Re: matchportcon?

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 07/14/2013 05:41 PM, David Quigley wrote: > On 07/14/2013 11:00, Dominick Grift wrote: >> On Sun, 2013-07-14 at 01:26 -0400, Dave Quigley wrote: >>> Do we have an equivalent of matchpathcon for ports? Where we can >>> specify a protocol and port and see what the policy thinks it >>> labeled? >>> >> >> from man sepolicy-network: >> >>> sepolicy-network(8) >>> >>> sepolicy-network(8) >>> >>> NAME sepolicy-network - Examine the SELinux Policy and generate a >>> network report >>> >>> SYNOPSIS sepolicy network [-h] (-l | -p PORT [PORT ...] | -t TYPE >>> [TYPE >>> ...] | -d DOMAIN [DOMAIN ...]) >>> >>> DESCRIPTION Use sepolicy network to examine SELinux Policy and >>> generate >>> network reports. >>> >>> OPTIONS -d, --domain Generate a report listing the ports to which >>> the >>> specified domain is allowed to connect and or bind. >>> >>> -l, --list List all Network Port Types defined in SELinux Policy >>> >>> -h, --help Display help message >>> >>> -t, --type Generate a report listing the port numbers associate >>> with >>> the specified SELinux port type. >>> >>> -p, --port Generate a report listing the SELinux port types >>> associate >>> with the specified port number. >>> >>> AUTHOR This man page was written by Daniel Walsh >>> <dwalsh(a)redhat.com&gt; >>> >>> SEE ALSO sepolicy(8), selinux(8), semanage(8) >>> >>> >>> 20121005 sepolicy-network(8) >> >>> Dave -- selinux mailing list selinux(a)lists.fedoraproject.org >>> https://admin.fedoraproject.org/mailman/listinfo/selinux > > This is exactly what I needed thanks. I normally try looking through > semanage port -l but the problem is with ranges you can't just > search for > what the port for something like 10234 is. This tool is exactly > that. I can > just do sepolicy-network -p 10234. The only thing that seems to be > lacking > is a way to specify protocol. However I don't think that's a big > deal since > we only support 3 protocol types. > > Dave > > -- selinux mailing list selinux(a)lists.fedoraproject.org > https://admin.fedoraproject.org/mailman/listinfo/selinux sepolicy-network -p 10234 | grep udp :^)