SELinux policy packages (.pp files) are compiled binary representations of security policies. These files contain the rules that define how processes interact with system resources. When working with CentOS, RHEL, or other Linux distributions using SELinux, you'll frequently encounter these compiled policy files in directories like /usr/share/selinux/.
To examine .pp files, you'll need these core utilities from the SELinux toolchain:
# checkpolicy provides sedismod; setools-console provides seinfo and sesearch
sudo yum install policycoreutils policycoreutils-devel checkpolicy setools-console
Most policy packages come compressed. First extract them:
bunzip2 policy.pp.bz2
# Or for gzip compressed files:
gunzip policy.pp.gz
The sedismod command can disassemble the binary policy:
# sedismod reads the raw module, so first split the package into its module and file-contexts parts
semodule_unpackage policy.pp policy.mod policy.fc
# Interactive menu: choose which sections (types, allow rules, ...) to print
sedismod policy.mod
For comprehensive analysis, use these powerful commands:
# View all policy components (seinfo and sesearch read the loaded kernel policy, not a .pp):
seinfo --all
# Check type transition rules:
sesearch -T
# Examine file contexts (the plain-text section bundled in the package):
semodule_unpackage policy.pp policy.mod policy.fc
cat policy.fc
Let's examine a cobbler policy package step-by-step:
# Get the policy file
cp /usr/share/selinux/targeted/cobbler.pp.bz2 ~
cd ~
# Decompress
bunzip2 cobbler.pp.bz2
# Convert the package to CIL and analyze allow rules
/usr/libexec/selinux/hll/pp cobbler.pp cobbler.cil
grep '(allow cobbler_t' cobbler.cil
# Check type transitions (from the loaded policy, once the module is installed)
sesearch -T -s cobbler_t | grep cobbler_t
Create HTML documentation of the policy:
# sepolicy builds man pages for a domain from the installed policy; -w adds HTML output
mkdir -p ~/cobbler-docs
sepolicy manpage -w -d cobbler_t -p ~/cobbler-docs
If you encounter errors like "Invalid policy file", try:
# Check file magic number
file policy.pp
# Should show "SE Linux modular policy version 1, ... mod version N"
# Verify that the module version is one your toolchain supports
checkmodule -V
For regular analysis, create a script like:
#!/bin/bash
set -euo pipefail
POLICY=$1
BASE=${POLICY%.*}
# Text form of the whole module, for grepping
/usr/libexec/selinux/hll/pp "$POLICY" "${BASE}.cil"
grep '(allow ' "${BASE}.cil" > "${BASE}_allow_rules.txt" || true
# File contexts (plain text) and the raw binary module (input for sedismod)
semodule_unpackage "$POLICY" "${BASE}.mod" "${BASE}_file_contexts.txt"
SELinux policy packages (.pp files) are compiled binary policy modules that enforce security rules on Linux systems. These files are typically stored in /usr/share/selinux/<policy_type>/ and contain the actual enforcement rules that SELinux applies.
To inspect the contents of a compiled SELinux policy, you'll need these tools (install via yum install checkpolicy setools-console policycoreutils-devel on CentOS/RHEL):
- sedismod - for disassembling policy modules
- seinfo - for policy analysis
- sesearch - for searching policy rules
Let's walk through a complete example with the cobbler policy mentioned in the question:
# Extract the compressed policy file
cp /usr/share/selinux/targeted/cobbler.pp.bz2 ~/
bunzip2 cobbler.pp.bz2
# Split the package into the binary module and its file contexts
semodule_unpackage cobbler.pp cobbler.mod cobbler.fc
# Disassemble the binary module (interactive; choose the sections to print)
sedismod cobbler.mod
# The file contexts come out as plain text
less cobbler.fc
For quick checks without full disassembly, you can use:
# List types whose names mention cobbler (seinfo reads the loaded kernel policy)
seinfo -t | grep cobbler
# Search for allow rules from the cobbler domain that touch httpd types
sesearch -A -s cobbler_t | grep httpd
# View the file context mappings bundled in the package
semodule_unpackage cobbler.pp cobbler.mod cobbler.fc && cat cobbler.fc
For deeper analysis, convert the binary policy to .cil (Common Intermediate Language) format:
/usr/libexec/selinux/hll/pp cobbler.pp cobbler.cil
# Or, for a module already installed in the policy store, extract it as CIL:
semodule -c -E cobbler
cat cobbler.cil
The .cil format provides more detailed information about policy components and their relationships.
If you encounter errors during disassembly:
- Ensure you have policycoreutils-devel installed
- Verify the .pp file isn't corrupted (try another policy)
- Check that the SELinux tools version matches the policy version
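An added example, not taken from either answer above: a small POSIX shell helper that summarises the allow rules in a CIL file produced by /usr/libexec/selinux/hll/pp (or semodule -c -E), which is the check a reviewer wants before installing a third-party .pp with semodule -i. It assumes one allow rule per line, as pp emits them; the RISKY_PERMS list and the sample CIL text are constructed for this example and are not real cobbler policy.

```shell
#!/bin/sh
# Added example: review helper for CIL produced from a .pp package.
# Assumes one "(allow SRC TGT (CLASS (PERM ...)))" rule per line, which is how
# the pp converter lays them out (rules inside (optional ...) are indented).
# The permission list below is constructed for the example; tune it locally.
RISKY_PERMS='execmem execmod execstack ptrace sys_admin sys_module dac_override'

# Reads CIL on stdin, prints "SRC TGT CLASS PERM..." for every allow rule.
cil_allow_rules() {
    sed -n 's/^[[:space:]]*(allow \([^ ]*\) \([^ ]*\) (\([^ ]*\) (\([^)]*\))))[[:space:]]*$/\1 \2 \3 \4/p'
}

# Reads CIL on stdin, prints "SRC COUNT" per source type, sorted by name.
cil_allow_count() {
    cil_allow_rules | awk '{ n[$1]++ } END { for (s in n) print s, n[s] }' | sort
}

# Reads CIL on stdin, prints the allow rules that grant any risky permission.
cil_flag_risky() {
    cil_allow_rules | awk -v risky="$RISKY_PERMS" '
        BEGIN { k = split(risky, r, " "); for (i = 1; i <= k; i++) set[r[i]] = 1 }
        { for (i = 4; i <= NF; i++) if ($i in set) { print; next } }'
}

# Constructed sample in the shape pp emits for a small module (not real cobbler policy).
sample_cil() {
    cat <<'EOF'
(typeattributeset cil_gen_require httpd_t)
(type cobbler_t)
(type cobbler_var_lib_t)
(allow cobbler_t cobbler_var_lib_t (dir (read write add_name remove_name)))
(allow cobbler_t cobbler_var_lib_t (file (read write create unlink)))
(allow cobbler_t self (process (fork signal execmem)))
(optional cobbler_optional_1
	(allow httpd_t cobbler_var_lib_t (file (read getattr open)))
)
EOF
}

# Stand-alone run over the sample; on a real file use: cil_allow_count < cobbler.cil
echo '== allow rules per source type =='
sample_cil | cil_allow_count
echo '== rules granting a risky permission =='
sample_cil | cil_flag_risky
```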