On 07/16/2013 11:06 AM, David Quigley wrote:
> On 07/15/2013 11:50, Daniel J Walsh wrote:
>> On 07/14/2013 05:41 PM, David Quigley wrote:
>>> On 07/14/2013 11:00, Dominick Grift wrote:
>>>> On Sun, 2013-07-14 at 01:26 -0400, Dave Quigley wrote:
>>>>> Do we have an equivalent of matchpathcon for ports, where we can
>>>>> specify a protocol and port and see what the policy thinks it is
>>>>> labeled?
>>>>>
>>>>
>>>> from man sepolicy-network:
>>>>
>>>>> sepolicy-network(8)                                sepolicy-network(8)
>>>>>
>>>>> NAME
>>>>>        sepolicy-network - Examine the SELinux Policy and generate a
>>>>>        network report
>>>>>
>>>>> SYNOPSIS
>>>>>        sepolicy network [-h] (-l | -p PORT [PORT ...] | -t TYPE
>>>>>        [TYPE ...] | -d DOMAIN [DOMAIN ...])
>>>>>
>>>>> DESCRIPTION
>>>>>        Use sepolicy network to examine SELinux Policy and generate
>>>>>        network reports.
>>>>>
>>>>> OPTIONS
>>>>>        -d, --domain
>>>>>               Generate a report listing the ports to which the
>>>>>               specified domain is allowed to connect and or bind.
>>>>>
>>>>>        -l, --list
>>>>>               List all Network Port Types defined in SELinux Policy
>>>>>
>>>>>        -h, --help
>>>>>               Display help message
>>>>>
>>>>>        -t, --type
>>>>>               Generate a report listing the port numbers associated
>>>>>               with the specified SELinux port type.
>>>>>
>>>>>        -p, --port
>>>>>               Generate a report listing the SELinux port types
>>>>>               associated with the specified port number.
>>>>>
>>>>> AUTHOR
>>>>>        This man page was written by Daniel Walsh <dwalsh@xxxxxxxxxx>
>>>>>
>>>>> SEE ALSO
>>>>>        sepolicy(8), selinux(8), semanage(8)
>>>>>
>>>>> 20121005                                           sepolicy-network(8)
>>>>
>>>>> Dave
>>>>> --
>>>>> selinux mailing list
>>>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>
>>> This is exactly what I needed, thanks. I normally try looking through
>>> semanage port -l, but the problem is that with ranges you can't just
>>> search for what the port for something like 10234 is. This tool is
>>> exactly that. I can just do sepolicy-network -p 10234. The only thing
>>> that seems to be lacking is a way to specify protocol. However, I don't
>>> think that's a big deal since we only support 3 protocol types.
>>>
>>> Dave
>>
>> sepolicy-network -p 10234 | grep udp
>>
>> :^)
>
> That somewhat works :) because if you were to do
>
> sepolicy network -p 80 | grep tcp
>
> You still get:
>
> 80: tcp http_port_t 80
> 80: tcp reserved_port_t 1-511
>
> So there is no definitive answer that if you try to access port tcp 80
> you need to be able to bind to http_port_t.

Do you have a preference of what you would like to see? We could add

sepolicy network -p 80 -P tcp

And return only the tcp ports, but this would still get you

80: tcp http_port_t 80
80: tcp reserved_port_t 1-511
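The gap the thread circles around is that neither `semanage port -l` (which is grep-hostile because of ranges) nor `sepolicy network -p` (which has no protocol filter) tells you, for one protocol and port, every port type whose definition covers it. The script below is an added example written for this page; it is not part of sepolicy, semanage or the SELinux project. It parses the layout `semanage port -l` prints, filters by protocol, and lists every matching type with the narrowest definition first, so tcp/80 shows http_port_t ahead of the reserved_port_t 1-511 range that also covers it. The embedded `semanage port -l` excerpt is constructed for the example, not captured from a host, and the "narrowest first" ordering is a reading convenience: the kernel resolves a port's label from the policy's own portcon ordering, which this tool does not consult.

```python
"""Protocol-aware port-label lookup over `semanage port -l` output.

Added example for this thread; not part of sepolicy or semanage.
"""
import re
import shutil
import subprocess
from dataclasses import dataclass

# Constructed excerpt in the layout `semanage port -l` prints. It is not
# captured from a real host, so treat the entries as illustrative only.
SAMPLE_SEMANAGE_PORT_L = """\
SELinux Port Type              Proto    Port Number

afs3_callback_port_t           tcp      7001
afs3_callback_port_t           udp      7001
ephemeral_port_t               tcp      32768-61000
ephemeral_port_t               udp      32768-61000
hi_reserved_port_t             tcp      512-1023
hi_reserved_port_t             udp      512-1023
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
reserved_port_t                tcp      1-511
reserved_port_t                udp      1-511
unreserved_port_t              tcp      1024-32767, 61001-65535
unreserved_port_t              udp      1024-32767, 61001-65535
"""


@dataclass(frozen=True)
class PortRule:
    """One port or port range bound to a type for one protocol."""
    setype: str
    proto: str
    low: int
    high: int

    @property
    def width(self) -> int:
        return self.high - self.low + 1

    def __str__(self) -> str:
        span = str(self.low) if self.low == self.high else f"{self.low}-{self.high}"
        return f"{self.proto} {self.setype} {span}"


def parse_semanage_ports(text: str) -> list:
    """Turn `semanage port -l` output into one PortRule per port or range."""
    rules = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        # Skip the header, blank lines and anything not "<type> <proto> <ports>".
        if len(parts) != 3 or parts[0] == "SELinux":
            continue
        setype, proto, ports = parts
        for item in ports.split(","):
            m = re.fullmatch(r"(\d+)(?:-(\d+))?", item.strip())
            if m is None:
                raise ValueError(f"unparseable port field: {item!r}")
            low = int(m.group(1))
            high = int(m.group(2)) if m.group(2) else low
            rules.append(PortRule(setype, proto, low, high))
    return rules


def lookup(rules, port: int, proto: str) -> list:
    """Every rule covering (proto, port), narrowest definition first.

    Narrowest-first is a presentation choice for the reader; it is not how
    the kernel picks the label, which follows the policy's portcon order.
    """
    hits = [r for r in rules if r.proto == proto and r.low <= port <= r.high]
    return sorted(hits, key=lambda r: (r.width, r.setype))


def load_live_rules() -> list:
    """Parse the running host's `semanage port -l` (needs SELinux tools, usually root)."""
    if shutil.which("semanage") is None:
        raise RuntimeError("semanage not found; run this on an SELinux host")
    out = subprocess.run(["semanage", "port", "-l"], check=True,
                         capture_output=True, text=True).stdout
    return parse_semanage_ports(out)


if __name__ == "__main__":
    rules = parse_semanage_ports(SAMPLE_SEMANAGE_PORT_L)
    for port, proto in [(80, "tcp"), (80, "udp"), (10234, "udp"), (7001, "tcp")]:
        print(f"{proto}/{port}:")
        for hit in lookup(rules, port, proto):
            print(f"    {hit}")
```

Run against the constructed sample, tcp/80 lists http_port_t and then reserved_port_t, while udp/80 lists only reserved_port_t, which is the protocol distinction `sepolicy network -p 80 | grep tcp` cannot make on its own. Swap `parse_semanage_ports(SAMPLE_SEMANAGE_PORT_L)` for `load_live_rules()` to query the host's actual policy, including any local `semanage port -a` additions.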