
I know I can use semodule -l to see what modules I have. However, I want to see the rules contained in a specific module.

I have read almost all the documentation I can find for semodule, seinfo and sesearch. I cannot find any way to do this.

If it is possible can anyone show me how to do this?

If it is impossible, can anyone explain to me why it has to be so difficult? Isn't it common practice to check what kind of rules are allowed in others' modules?

Especially if we allow rpm to carry policy modules, how would you know it is not something harmful?

When I find some string rules in there, I want to know who to blame.

Update

I researched more. Inspired by this post, I found that in newer OS versions there is /var/lib/selinux/<store>/active/modules/<priority>/<module_name>/{cil,hll,lang_ext}

According to the documentation:

The HLL data, cached CIL data, and HLL extension are stored in /var/lib/selinux/<store>/active/modules/<priority>/<module_name>/{cil,hll,lang_ext}. The lang_ext file contains the extension of the HLL (with no newline), which is used to determine the file in the compiler directory to execute to compile the HLL data to CIL.

It seems the hll file is actually a copy of the .pp file. However, it is not: if I try to use semodule_unpackage or sedismod on the hll file it throws:

libsepol.module_package_read_offsets: wrong magic number for module package:  expected 0xf97cff8f, got 0x35685a42
semodule_unpackage:  Error while reading policy module from /var/lib/selinux/targeted/active/modules/.../hll

So until now I still do not have any solution for this.

Greg Askew
Wang
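As an added example (not from the question or any answer), one way to read a module's rules from the store paths mentioned in the update. It assumes the stored cil file is bzip2-compressed, which is what the "got 0x35685a42" in the error output indicates (those bytes read "BZh5", the bzip2 header), and it uses constructed CIL text with hypothetical type names.

```python
import bz2
import glob
import os
import re
import tempfile
# Constructed sample of the text kept in a module's "cil" file; hypothetical types.
SAMPLE_CIL = """\
(allow myapp_t etc_t (file (read open getattr)))
(allow myapp_t myapp_log_t (file (create write append)))
(typetransition myapp_t var_log_t file myapp_log_t)
"""
# The 0x35685a42 in the question is the bytes "BZh5": the stored file is bzip2 data.
BZIP2_MAGIC = b"BZh"
ALLOW_RE = re.compile(r"\(allow\s+(\S+)\s+(\S+)\s+\((\S+)\s+\(([^)]*)\)\)\)")

def decode_module_file(data):
    """Decompress a stored cil/hll blob if it is bzip2, else pass it through."""
    if data.startswith(BZIP2_MAGIC):
        data = bz2.decompress(data)
    return data.decode("utf-8", errors="replace")

def allow_rules(cil_text):
    """Return (source, target, class, perms) for every CIL allow statement."""
    return [(s, t, c, tuple(p.split())) for s, t, c, p in ALLOW_RE.findall(cil_text)]

def module_cil_paths(name, store="targeted", root="/var/lib/selinux"):
    """Find the module's cached CIL at every priority, highest priority first."""
    pattern = os.path.join(root, store, "active", "modules", "*", name, "cil")
    return sorted(glob.glob(pattern), key=lambda p: int(p.split(os.sep)[-3]), reverse=True)

def rules_for_module(name, store="targeted", root="/var/lib/selinux"):
    """Map each stored CIL path of the module to its parsed allow rules."""
    out = {}
    for path in module_cil_paths(name, store, root):
        with open(path, "rb") as f:
            out[path] = allow_rules(decode_module_file(f.read()))
    return out

def self_check():
    """Build a fake store in a temp dir with a bzip2-compressed cil file and parse it."""
    root = tempfile.mkdtemp()
    mod_dir = os.path.join(root, "targeted", "active", "modules", "100", "myapp")
    os.makedirs(mod_dir)
    with open(os.path.join(mod_dir, "cil"), "wb") as f:
        f.write(bz2.compress(SAMPLE_CIL.encode()))
    return list(rules_for_module("myapp", root=root).values())[0]

if __name__ == "__main__":
    import sys
    for path, rules in rules_for_module(sys.argv[1]).items():
        for s, t, c, p in rules:
            print(f"{path}: allow {s} {t}:{c} {{ {' '.join(p)} }}")
```

Run it as root with a module name to list that module's allow rules from each priority at which it is installed; the same decoding applies to the hll file, which should then be the .pp that semodule_unpackage expects.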

0 Answers