How to Match SELinux Rules, Transitions, and Labels to Modules

linux security selinux

I need to match running/loaded SELinux rules/transitions/labels/etc. to the SELinux policy modules where they are defined (semodule -l). I need this because I want to study some SELinux policy modules in context and I need to know which ones I should check.

Is there any easier way to do that than to download all SELinux-related "src" packages, filter out the modules not in use and grep the resulting files for that info?

Best Answer

Apparently, there's not a way to do that. It might be related to the fact that the policy a machine is using is compiled from the modules, which only exist in the source code:

# file /etc/selinux/default/policy/policy.26
/etc/selinux/default/policy/policy.26: SE Linux policy v26 MLS 8 symbols 7 ocons

# file -i /etc/selinux/default/policy/policy.26
/etc/selinux/default/policy/policy.26: application/octet-stream; charset=binary

The very detail of what module included what rule is lost after the compilation step.

However, given that you want to study some SELinux policy modules (as in some specific modules), you can do it the other way round, and either:

  1. Install the refpolicy package for your distribution. It contains the source code (yes, not what you asked for, but probably the easiest way)

  2. Extract all the information from a compiled policy package file. You can find these files in /etc/selinux/$policy/modules/active/modules/*pp. A very detailed explanation on how to decompile a module has already been posted here.
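An added example (not part of the original answer) of the source-side lookup from option 1: it indexes refpolicy-style `.te` files by module and reports which loaded modules declare a type or name it in a rule. The module and type names and the sample `semodule -l` output are constructed; only literal statements in `.te` files are matched, so rules that come from interface or macro expansion are not traced.

```python
import re, tempfile
from pathlib import Path

MODULE_RE = re.compile(r"^\s*policy_module\(\s*([\w-]+)", re.M)
TYPE_RE = re.compile(r"^\s*type\s+(\w+)", re.M)
RULE_RE = re.compile(r"^\s*(allow|auditallow|dontaudit|neverallow|type_transition)\s+([^;]+);", re.M)

def index_sources(src_dir):
    """Map module name -> declared types and literal rules, from *.te files."""
    index = {}
    for te in sorted(Path(src_dir).rglob("*.te")):
        text = re.sub(r"#.*", "", te.read_text())  # drop comments
        m = MODULE_RE.search(text)
        name = m.group(1) if m else te.stem  # fall back to the file name
        index[name] = {"types": set(TYPE_RE.findall(text)),
                       "rules": [(k, " ".join(r.split())) for k, r in RULE_RE.findall(text)]}
    return index

def parse_semodule_list(output):
    """Module names are the first column of `semodule -l` output."""
    return {line.split()[0] for line in output.splitlines() if line.strip()}

def modules_for_type(index, type_name, loaded=None):
    """Modules that declare type_name or use it in a rule, limited to `loaded` if given."""
    pat = re.compile(rf"\b{re.escape(type_name)}\b")
    hits = {}
    for mod, data in index.items():
        if loaded is not None and mod not in loaded:
            continue
        rules = [f"{k} {r};" for k, r in data["rules"] if pat.search(r)]
        if type_name in data["types"] or rules:
            hits[mod] = {"declares": type_name in data["types"], "rules": rules}
    return hits

def demo():
    # Constructed sample sources; real input would be the unpacked refpolicy tree.
    files = {
        "demo_web.te": "policy_module(demo_web, 1.0.0)\ntype demo_web_t;\ntype demo_web_exec_t;\n"
                       "allow demo_web_t demo_web_log_t:file { append create };\n",
        "demo_log.te": "policy_module(demo_log, 1.0.0)\ntype demo_web_log_t;\n"
                       "allow demo_web_t self:process signal; # unrelated rule\n",
        "demo_unused.te": "policy_module(demo_unused, 1.0.0)\nallow demo_x_t demo_web_log_t:file read;\n"}
    with tempfile.TemporaryDirectory() as d:
        for name, body in files.items():
            (Path(d) / name).write_text(body)
        index = index_sources(d)
    loaded = parse_semodule_list("demo_web\t1.0.0\ndemo_log\t1.0.0\n")  # constructed output
    return modules_for_type(index, "demo_web_log_t", loaded)

if __name__ == "__main__":
    for mod, info in demo().items(): print(mod, info)
```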