* How to restore a policy module
@ 2014-03-21 13:29 Kim Lawson-Jenkins
  2014-03-21 13:32 ` Stephen Smalley
                   ` (3 more replies)
  0 siblings, 4 replies; 7+ messages in thread
From: Kim Lawson-Jenkins @ 2014-03-21 13:29 UTC (permalink / raw)
  To: selinux


In an attempt to lockdown a system I removed the remotelogin policy module
using semodule -r.  I'm using the targeted policy on RHEL6.  How do I add
this file back to my current configuration?

* Re: How to restore a policy module
  2014-03-21 13:29 How to restore a policy module Kim Lawson-Jenkins
@ 2014-03-21 13:32 ` Stephen Smalley
  2014-03-21 13:35   ` Stephen Smalley
  2014-03-21 13:37 ` Ilya Frolov
                   ` (2 subsequent siblings)
  3 siblings, 1 reply; 7+ messages in thread
From: Stephen Smalley @ 2014-03-21 13:32 UTC (permalink / raw)
  To: kim.lawson-jenkins, selinux

On 03/21/2014 09:29 AM, Kim Lawson-Jenkins wrote:
> In an attempt to lockdown a system I removed the remotelogin policy
> module using semodule -r.  I’m using the targeted policy on RHEL6.  How
> do I add this file back to my current configuration?

You can always do a yum reinstall selinux-policy-targeted to fully
reinstall the policy, or you could individually install that policy
module.  Used to be the case that a copy of each module was available
under /usr/share/selinux/targeted, so you could do a semodule -i
/usr/share/selinux/targeted/remotelogin.pp if that exists (but it seems
to have gone away in recent Fedora, likely to save on storage).


* Re: How to restore a policy module
  2014-03-21 13:32 ` Stephen Smalley
@ 2014-03-21 13:35   ` Stephen Smalley
  2014-03-21 13:49     ` Kim Lawson-Jenkins
  0 siblings, 1 reply; 7+ messages in thread
From: Stephen Smalley @ 2014-03-21 13:35 UTC (permalink / raw)
  To: kim.lawson-jenkins, selinux

On 03/21/2014 09:32 AM, Stephen Smalley wrote:
> On 03/21/2014 09:29 AM, Kim Lawson-Jenkins wrote:
>> In an attempt to lockdown a system I removed the remotelogin policy
>> module using semodule -r.  I’m using the targeted policy on RHEL6.  How
>> do I add this file back to my current configuration?
> 
> You can always do a yum reinstall selinux-policy-targeted to fully
> reinstall the policy, or you could individually install that policy
> module.  Used to be the case that a copy of each module was available
> under /usr/share/selinux/targeted, so you could do a semodule -i
> /usr/share/selinux/targeted/remotelogin.pp if that exists (but it seems
> to have gone away in recent Fedora, likely to save on storage).

Also, if you add:
save-previous = true
to your /etc/selinux/semanage.conf
it will keep a copy of your previous policy under
/etc/selinux/targeted/modules/previous on each transaction, making it
easier to rollback changes.


* Re: How to restore a policy module
  2014-03-21 13:29 How to restore a policy module Kim Lawson-Jenkins
  2014-03-21 13:32 ` Stephen Smalley
@ 2014-03-21 13:37 ` Ilya Frolov
  2014-03-21 13:41 ` James Carter
  2014-03-21 18:34 ` Daniel J Walsh
  3 siblings, 0 replies; 7+ messages in thread
From: Ilya Frolov @ 2014-03-21 13:37 UTC (permalink / raw)
  To: kim.lawson-jenkins; +Cc: selinux@tycho.nsa.gov


Hello Kim,

I'd downloaded the rpm containing the relevant module, unpacked it and then used
semodule -i /path/to/module.pp to replace it.
Also, I think a simple reinstall of the policy would do the trick.

Here's what I base my assumption on:

root@selinux:/root # cp /etc/selinux/custom/modules/active/modules/apt.pp /tmp/
root@selinux:/root # semodule -l | grep apt
apt     1.8.2
root@selinux:/root # semodule -r apt
root@selinux:/root # ls -la /etc/selinux/custom/modules/active/modules/apt*
ls: cannot access /etc/selinux/custom/modules/active/modules/apt*: No such file or directory
root@selinux:/root # semodule -i /tmp/apt.pp
root@selinux:/root # ls -la /etc/selinux/custom/modules/active/modules/apt*
-rw-------. 1 root root 6814 Mar 21 13:33 /etc/selinux/custom/modules/active/modules/apt.pp


regards,
ilya


On Fri, Mar 21, 2014 at 5:29 PM, Kim Lawson-Jenkins <
kim.lawson-jenkins@nrl.navy.mil> wrote:

> In an attempt to lockdown a system I removed the remotelogin policy module
> using semodule -r.  I’m using the targeted policy on RHEL6.  How do I add
> this file back to my current configuration?

* Re: How to restore a policy module
  2014-03-21 13:29 How to restore a policy module Kim Lawson-Jenkins
  2014-03-21 13:32 ` Stephen Smalley
  2014-03-21 13:37 ` Ilya Frolov
@ 2014-03-21 13:41 ` James Carter
  2014-03-21 18:34 ` Daniel J Walsh
  3 siblings, 0 replies; 7+ messages in thread
From: James Carter @ 2014-03-21 13:41 UTC (permalink / raw)
  To: kim.lawson-jenkins, selinux

On 03/21/2014 09:29 AM, Kim Lawson-Jenkins wrote:
> In an attempt to lockdown a system I removed the remotelogin policy module
> using semodule -r.  I'm using the targeted policy on RHEL6.  How do I add
> this file back to my current configuration?
>

The pp file for the module will still be in /usr/share/selinux/targeted/.

To reinstall the module do:
semodule -i /usr/share/selinux/targeted/remotelogin.pp.bz2


-- 
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency


* RE: How to restore a policy module
  2014-03-21 13:35   ` Stephen Smalley
@ 2014-03-21 13:49     ` Kim Lawson-Jenkins
  0 siblings, 0 replies; 7+ messages in thread
From: Kim Lawson-Jenkins @ 2014-03-21 13:49 UTC (permalink / raw)
  To: selinux

Thanks everyone for the rapid answers.  I was able to restore the file.

Kim

-----Original Message-----
From: Stephen Smalley [mailto:sds@tycho.nsa.gov] 
Sent: Friday, March 21, 2014 9:35 AM
To: kim.lawson-jenkins@nrl.navy.mil; selinux@tycho.nsa.gov
Subject: Re: How to restore a policy module

On 03/21/2014 09:32 AM, Stephen Smalley wrote:
> On 03/21/2014 09:29 AM, Kim Lawson-Jenkins wrote:
>> In an attempt to lockdown a system I removed the remotelogin policy 
>> module using semodule -r.  I'm using the targeted policy on RHEL6.  
>> How do I add this file back to my current configuration?
> 
> You can always do a yum reinstall selinux-policy-targeted to fully 
> reinstall the policy, or you could individually install that policy 
> module.  Used to be the case that a copy of each module was available 
> under /usr/share/selinux/targeted, so you could do a semodule -i 
> /usr/share/selinux/targeted/remotelogin.pp if that exists (but it 
> seems to have gone away in recent Fedora, likely to save on storage).

Also, if you add:
save-previous = true
to your /etc/selinux/semanage.conf
it will keep a copy of your previous policy under
/etc/selinux/targeted/modules/previous on each transaction, making it easier
to rollback changes.


* Re: How to restore a policy module
  2014-03-21 13:29 How to restore a policy module Kim Lawson-Jenkins
                   ` (2 preceding siblings ...)
  2014-03-21 13:41 ` James Carter
@ 2014-03-21 18:34 ` Daniel J Walsh
  3 siblings, 0 replies; 7+ messages in thread
From: Daniel J Walsh @ 2014-03-21 18:34 UTC (permalink / raw)
  To: kim.lawson-jenkins, selinux


On 03/21/2014 09:29 AM, Kim Lawson-Jenkins wrote:
> In an attempt to lockdown a system I removed the remotelogin policy module
> using semodule -r.  I'm using the targeted policy on RHEL6.  How do I add
> this file back to my current configuration?
>
yum reinstall selinux-policy-targeted

Should do it.
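
The restore options from the replies above, as an added example that is not from any poster in the thread: it prints the semodule -i command when a packaged .pp or .pp.bz2 copy exists, falls back to the yum reinstall otherwise, and checks whether save-previous is set. The function names are hypothetical; the paths and commands are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: plan how to restore an SELinux module removed with `semodule -r`.
# Paths and commands are those named in the thread; function names are hypothetical.

# Print the packaged copy of a module (.pp or .pp.bz2) under a policy share dir.
# $1 = module name, $2 = share dir (default /usr/share/selinux/targeted)
find_packaged_module() {
    mod=$1
    dir=${2:-/usr/share/selinux/targeted}
    for f in "$dir/$mod.pp" "$dir/$mod.pp.bz2"; do
        if [ -f "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# Succeed if semanage.conf has an uncommented "save-previous = true" line.
# $1 = config file (default /etc/selinux/semanage.conf)
save_previous_enabled() {
    conf=${1:-/etc/selinux/semanage.conf}
    [ -r "$conf" ] || return 1
    grep -Eq '^[[:space:]]*save-previous[[:space:]]*=[[:space:]]*true[[:space:]]*$' "$conf"
}

# Print (do not run) the command that restores the module: install the packaged
# copy if one exists, otherwise fall back to reinstalling the policy package.
# $1 = module name, $2 = optional share dir
restore_command() {
    if path=$(find_packaged_module "$1" "$2"); then
        printf 'semodule -i %s\n' "$path"
    else
        printf 'yum reinstall selinux-policy-targeted\n'
    fi
}

# Example run against the real paths; it only prints and changes nothing.
restore_command remotelogin
if save_previous_enabled; then
    echo "save-previous is on: the prior policy is kept for rollback"
else
    echo "save-previous is off: add 'save-previous = true' to semanage.conf"
fi
```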

