04-09-2012, 05:38 PM
Gabriele Pohl

How to get a .te file from an existing .pp file?

Hi all,

I've installed some software from source on a CentOS 6.2 box
and would like to set up an SELinux policy for it.

As I already use the software on my Fedora 15 server
Source RPM : BackupPC-3.2.1-7.fc15.src.rpm
I would like to use the wisdom from the existing policy module:
/usr/share/selinux/packages/BackupPC/BackupPC.pp

I found this forum thread:
http://www.linuxquestions.org/questions/showthread.php?p=4548316#post4548316


which ended with the hint:
"Use the tools from the setools package."

I tried this, but wasn't successful.
I kept running into errors telling me
that these tools cannot open the policy file,
as it is not a "base policy".

Can you help with instructions?
Or tell me, where to find the .te file of the Fedora package?

Thanks in advance and kind regards

Gabriele

PS: I found this instruction on how to generate the .pp
from the audit messages. So if there is really no way
to /decompile/ the .pp I will go this way:
http://www.advisorbits.com/2011/03/backuppc_on_centos_5_selinux_fix.html
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
04-09-2012, 05:49 PM
Dominick Grift

How to get a .te file from an existing .pp file?

On Mon, 2012-04-09 at 19:38 +0200, Gabriele Pohl wrote:
> Hi all,
>
> I've installed a software from the sources on a CentOS 6.2 box
> and would like to setup a SELinux policy for it.
>
> As I already use the software on my Fedora 15 server
> Source RPM : BackupPC-3.2.1-7.fc15.src.rpm
> I would like to use the wisdom from the existing policy module:
> /usr/share/selinux/packages/BackupPC/BackupPC.pp
>
> I found this forum thread:
> http://www.linuxquestions.org/questions/showthread.php?p=4548316#post4548316
>
>
> which ended with the hint:
> "Use the tools from the setools package."
>
> I tried this, but wasn't successful.
> All the time running into errors telling me,
> that these cannot open the policy file,
> as it is no "base policy"
>
> Can you help with instructions?
> Or tell me, where to find the .te file of the Fedora package?
>
> Thanks in advance and kind regards
>
> Gabriele
>
> PS: I found this instruction on how to generate the .pp
> from the audit messages. So if there is really no way
> to /decompile/ the .pp I will go this way:
> http://www.advisorbits.com/2011/03/backuppc_on_centos_5_selinux_fix.html

There is currently no way to disassemble .pp files as far as I know

See if the source is enclosed with the source rpm.

Other options are:

1. Disable that backuppc policy module (semodule -d BackupPC) and write
your own (backuppc pretty much needs full access to the file system
often and it needs many permissions, so it's not easy to write policy for).

2. Extend the BackupPC module. Use [ ... ] | audit2allow -M mybackuppc;
sudo semodule -i mybackuppc.pp or do it manually: create a mybackuppc.te
file, declare a policy module, import required types, attributes etc.,
add policy rules and build and install (make
-f /usr/share/selinux/devel/Makefile mybackuppc.pp; sudo semodule -i
mybackuppc.pp)

3. Make backuppc permissive (unprotected): semanage permissive -a
backuppc_t

4. Disable the module, which causes SELinux to run it in the init script
domain which is unprotected/unrestricted (semodule -d BackupPC)



 
04-09-2012, 05:52 PM
"Jason L Tibbitts III"

How to get a .te file from an existing .pp file?

>>>>> "GP" == Gabriele Pohl <gp@dipohl.com> writes:

GP> BackupPC-3.2.1-7.fc15.src.rpm I would like to use the wisdom from
GP> the existing policy module:
GP> /usr/share/selinux/packages/BackupPC/BackupPC.pp

In this case it is almost certainly easier to just look at the package
source. The .te file is in the spec file, on line 110:

http://pkgs.fedoraproject.org/gitweb/?p=BackupPC.git;a=blob;f=BackupPC.spec;h=4e60b3d378105b3e55bfeeedf90d2e003cf03225;hb=HEAD

- J<
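
Added example, not part of the original message and not the Fedora packagers' code: one way to pull a .te that a spec file writes out with a here-document, as the reply above describes. It assumes the spec uses a line such as `cat >%{name}.te <<EOF`; `te_from_spec`, `make_sample_spec` and the sample policy text are hypothetical.

```shell
#!/bin/sh
# Added example: recover a .te policy source that a spec file writes out
# with a here-document. ASSUMPTION: the spec contains a line such as
#   cat >%{name}.te <<EOF
# followed by the policy text and the terminator; check your spec first.

te_from_spec() {    # $1 = path to the .spec file; prints the .te text
    awk '
        /^Name:/ && name == "" { name = $2 }      # value used for %{name}
        inside && $0 == term   { exit }           # here-document ends
        inside                 { gsub(/%[{]name[}]/, name); print; next }
        /\.te/ && /<</ {                          # here-document starts
            term = $0
            sub(/.*<<-?[ \t]*/, "", term)         # keep text after <<
            sub(/[ \t].*/, "", term)              # drop a trailing redirect
            gsub(/[^A-Za-z0-9_]/, "", term)       # drop quotes around the word
            inside = 1
        }
    ' "$1"
}

# Constructed sample spec (not the real BackupPC.spec; policy text is a placeholder).
make_sample_spec() {
    cat > "$1" <<'SPEC'
Name:           BackupPC
Version:        3.2.1

%build
cat >%{name}.te <<EOF
policy_module(%{name},1.0.0)
require {
        type example_t;
}
allow example_t self:process signal;
EOF
make -f %{_datadir}/selinux/devel/Makefile
SPEC
}

# On a real box (not run here):
#   rpm2cpio BackupPC-3.2.1-7.fc15.src.rpm | cpio -idm '*.spec'
#   te_from_spec BackupPC.spec > BackupPC.te
#   grep -n '%{' BackupPC.te    # any macro left over needs manual expansion
#   make -f /usr/share/selinux/devel/Makefile BackupPC.pp
#   sudo semodule -i BackupPC.pp
```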
 
04-09-2012, 06:04 PM
Stephen Smalley

How to get a .te file from an existing .pp file?

On Mon, 2012-04-09 at 19:49 +0200, Dominick Grift wrote:
> On Mon, 2012-04-09 at 19:38 +0200, Gabriele Pohl wrote:
> > Hi all,
> >
> > I've installed a software from the sources on a CentOS 6.2 box
> > and would like to setup a SELinux policy for it.
> >
> > As I already use the software on my Fedora 15 server
> > Source RPM : BackupPC-3.2.1-7.fc15.src.rpm
> > I would like to use the wisdom from the existing policy module:
> > /usr/share/selinux/packages/BackupPC/BackupPC.pp
> >
> > I found this forum thread:
> > http://www.linuxquestions.org/questions/showthread.php?p=4548316#post4548316
> >
> >
> > which ended with the hint:
> > "Use the tools from the setools package."
> >
> > I tried this, but wasn't successful.
> > All the time running into errors telling me,
> > that these cannot open the policy file,
> > as it is no "base policy"
> >
> > Can you help with instructions?
> > Or tell me, where to find the .te file of the Fedora package?
> >
> > Thanks in advance and kind regards
> >
> > Gabriele
> >
> > PS: I found this instruction on how to generate the .pp
> > from the audit messages. So if there is really no way
> > to /decompile/ the .pp I will go this way:
> > http://www.advisorbits.com/2011/03/backuppc_on_centos_5_selinux_fix.html
>
> There is currently no way to disassemble .pp files as far as I know

You can get most of the way there via semodule_unpackage and sedismod.
But even that will just give you a low level dump of the rules, not the
original .te sources, so it is better to get the original .te file if
you can. sedismod could use some work to produce output that can be
directly placed in a .te file; it was originally just created as a
developer/debugging tool, not for this purpose.

semodule_unpackage sources have been posted a few times and are now part
of policycoreutils in recent Fedora. sedismod is part of checkpolicy.

--
Stephen Smalley
National Security Agency
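
Added example, not part of the original message: a sketch of why a .pp is not something a base-policy tool can open, and what semodule_unpackage has to split apart. It assumes the magic numbers and package header layout defined in libsepol; the function names and the 28-byte sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: tell a kernel (base) policy, a bare module and a module
# package apart by magic number, then list the sections of a package.
# ASSUMPTION: magic values and header layout as defined in libsepol.

le32_at() {         # $1 = file, $2 = byte offset; prints 8 hex digits
    od -An -tx1 -j "$2" -N 4 "$1" | awk '{ printf "%s%s%s%s", $4, $3, $2, $1 }'
}

policy_kind() {
    case "$(le32_at "$1" 0)" in
        f97cff8c) echo "base policy" ;;      # what policy analysis tools open
        f97cff8d) echo "policy module" ;;    # sedismod input
        f97cff8f) echo "module package" ;;   # a .pp; semodule_unpackage input
        *)        echo "unknown" ;;
    esac
}

# Package header: magic, version, section count, then one offset per section.
pp_sections() {
    [ "$(policy_kind "$1")" = "module package" ] || return 1
    nsec=$((0x$(le32_at "$1" 8)))
    i=0
    while [ "$i" -lt "$nsec" ]; do
        pos=$((12 + 4 * i))
        off=$((0x$(le32_at "$1" "$pos")))
        case "$(le32_at "$1" "$off")" in
            f97cff8d) kind="policy module" ;;
            f97cff90) kind="file contexts" ;;
            *)        kind="other" ;;
        esac
        echo "$off $kind"
        i=$((i + 1))
    done
}

# Constructed 28-byte sample: header plus two sections cut down to their magic.
make_sample_pp() {
    printf '\217\377\174\371\001\000\000\000\002\000\000\000' > "$1"
    printf '\024\000\000\000\030\000\000\000' >> "$1"
    printf '\215\377\174\371\220\377\174\371' >> "$1"
}

# On a real box (not run here):
#   semodule_unpackage BackupPC.pp BackupPC.mod BackupPC.fc
#   sedismod BackupPC.mod      # interactive menu; dumps the low-level rules
```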

 
04-09-2012, 09:21 PM
Gabriele Pohl

How to get a .te file from an existing .pp file?

Hi Jason and all who answered,

many thanks for your immediate help!

The infos are all very interesting and useful :-)

On 04/09/2012 07:52 PM, Jason L Tibbitts III wrote:
>>>>>> "GP" == Gabriele Pohl writes:
>
> GP> BackupPC-3.2.1-7.fc15.src.rpm I would like to use the wisdom from
> GP> the existing policy module:
> GP> /usr/share/selinux/packages/BackupPC/BackupPC.pp
>
> In this case it is almost certainly easier to just look at the package
> source. The .te file is in the spec file, on line 110:
>
> http://pkgs.fedoraproject.org/gitweb/?p=BackupPC.git;a=blob;f=BackupPC.spec;h=4e60b3d378105b3e55bfeeedf90d2e003cf03225;hb=HEAD

That is a nice solution :-)

I extracted the .te File from the source package
and built the policy module from it.

Thanks again and kind regards

Gabriele
 
