matchportcon?

David Quigley selinux at davequigley.com
Sun Jul 14 21:41:51 UTC 2013


On 07/14/2013 11:00, Dominick Grift wrote:
> On Sun, 2013-07-14 at 01:26 -0400, Dave Quigley wrote:
>> Do we have an equivalent of matchpathcon for ports? Where we can 
>> specify
>> a protocol and port and see what the policy thinks it labeled?
>>
>
> from man sepolicy-network:
>
>> sepolicy-network(8)                                          sepolicy-network(8)
>>
>> NAME
>>        sepolicy-network - Examine the SELinux Policy and generate a 
>> network report
>>
>> SYNOPSIS
>>        sepolicy network [-h] (-l | -p PORT [PORT ...] | -t TYPE 
>> [TYPE ...] | -d DOMAIN [DOMAIN ...])
>>
>> DESCRIPTION
>>        Use sepolicy network to examine SELinux Policy and generate 
>> network reports.
>>
>> OPTIONS
>>        -d, --domain
>>               Generate a report listing the ports to which the 
>> specified domain is allowed to connect and or bind.
>>
>>        -l, --list
>>               List all Network Port Types defined in SELinux Policy
>>
>>        -h, --help
>>               Display help message
>>
>>        -t, --type
>>               Generate a report listing the port numbers associate 
>> with the specified SELinux port type.
>>
>>        -p, --port
>>               Generate a report listing the SELinux port types 
>> associate with the specified port number.
>>
>> AUTHOR
>>        This man page was written by Daniel Walsh <dwalsh at redhat.com>
>>
>> SEE ALSO
>>        sepolicy(8), selinux(8), semanage(8)
>>
>>                              20121005                        sepolicy-network(8)
>
>> Dave
>> --
>> selinux mailing list
>> selinux at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux

This is exactly what I needed, thanks. I normally try looking through 
semanage port -l, but the problem is that with ranges you can't just search 
for what the port for something like 10234 is. This tool is exactly 
that. I can just do sepolicy-network -p 10234. The only thing that seems 
to be lacking is a way to specify the protocol. However, I don't think that's 
a big deal since we only support 3 protocol types.

Dave
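The range problem Dave describes above (a plain `grep 10234` over `semanage port -l` finds nothing when the port sits inside a listed range) is easy to solve with a small lookup that expands the ranges and also takes the protocol into account. The script below is an added example and is not part of this thread or of the sepolicy tool; it parses the `semanage port -l` listing format and answers "which port type(s) does the policy give to proto/port". The listing it works on is constructed sample data, not output captured from a real system, so the types and numbers in it are only illustrative.

```python
"""Look up the SELinux port type for a protocol/port pair by parsing
`semanage port -l` output, expanding port ranges such as 5671-5672.

Added example, not from the mailing-list thread or the sepolicy project.
"""
import re
import sys
import subprocess
from typing import Dict, List, Tuple

# Constructed sample in the layout printed by `semanage port -l`:
# "<port type>  <proto>  <comma-separated ports and lo-hi ranges>".
# Entries are illustrative, not copied from a real policy.
SAMPLE_SEMANAGE_PORT_OUTPUT = """\
SELinux Port Type              Proto    Port Number

afs3_callback_port_t           tcp      7001
afs3_callback_port_t           udp      7001
amqp_port_t                    tcp      15672, 5671-5672
amqp_port_t                    udp      5671-5672
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
unreserved_port_t              tcp      61001-65535
unreserved_port_t              udp      61001-65535
"""

PortRange = Tuple[int, int]
# proto -> [(port type, (low, high))], kept in listing order
PortTable = Dict[str, List[Tuple[str, PortRange]]]

_PORT_ITEM = re.compile(r"(\d+)(?:-(\d+))?")


def parse_semanage_port(text: str) -> PortTable:
    """Parse the `semanage port -l` listing into a per-protocol table."""
    table: PortTable = {}
    for raw in text.splitlines():
        line = raw.strip()
        # Skip the column header and blank lines.
        if not line or line.startswith("SELinux Port Type"):
            continue
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue  # not a data row
        port_type, proto, ports = parts
        for item in ports.split(","):
            m = _PORT_ITEM.fullmatch(item.strip())
            if not m:
                continue
            low = int(m.group(1))
            high = int(m.group(2)) if m.group(2) else low
            table.setdefault(proto, []).append((port_type, (low, high)))
    return table


def match_port(table: PortTable, proto: str, port: int) -> List[str]:
    """Return every port type whose entry covers `port` for `proto`.

    An empty list means the policy has no portcon for that pair (the port
    then falls back to the generic port context, which this listing does
    not show).
    """
    return [ptype for ptype, (low, high) in table.get(proto, [])
            if low <= port <= high]


# Table built from the constructed sample so the functions can be exercised offline.
TABLE = parse_semanage_port(SAMPLE_SEMANAGE_PORT_OUTPUT)


if __name__ == "__main__":
    # Usage: python lookup.py tcp 10234  (runs semanage if available,
    # otherwise falls back to the constructed sample).
    proto, port = sys.argv[1], int(sys.argv[2])
    try:
        listing = subprocess.run(["semanage", "port", "-l"], check=True,
                                 capture_output=True, text=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        listing = SAMPLE_SEMANAGE_PORT_OUTPUT
    for ptype in match_port(parse_semanage_port(listing), proto, port) or ["(no match)"]:
        print(ptype)
```

When a single port is covered by more than one entry the function returns all of them in listing order rather than picking one, so that any overlap introduced by a local `semanage port -a` customisation stays visible to whoever is auditing the port labels.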
