On 07/14/2013 05:41 PM, David Quigley wrote:
> On 07/14/2013 11:00, Dominick Grift wrote:
>> On Sun, 2013-07-14 at 01:26 -0400, Dave Quigley wrote:
>>> Do we have an equivalent of matchpathcon for ports? Where we can
>>> specify a protocol and port and see what the policy thinks it
>>> labeled?
>>>
>>
>> from man sepolicy-network:
>>
>>> sepolicy-network(8)
>>>
>>> NAME
>>>     sepolicy-network - Examine the SELinux Policy and generate a network report
>>>
>>> SYNOPSIS
>>>     sepolicy network [-h] (-l | -p PORT [PORT ...] | -t TYPE [TYPE ...] | -d DOMAIN [DOMAIN ...])
>>>
>>> DESCRIPTION
>>>     Use sepolicy network to examine SELinux Policy and generate network reports.
>>>
>>> OPTIONS
>>>     -d, --domain   Generate a report listing the ports to which the specified
>>>                    domain is allowed to connect and/or bind.
>>>
>>>     -l, --list     List all Network Port Types defined in SELinux Policy
>>>
>>>     -h, --help     Display help message
>>>
>>>     -t, --type     Generate a report listing the port numbers associated with
>>>                    the specified SELinux port type.
>>>
>>>     -p, --port     Generate a report listing the SELinux port types associated
>>>                    with the specified port number.
>>>
>>> AUTHOR
>>>     This man page was written by Daniel Walsh <dwalsh(a)redhat.com>
>>>
>>> SEE ALSO
>>>     sepolicy(8), selinux(8), semanage(8)
>>>
>>> 20121005                                                    sepolicy-network(8)
>>
>>> Dave
>>> --
>>> selinux mailing list
>>> selinux(a)lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
> This is exactly what I needed, thanks. I normally try looking through
> semanage port -l but the problem is with ranges you can't just search
> for what the port for something like 10234 is. This tool is exactly
> that. I can just do sepolicy-network -p 10234. The only thing that
> seems to be lacking is a way to specify protocol. However I don't think
> that's a big deal since we only support 3 protocol types.
>
> Dave
>
sepolicy-network -p 10234 | grep udp
:^)
That somewhat works :) because if you were to do sepolicy network -p 80 | grep tcp
you still get:

80: tcp http_port_t 80
80: tcp reserved_port_t 1-511

So there is no definitive answer that, if you try to access port tcp 80, you need
to be able to bind to http_port_t.
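A small lookup that does what the thread asks for, as an added example (not from the original thread, nor part of the sepolicy or semanage tools): it parses output in the `semanage port -l` layout so that ranges such as reserved_port_t 1-511 are matched, filters by protocol, and lists every covering type with the narrowest range first. The sample table is constructed, not captured from a real host, and the `sctp`/`dccp` protocol names in the pattern are an assumption beyond the three protocols the thread mentions.

```python
import re
from typing import List, Tuple

# Constructed sample in the layout `semanage port -l` prints; not captured from a real host.
SAMPLE = """\
SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
reserved_port_t                tcp      1-511
reserved_port_t                udp      1-511
hi_reserved_port_t             tcp      512-1023
unreserved_port_t              tcp      1024-65535
unreserved_port_t              udp      1024-65535
"""

LINE_RE = re.compile(r"^(\S+)\s+(tcp|udp|sctp|dccp)\s+(.+)$")

def parse_port_table(text: str) -> List[Tuple[str, str, int, int]]:
    """Return (type, proto, low, high) rows; a single port becomes low == high."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, blank line, or a line we do not understand
        ptype, proto, ports = m.groups()
        for item in ports.split(","):
            low, _, high = item.strip().partition("-")
            rows.append((ptype, proto, int(low), int(high or low)))
    return rows

def lookup(rows, proto: str, port: int) -> List[Tuple[str, int, int]]:
    """All (type, low, high) rows covering port on proto, narrowest range first.

    The narrowest match is the type a policy writer most likely meant; the
    wider ones (reserved_port_t 1-511 for tcp/80) still apply, which is why
    `sepolicy network -p 80` lists more than one type.
    """
    hits = [(t, lo, hi) for t, p, lo, hi in rows if p == proto and lo <= port <= hi]
    return sorted(hits, key=lambda h: (h[2] - h[1], h[0]))

if __name__ == "__main__":
    table = parse_port_table(SAMPLE)
    for proto, port in (("tcp", 80), ("tcp", 10234), ("udp", 80)):
        print(proto, port, lookup(table, proto, port))
```

On a real system feed it the actual output, e.g. `parse_port_table(subprocess.run(["semanage", "port", "-l"], capture_output=True, text=True).stdout)`.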