A couple of years ago I added some Python bindings for setools. I hoped we would start to see new tools arise to analyze SELinux policy, maybe making SELinux easier to use and understand.
Lately I have gone back to these tools and started playing with them to see what tools I could build.
Over the last couple of days I have hacked together a little script called senetwork.
The goal was to answer questions like:
What ports can a particular domain connect to? Bind to?
# senetwork ftpd_t
ftpd_t tcp name_connect
ftpd_t tcp name_bind
port_t: all ports with out defined types
What type(s) are associated with a particular port number?
# senetwork 8080
8080: tcp unreserved_port_t 1024-32767
8080: udp unreserved_port_t 1024-32767
8080: tcp http_cache_port_t 8080
What ports are associated with a particular port_type?
# senetwork ftp_port_t
ftp_port_t: tcp: 21,990
ftp_port_t: udp: 990
Basically senetwork looks at the argument, figures out whether it is a number, a port type or a domain type, and then prints out the information.
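The argument dispatch described above, as an added sketch that is not the senetwork source and does not use the setools bindings: the port table is constructed sample data modelled on the outputs shown in this post, and the names `PORT_CONTEXTS`, `classify` and the `senetwork` function are hypothetical.

```python
import sys

# Constructed sample table (not read from a real policy): (type, proto, low, high)
PORT_CONTEXTS = [
    ("ftp_port_t", "tcp", 21, 21),
    ("ftp_port_t", "tcp", 990, 990),
    ("ftp_port_t", "udp", 990, 990),
    ("http_cache_port_t", "tcp", 8080, 8080),
    ("unreserved_port_t", "tcp", 1024, 32767),
    ("unreserved_port_t", "udp", 1024, 32767),
]

def fmt_range(low, high):
    return str(low) if low == high else f"{low}-{high}"

def classify(arg):
    """Return 'port', 'port_type' or 'domain' for a command-line argument."""
    if arg.isdecimal():
        return "port"
    if any(arg == ptype for ptype, _, _, _ in PORT_CONTEXTS):
        return "port_type"
    return "domain"  # assumption: any other name is treated as a domain type

def senetwork(arg):
    """Answer the query as a list of output lines."""
    kind = classify(arg)
    if kind == "port":
        port = int(arg)
        if not 0 < port <= 65535:
            raise ValueError(f"not a valid port number: {arg}")
        # A port can fall inside several labelled ranges, so collect every match.
        hits = [f"{arg}: {proto} {ptype} {fmt_range(low, high)}"
                for ptype, proto, low, high in PORT_CONTEXTS if low <= port <= high]
        # Ports with no defined type fall back to port_t.
        return hits or [f"{arg}: port_t (no defined type)"]
    if kind == "port_type":
        by_proto = {}
        for ptype, proto, low, high in PORT_CONTEXTS:
            if ptype == arg:
                by_proto.setdefault(proto, []).append(fmt_range(low, high))
        return [f"{arg}: {proto}: {','.join(r)}" for proto, r in by_proto.items()]
    # Domain queries need the policy's name_connect/name_bind allow rules,
    # which this sample table does not model.
    return [f"{arg}: domain type (allow-rule lookup not modelled)"]

if __name__ == "__main__":
    for line in senetwork(sys.argv[1]):
        print(line)
```

The port lookup returns every overlapping entry, which is why 8080 reports both the broad unreserved range and its specific http_cache_port_t label.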
I plan on packaging up these little scriptlets with setools-console.
Dan Walsh's Blog
- senetwork: new tool for examining SELinux networking policy.