r:abrt_var_cache_t:s0
> /var/log/abrt-logger -- system_u:object_r:abrt_var_log_t:s0
> /var/run/abrt\.pid -- system_u:object_r:abrt_var_run_t:s0
> /var/run/abrtd?\.lock -- system_u:object_r:abrt_var_run_t:s0
> /var/run/abrtd?\.socket -s system_u:object_r:abrt_var_run_t:s0
> /var/run/abrt(/.*)? system_u:object_r:abrt_var_run_t:s0
> ...

I created this program a while ago to support unpacking the .mod file
from the .pp file, and just extended it to optionally unpack the .fc
file as well. If people find it useful, we could perhaps add it to
policycoreutils.

$ gcc -o semodule_unpackage semodule_unpackage.c -lsepol
$ bunzip2 -c /usr/share/selinux/targeted/apache.pp.bz2 > apache.pp
$ semodule_unpackage apache.pp apache.mod apache.fc
$ cat apache.fc

--
Stephen Smalley
National Security Agency

[-- Attachment #2: semodule_unpackage.c --]

#include <sepol/module.h>
#include <getopt.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <errno.h>

char *progname = NULL;
extern char *optarg;

static void usage(char *progname)
{
	printf("usage: %s ppfile modfile [fcfile]\n", progname);
	exit(1);
}

/* Open filename with the given stdio mode and attach it to a new sepol policy file. */
static int file_to_policy_file(char *filename, struct sepol_policy_file **pf,
			       char *mode)
{
	FILE *f;

	if (sepol_policy_file_create(pf)) {
		fprintf(stderr, "%s: Out of memory\n", progname);
		return -1;
	}

	f = fopen(filename, mode);
	if (!f) {
		/* Arguments follow the format string: file name, then error text. */
		fprintf(stderr, "%s: Could not open file %s: %s\n", progname,
			filename, strerror(errno));
		return -1;
	}
	sepol_policy_file_set_fp(*pf, f);
	return 0;
}

int main(int argc, char **argv)
{
	struct sepol_module_package *pkg;
	struct sepol_policy_file *in, *out;
	FILE *fp;
	size_t len;
	char *ppfile, *modfile, *fcfile = NULL, *fcdata;

	progname = argv[0];

	if (argc < 3) {
		usage(progname);
		exit(1);
	}

	ppfile = argv[1];
	modfile = argv[2];
	/* The fcfile argument is optional: only read argv[3] when it was given. */
	if (argc > 3)
		fcfile = argv[3];

	if (file_to_policy_file(ppfile, &in, "r"))
		exit(1);

	if (sepol_module_package_create(&pkg)) {
		fprintf(stderr, "%s: Out of memory\n", progname);
		exit(1);
	}

	/* Parse the whole package: policy module plus the auxiliary sections. */
	if (sepol_module_package_read(pkg, in, 0) == -1) {
		fprintf(stderr, "%s: Error while reading policy module from %s\n",
			progname, ppfile);
		exit(1);
	}

	if (file_to_policy_file(modfile, &out, "w"))
		exit(1);

	/* Write the binary policy module (.mod) on its own. */
	if (sepol_policydb_write(sepol_module_package_get_policy(pkg), out)) {
		fprintf(stderr, "%s: Error while writing module to %s\n",
			progname, modfile);
		exit(1);
	}

	sepol_policy_file_free(in);
	sepol_policy_file_free(out);

	/* The file contexts section is plain text; copy it out unchanged. */
	len = sepol_module_package_get_file_contexts_len(pkg);
	if (fcfile && len) {
		fp = fopen(fcfile, "w");
		if (!fp) {
			fprintf(stderr, "%s: Could not open file %s: %s\n",
				progname, fcfile, strerror(errno));
			exit(1);
		}
		fcdata = sepol_module_package_get_file_contexts(pkg);
		if (fwrite(fcdata, 1, len, fp) != len) {
			fprintf(stderr, "%s: Could not write file %s: %s\n",
				progname, fcfile, strerror(errno));
			exit(1);
		}
		fclose(fp);
	}

	sepol_module_package_free(pkg);
	exit(0);
}

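Added example, not part of the thread and not libsepol code: a bounds-checked reader that locates the file contexts text in an uncompressed .pp image without linking libsepol, which is the module structure the original question asks about. It assumes the package layout that libsepol's module package reader parses (little-endian 32-bit magic, version and section count, then a table of absolute section offsets, each section starting with its own magic); `pp_find_fc`, the `PP_*` names and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define PP_MAGIC   0xf97cff8fu /* SEPOL_MODULE_PACKAGE_MAGIC, <sepol/module.h> */
#define PP_SECT_FC 0xf97cff90u /* SEPOL_PACKAGE_SECTION_FC, <sepol/module.h> */
#define PP_MAXSECT 100u        /* cap on the section count, chosen for this example */

/* Constructed sample: header, two offsets, stub policy section, file contexts. */
const unsigned char sample_pp[] =
    "\x8f\xff\x7c\xf9" "\x01\x00\x00\x00" "\x02\x00\x00\x00" /* magic, version, nsec */
    "\x14\x00\x00\x00" "\x1c\x00\x00\x00"                   /* section offsets 20, 28 */
    "\x8d\xff\x7c\xf9" "\x00\x00\x00\x00"                   /* stub policy section */
    "\x90\xff\x7c\xf9" "/var/run/abrt\\.pid -- system_u:object_r:abrt_var_run_t:s0\n";

static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns 0 and sets *fc, *fc_len if a file contexts section is found,
 * 1 if the package has none, -1 if the header or an offset is malformed. */
int pp_find_fc(const unsigned char *buf, size_t n,
               const unsigned char **fc, size_t *fc_len)
{
    size_t hdr, i, nsec;

    if (n < 12 || le32(buf) != PP_MAGIC)
        return -1;
    nsec = le32(buf + 8);              /* buf + 4 is the package version */
    if (nsec > PP_MAXSECT || n < 12 + 4 * nsec)
        return -1;
    hdr = 12 + 4 * nsec;               /* fixed header plus offset table */
    for (i = 0; i < nsec; i++) {
        size_t start = le32(buf + 12 + 4 * i);
        size_t end = (i + 1 < nsec) ? le32(buf + 16 + 4 * i) : n;

        /* Offsets come from the file itself: bound them before use. */
        if (start < hdr || end > n || end < start || end - start < 4)
            return -1;
        if (le32(buf + start) == PP_SECT_FC) {
            *fc = buf + start + 4;     /* text runs to the next section or EOF */
            *fc_len = end - start - 4;
            return 0;
        }
    }
    return 1;
}
```

To try it on a real module, read the bunzip2'd .pp into memory and pass the buffer and its length; the returned span is the same text that semodule_unpackage writes to the .fc file.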
* Re: Fwd: How to extract file context patterns from selinux module
From: Daniel J Walsh @ 2011-07-29 15:03 UTC
To: Stephen Smalley; +Cc: SELinux, Karel Srot, Steve Lawrence

On 07/29/2011 09:29 AM, Stephen Smalley wrote:
> On Fri, 2011-07-29 at 08:06 -0400, Daniel J Walsh wrote:
>> Hi, could you please help me with the following problem? I would like
>> to extract context patterns from a selinux module. I know they are
>> placed at the end of the module but I don't know (and didn't find)
>> the module structure. Therefore I don't know how to parse them (if
>> there are any in the module).
>>
>> Thank you in advance Karel Srot
>>
>> $ tail abrt.pp var/cache/abrt-di(/.*)?
>> system_u:object_r:abrt_var_cache_t:s0 /var/log/abrt-logger --
>> system_u:object_r:abrt_var_log_t:s0 /var/run/abrt\.pid --
>> system_u:object_r:abrt_var_run_t:s0 /var/run/abrtd?\.lock --
>> system_u:object_r:abrt_var_run_t:s0 /var/run/abrtd?\.socket -s
>> system_u:object_r:abrt_var_run_t:s0 /var/run/abrt(/.*)?
>> system_u:object_r:abrt_var_run_t:s0 ...
>
> I created this program a while ago to support unpacking the .mod
> file from the .pp file, and just extended it to optionally unpack the
> .fc file as well. If people find it useful, we could perhaps add it
> to policycoreutils.
>
> $ gcc -lsepol -o semodule_unpackage semodule_unpackage.c $ bunzip2 -c
> /usr/share/selinux/targeted/apache.pp.bz2 > apache.pp $
> semodule_unpackage apache.pp apache.mod apache.fc $ cat apache.fc
>

Seems like something we should add to libselinux utils.

* Re: Fwd: How to extract file context patterns from selinux module
From: Daniel J Walsh @ 2011-07-29 15:10 UTC
To: Stephen Smalley; +Cc: SELinux, Karel Srot, Steve Lawrence

On 07/29/2011 09:29 AM, Stephen Smalley wrote:
> On Fri, 2011-07-29 at 08:06 -0400, Daniel J Walsh wrote:
>> Hi, could you please help me with the following problem? I would like
>> to extract context patterns from a selinux module. I know they are
>> placed at the end of the module but I don't know (and didn't find)
>> the module structure. Therefore I don't know how to parse them (if
>> there are any in the module).
>>
>> Thank you in advance Karel Srot
>>
>> $ tail abrt.pp var/cache/abrt-di(/.*)?
>> system_u:object_r:abrt_var_cache_t:s0 /var/log/abrt-logger --
>> system_u:object_r:abrt_var_log_t:s0 /var/run/abrt\.pid --
>> system_u:object_r:abrt_var_run_t:s0 /var/run/abrtd?\.lock --
>> system_u:object_r:abrt_var_run_t:s0 /var/run/abrtd?\.socket -s
>> system_u:object_r:abrt_var_run_t:s0 /var/run/abrt(/.*)?
>> system_u:object_r:abrt_var_run_t:s0 ...
>
> I created this program a while ago to support unpacking the .mod
> file from the .pp file, and just extended it to optionally unpack the
> .fc file as well. If people find it useful, we could perhaps add it
> to policycoreutils.
>
> $ gcc -lsepol -o semodule_unpackage semodule_unpackage.c $ bunzip2 -c
> /usr/share/selinux/targeted/apache.pp.bz2 > apache.pp $
> semodule_unpackage apache.pp apache.mod apache.fc $ cat apache.fc
>

The real goal should be to get back to te file?

* Re: Fwd: How to extract file context patterns from selinux module
From: Stephen Smalley @ 2011-07-29 16:04 UTC
To: Daniel J Walsh; +Cc: SELinux, Karel Srot, Steve Lawrence

On Fri, 2011-07-29 at 11:10 -0400, Daniel J Walsh wrote:
> On 07/29/2011 09:29 AM, Stephen Smalley wrote:
> > On Fri, 2011-07-29 at 08:06 -0400, Daniel J Walsh wrote:
> >> Hi, could you please help me with the following problem? I would like
> >> to extract context patterns from a selinux module. I know they are
> >> placed at the end of the module but I don't know (and didn't find)
> >> the module structure. Therefore I don't know how to parse them (if
> >> there are any in the module).
> >>
> >> Thank you in advance Karel Srot
> >>
> >> $ tail abrt.pp var/cache/abrt-di(/.*)?
> >> system_u:object_r:abrt_var_cache_t:s0 /var/log/abrt-logger --
> >> system_u:object_r:abrt_var_log_t:s0 /var/run/abrt\.pid --
> >> system_u:object_r:abrt_var_run_t:s0 /var/run/abrtd?\.lock --
> >> system_u:object_r:abrt_var_run_t:s0 /var/run/abrtd?\.socket -s
> >> system_u:object_r:abrt_var_run_t:s0 /var/run/abrt(/.*)?
> >> system_u:object_r:abrt_var_run_t:s0 ...
> >
> > I created this program a while ago to support unpacking the .mod
> > file from the .pp file, and just extended it to optionally unpack the
> > .fc file as well. If people find it useful, we could perhaps add it
> > to policycoreutils.
> >
> > $ gcc -lsepol -o semodule_unpackage semodule_unpackage.c $ bunzip2 -c
> > /usr/share/selinux/targeted/apache.pp.bz2 > apache.pp $
> > semodule_unpackage apache.pp apache.mod apache.fc $ cat apache.fc
> >
> >
> The real goal should be to get back to te file?

Can't do that exactly, but checkpolicy/test/dismod.c is an approximation
given the .mod file. So you could write something similar to dismod.c
that just dumps all of the information rather than being interactive.

--
Stephen Smalley
National Security Agency