답변:
SELinux 정책 모듈은 다음 단계로 구성됩니다.
audit2allow
checkmodule
semodule_package
http://wiki.centos.org/HowTos/SELinux
postgreylocal.te
아래 내용을 가진 파일 이 있다고 가정합니다 .
module postgreylocal 1.0;
require {
type postfix_smtpd_t;
type postfix_spool_t;
type initrc_t;
class sock_file write;
class unix_stream_socket connectto;
}
#============= postfix_smtpd_t ==============
allow postfix_smtpd_t initrc_t:unix_stream_socket connectto;
allow postfix_smtpd_t postfix_spool_t:sock_file write;
postgreylocal.pp
정책 모듈은 다음과 같이 생성됩니다.
# checkmodule -M -m -o postgreylocal.mod postgreylocal.te
# semodule_package -m postgreylocal.mod -o postgreylocal.pp
이 정책 모듈의 압축을 풀려면 파일 을 추출한 다음 이진 모듈을 텍스트 표현으로 분해하는 데 사용 되는 semodule_unpackage 라는 도구가 필요합니다 ..mod
dismod
젠투에서 다음 패키지를 설치해야합니다.
[I] sys-apps/policycoreutils
Available versions: [M]2.0.82 [M](~)2.0.82-r1 [M](~)2.0.85 [M](~)2.1.0 {M}(~)2.1.0-r1
Installed versions: 2.1.0-r1(05:12:27 PM 10/14/2011)
Homepage: http://userspace.selinuxproject.org
Description: SELinux core utilities
[I] sys-apps/checkpolicy
Available versions: [M]2.0.21 [M](~)2.0.23 {M}(~)2.1.0 {debug}
Installed versions: 2.1.0(01:27:53 PM 10/14/2011)(-debug)
Homepage: http://userspace.selinuxproject.org
Description: SELinux policy compiler
[I] sys-libs/libsepol
Available versions: [M]2.0.41!t [M](~)2.0.42!t {M}(~)2.1.0!t
Installed versions: 2.1.0!t(01:25:43 PM 10/14/2011)
Homepage: http://userspace.selinuxproject.org
Description: SELinux binary policy representation library
먼저 .pp
파일 에서 모듈을 추출 하십시오.
# semodule_unpackage postgreylocal.pp postgreylocal.mod
둘째, 다음과 dismod
같이 분해하십시오 .
# cd checkpolicy-2.1.0/test/
# ls
dismod.c dispol.c Makefile
# make
cc -g -Wall -O2 -pipe -I/usr/include -c -o dispol.o dispol.c
dispol.c: In function ‘main’:
dispol.c:438:8: warning: ignoring return value of ‘fgets’, declared with attribute warn_unused_result
dispol.c:465:9: warning: ignoring return value of ‘fgets’, declared with attribute warn_unused_result
dispol.c:476:9: warning: ignoring return value of ‘fgets’, declared with attribute warn_unused_result
dispol.c:500:9: warning: ignoring return value of ‘fgets’, declared with attribute warn_unused_result
cc dispol.o -lfl -lsepol -lselinux /usr/lib/libsepol.a -L/usr/lib -o dispol
cc -g -Wall -O2 -pipe -I/usr/include -c -o dismod.o dismod.c
dismod.c: In function ‘main’:
dismod.c:913:8: warning: ignoring return value of ‘fgets’, declared with attribute warn_unused_result
dismod.c:982:9: warning: ignoring return value of ‘fgets’, declared with attribute warn_unused_result
dismod.c: In function ‘link_module’:
dismod.c:787:7: warning: ignoring return value of ‘fgets’, declared with attribute warn_unused_result
cc dismod.o -lfl -lsepol -lselinux /usr/lib/libsepol.a -L/usr/lib -o dismod
# ls
dismod dismod.c dismod.o dispol dispol.c dispol.o Makefile
./dismod postgreylocal.pp
Reading policy...
libsepol.policydb_index_others: security: 0 users, 1 roles, 3 types, 0 bools
libsepol.policydb_index_others: security: 0 sens, 0 cats
libsepol.policydb_index_others: security: 2 classes, 0 rules, 0 cond rules
libsepol.policydb_index_others: security: 0 users, 1 roles, 3 types, 0 bools
libsepol.policydb_index_others: security: 0 sens, 0 cats
libsepol.policydb_index_others: security: 2 classes, 0 rules, 0 cond rules
Binary policy module file loaded.
Module name: postgreylocal
Module version: 1.0
Select a command:
1) display unconditional AVTAB
2) display conditional AVTAB
3) display users
4) display bools
5) display roles
6) display types, attributes, and aliases
7) display role transitions
8) display role allows
9) Display policycon
0) Display initial SIDs
a) Display avrule requirements
b) Display avrule declarations
c) Display policy capabilities
l) Link in a module
u) Display the unknown handling setting
F) Display filename_trans rules
f) set output file
m) display menu
q) quit
Command ('m' for menu): 1
unconditional avtab:
--- begin avrule block ---
decl 1:
allow [postfix_smtpd_t] [initrc_t] : [unix_stream_socket] { connectto };
allow [postfix_smtpd_t] [postfix_spool_t] : [sock_file] { write };
Command ('m' for menu): a
avrule block requirements:
--- begin avrule block ---
decl 1:
commons: <empty>
classes: sock_file{ write } unix_stream_socket{ connectto }
roles : <empty>
types : postfix_smtpd_t postfix_spool_t initrc_t
users : <empty>
bools : <empty>
levels : <empty>
cats : <empty>
Command ('m' for menu):
dismod
SELinux 소스 코드에서 찾을 수 있습니다
당신은 같은 문제가 wrong magic number for module package: expected 0xf97cff8f, got 0x39685a42
있습니까?
.pp 파일은 내부적으로 bzip2 형식으로 저장되므로 bzip2 -cdk policyfile.pp > policyfile.pp.out
BEFORE
를 수행해야합니다 semodule_unpackage policyfile.pp.out policyfile.mod
.
bzip2: policy.30 is not a bzip2 file.
file
증명할 수있는 것처럼 bzip2로 압축됩니다 . 접미사가 변경되지 않더라도 ...
sedismod
입니다. 기본 설치checkpolicy
와semodule_unpack
함께 이미 사용 가능 합니다. Btw를 통해semodule_unpackage foo.pp foo.mod foo.fc
filecontexts 파일을 추출 할 수도 있습니다.