Re: matchportcon?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/16/2013 11:06 AM, David Quigley wrote:
> On 07/15/2013 11:50, Daniel J Walsh wrote:
>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>> 
>> On 07/14/2013 05:41 PM, David Quigley wrote:
>>> On 07/14/2013 11:00, Dominick Grift wrote:
>>>> On Sun, 2013-07-14 at 01:26 -0400, Dave Quigley wrote:
>>>>> Do we have an equivalent of matchpathcon for ports? Where we can 
>>>>> specify a protocol and port and see what the policy thinks it
>>>>> labeled?
>>>>> 
>>>> 
>>>> from man sepolicy-network:
>>>> 
>>>>> sepolicy-network(8)
>>>>> 
>>>>> sepolicy-network(8)
>>>>> 
>>>>> NAME sepolicy-network - Examine the SELinux Policy and generate a 
>>>>> network report
>>>>> 
>>>>> SYNOPSIS sepolicy network [-h] (-l | -p PORT [PORT ...] | -t TYPE
>>>>> [TYPE ...] | -d DOMAIN [DOMAIN ...])
>>>>> 
>>>>> DESCRIPTION Use sepolicy network to examine SELinux Policy and
>>>>> generate network reports.
>>>>> 
>>>>> OPTIONS -d, --domain Generate a report listing the ports to which
>>>>> the specified domain is allowed to connect and or bind.
>>>>> 
>>>>> -l, --list List all Network Port Types defined in SELinux Policy
>>>>> 
>>>>> -h, --help Display help message
>>>>> 
>>>>> -t, --type Generate a report listing the port numbers associate
>>>>> with the specified SELinux port type.
>>>>> 
>>>>> -p, --port Generate a report listing the SELinux port types
>>>>> associate with the specified port number.
>>>>> 
>>>>> AUTHOR This man page was written by Daniel Walsh
>>>>> <dwalsh@xxxxxxxxxx>
>>>>> 
>>>>> SEE ALSO sepolicy(8), selinux(8), semanage(8)
>>>>> 
>>>>> 
>>>>> 20121005 sepolicy-network(8)
>>>> 
>>>>> Dave -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx 
>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>> 
>>> This is exactly what I needed thanks. I normally try looking through 
>>> semanage port -l but the problem is with ranges you can't just search
>>> for what the port for something like 10234 is. This tool is exactly
>>> that. I can just do sepolicy-network -p 10234. The only thing that
>>> seems to be lacking is a way to specify protocol. However I don't think
>>> that's a big deal since we only support 3 protocol types.
>>> 
>>> Dave
>>> 
>>> -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx 
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>> 
>> sepolicy-network -p 10234 | grep udp
>> 
>> :^)
> 
> That somewhat works :) because if you were to do sepolicy network -p 80 |
> grep tcp
> 
> You still get:
> 
> 80: tcp http_port_t 80 80: tcp reserved_port_t 1-511
> 
> So there is no definitive if you try to access port tcp 80 you need to be
> able to bind to http_port_t. -- selinux mailing list 
> selinux@xxxxxxxxxxxxxxxxxxxxxxx 
> https://admin.fedoraproject.org/mailman/listinfo/selinux
> 
> 
Do you have a preference of what you would like to see?

We could add

sepolicy network -p 80 -P tcp

And return only the tcp ports, but this would still get you

80: tcp http_port_t 80
80: tcp reserved_port_t 1-511


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlHlYvoACgkQrlYvE4MpobPqcQCg5F1WcoEam4HP3eSx9NW8bE5l
E0oAn30rFjegGXCd+vN6GDk/nDS72VHu
=HaZy
-----END PGP SIGNATURE-----
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux





[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux