Dan Walsh's Blog

Got SELinux?


New Security Feature in Fedora 18 Part 8: Introducing sepolicy network
danwalsh
One problem users have with SELinux is understanding the network protections.  SELinux controls which ports a domain is able to connect to and which ports it is able to bind to.  Since SELinux is a type enforcement system, it controls port access via types: processes get assigned types and port numbers get assigned types.  Since users think in terms of port numbers, we built a tool to make it easier for users to understand the relationships.  I originally called this tool senetwork, but now we are shipping it as part of the sepolicy suite.


> man sepolicy-network
sepolicy-network(8)                                                                                                            sepolicy-network(8)

NAME
       sepolicy-network - Examine the SELinux Policy and generate a network report

SYNOPSIS
       sepolicy network [-h] (-l | -p PORT [PORT ...] | -t TYPE [TYPE ...] | -d DOMAIN [DOMAIN ...])

DESCRIPTION
       Use sepolicy network to examine SELinux Policy and generate network reports.

OPTIONS
       -d, --domain
              Generate a report listing the ports to which the specified domain is allowed to connect and or bind.

       -l, --list
              List all Network Port Types defined in SELinux Policy

       -h, --help
              Display help message

       -t, --type
              Generate a report listing the port numbers associate with the specified SELinux port type.

       -p, --port
              Generate a report listing the SELinux port types associate with the specified port number.



sepolicy network allows you to ask SELinux what port type is associated with a specific port number.


sepolicy network --port 8080
8080: tcp unreserved_port_t 1024-32767
8080: udp unreserved_port_t 1024-32767
8080: tcp http_cache_port_t 8080


Or which port numbers are associated with a port type.

sepolicy network -t dns_port_t
dns_port_t: tcp: 53
dns_port_t: udp: 53


Note that sepolicy also supports bash completion.

sepolicy network -t d<tab>
daap_port_t     dccm_port_t     dhcpc_port_t    dict_port_t     dns_port_t      dogtag_port_t  
dbskkd_port_t   dcc_port_t      dhcpd_port_t    distccd_port_t  dnssec_port_t  


Finally, you can ask which ports a process domain type is allowed to connect to or bind to:

# sepolicy network -d cupsd_t
cupsd_t: tcp name_connect
    all ports
cupsd_t: tcp name_bind
    reserved_port_t: 1-511
    rpc_port_type: all ports > 500 and  < 1024
    ipp_port_t: 631,8610-8614
cupsd_t: udp name_bind
    howl_port_t: 5353
    ipp_port_t: 631,8610-8614
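To show how the three reports above (--port, -t and -d) are derived from the same two pieces of policy data, here is an added Python model of that relationship. It is not sepolicy's own code and reads no live policy: the port definitions and allow rules are a small constructed table copied from the output in this post (the real tool gets them from the loaded policy, and a real policy has many more entries). The `port_type` attribute, which covers every port type, is what turns a rule like cupsd_t's tcp name_connect into "all ports".

```python
from collections import namedtuple

# A portcon-style definition: one port type, one protocol, one port range.
PortDef = namedtuple("PortDef", "port_type proto low high")

# Constructed sample of port definitions (hand-copied from the blog output,
# not a dump of a real policy).
PORT_DEFS = [
    PortDef("reserved_port_t", "tcp", 1, 511),
    PortDef("reserved_port_t", "udp", 1, 511),
    PortDef("dns_port_t", "tcp", 53, 53),
    PortDef("dns_port_t", "udp", 53, 53),
    PortDef("ipp_port_t", "tcp", 631, 631),
    PortDef("ipp_port_t", "udp", 631, 631),
    PortDef("http_cache_port_t", "tcp", 8080, 8080),
    PortDef("howl_port_t", "udp", 5353, 5353),
    PortDef("ipp_port_t", "tcp", 8610, 8614),
    PortDef("ipp_port_t", "udp", 8610, 8614),
    PortDef("unreserved_port_t", "tcp", 1024, 32767),
    PortDef("unreserved_port_t", "udp", 1024, 32767),
]

# An allow rule on the tcp_socket/udp_socket class, reduced to what matters here.
AllowRule = namedtuple("AllowRule", "source target proto perm")

# Constructed allow rules matching the cupsd_t report in the post.  A target of
# "port_type" is the attribute that every port type carries, i.e. "all ports".
ALLOW_RULES = [
    AllowRule("cupsd_t", "port_type", "tcp", "name_connect"),
    AllowRule("cupsd_t", "reserved_port_t", "tcp", "name_bind"),
    AllowRule("cupsd_t", "ipp_port_t", "tcp", "name_bind"),
    AllowRule("cupsd_t", "howl_port_t", "udp", "name_bind"),
    AllowRule("cupsd_t", "ipp_port_t", "udp", "name_bind"),
    AllowRule("named_t", "dns_port_t", "tcp", "name_bind"),
]


def fmt_range(low, high):
    """Render a single port as '53' and a range as '8610-8614'."""
    return str(low) if low == high else f"{low}-{high}"


def port_types_for(port, proto=None, defs=PORT_DEFS):
    """Every definition whose range covers `port` (like `sepolicy network --port`).
    A port can match several definitions, e.g. 8080 is inside the
    unreserved_port_t range and also has its own http_cache_port_t entry."""
    return [(d.proto, d.port_type, fmt_range(d.low, d.high))
            for d in defs
            if d.low <= port <= d.high and (proto is None or d.proto == proto)]


def ports_for_type(port_type, defs=PORT_DEFS):
    """Port numbers per protocol for one type (like `sepolicy network -t`),
    e.g. {'tcp': '631,8610-8614', 'udp': '631,8610-8614'}."""
    parts = {}
    for d in sorted(defs, key=lambda d: (d.proto, d.low)):
        if d.port_type == port_type:
            parts.setdefault(d.proto, []).append(fmt_range(d.low, d.high))
    return {proto: ",".join(ranges) for proto, ranges in parts.items()}


def domain_report(domain, rules=ALLOW_RULES, defs=PORT_DEFS):
    """Join allow rules with port definitions (like `sepolicy network -d`).
    Returns {(proto, perm): {port_type: ports}}."""
    report = {}
    for r in rules:
        if r.source != domain:
            continue
        bucket = report.setdefault((r.proto, r.perm), {})
        if r.target == "port_type":
            bucket["port_type"] = "all ports"
        else:
            bucket[r.target] = ports_for_type(r.target, defs).get(r.proto, "")
    return report


if __name__ == "__main__":
    for proto, ptype, rng in port_types_for(8080):
        print(f"8080: {proto} {ptype} {rng}")
    for proto, ports in ports_for_type("dns_port_t").items():
        print(f"dns_port_t: {proto}: {ports}")
    for (proto, perm), types in domain_report("cupsd_t").items():
        print(f"cupsd_t: {proto} {perm}")
        for ptype, ports in types.items():
            print(f"    {ptype}: {ports}")
```

The --port report is the interesting one for troubleshooting: when a port number matches more than one definition, the domain needs an allow rule for the type the kernel actually assigns to that port, so listing every match tells you which types could be involved before you go looking at `semanage port -l` or audit denials.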

