-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 07/16/2013 11:06 AM, David Quigley wrote:
> On 07/15/2013 11:50, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 07/14/2013 05:41 PM, David Quigley wrote:
>> On 07/14/2013 11:00, Dominick Grift wrote:
>>> On Sun, 2013-07-14 at 01:26 -0400, Dave Quigley wrote:
>>>> Do we have an equivalent of matchpathcon for ports? Where we can
>>>> specify a protocol and port and see what the policy thinks it
>>>> labeled?
>>>>
>>>
>>> from man sepolicy-network:
>>>
>>>> sepolicy-network(8)
>>>>
>>>> sepolicy-network(8)
>>>>
>>>> NAME sepolicy-network - Examine the SELinux Policy and generate a
>>>> network report
>>>>
>>>> SYNOPSIS sepolicy network [-h] (-l | -p PORT [PORT ...] | -t TYPE
>>>> [TYPE ...] | -d DOMAIN [DOMAIN ...])
>>>>
>>>> DESCRIPTION Use sepolicy network to examine SELinux Policy and
>>>> generate network reports.
>>>>
>>>> OPTIONS -d, --domain Generate a report listing the ports to which
>>>> the specified domain is allowed to connect and or bind.
>>>>
>>>> -l, --list List all Network Port Types defined in SELinux Policy
>>>>
>>>> -h, --help Display help message
>>>>
>>>> -t, --type Generate a report listing the port numbers associate
>>>> with the specified SELinux port type.
>>>>
>>>> -p, --port Generate a report listing the SELinux port types
>>>> associate with the specified port number.
>>>>
>>>> AUTHOR This man page was written by Daniel Walsh
>>>> <dwalsh(a)redhat.com>
>>>>
>>>> SEE ALSO sepolicy(8), selinux(8), semanage(8)
>>>>
>>>>
>>>> 20121005 sepolicy-network(8)
>>>
>>>> Dave
>>>> -- selinux mailing list selinux(a)lists.fedoraproject.org
>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>
>> This is exactly what I needed thanks. I normally try looking through
>> semanage port -l but the problem is with ranges you can't just search
>> for what the port for something like 10234 is. This tool is exactly
>> that. I can just do sepolicy-network -p 10234. The only thing that
>> seems to be lacking is a way to specify protocol. However I don't think
>> that's a big deal since we only support 3 protocol types.
>>
>> Dave
>>
>
> sepolicy-network -p 10234 | grep udp
>
> :^)
> That somewhat works :) because if you were to do
>
> sepolicy network -p 80 | grep tcp
>
> you still get:
>
> 80: tcp http_port_t 80
> 80: tcp reserved_port_t 1-511
>
> So there is no definitive statement that, if you try to access port tcp
> 80, you need to be able to bind to http_port_t.
Do you have a preference of what you would like to see?
We could add
sepolicy network -p 80 -P tcp
And return only the tcp ports, but this would still get you
80: tcp http_port_t 80
80: tcp reserved_port_t 1-511
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird -
http://www.enigmail.net/
iEYEARECAAYFAlHlYvoACgkQrlYvE4MpobPqcQCg5F1WcoEam4HP3eSx9NW8bE5l
E0oAn30rFjegGXCd+vN6GDk/nDS72VHu
=HaZy
-----END PGP SIGNATURE-----