> man sepolicy-network
sepolicy-network(8)
NAME
sepolicy-network - Examine the SELinux Policy and generate a network report
SYNOPSIS
sepolicy network [-h] (-l | -p PORT [PORT ...] | -t TYPE [TYPE ...] | -d DOMAIN [DOMAIN ...])
DESCRIPTION
Use sepolicy network to examine SELinux Policy and generate network reports.
OPTIONS
-d, --domain
Generate a report listing the ports to which the specified domain is allowed to connect and/or bind.
-l, --list
List all Network Port Types defined in SELinux Policy.
-h, --help
Display help message
-t, --type
Generate a report listing the port numbers associated with the specified SELinux port type.
-p, --port
Generate a report listing the SELinux port types associated with the specified port number.
sepolicy network allows you to ask SELinux what port type is associated with a specific port number.
sepolicy network --port 8080
8080: tcp unreserved_port_t 1024-32767
8080: udp unreserved_port_t 1024-32767
8080: tcp http_cache_port_t 8080
Or what port number is associated with a port type.
sepolicy network -t dns_port_t
dns_port_t: tcp: 53
dns_port_t: udp: 53
Note that sepolicy also supports bash completion.
sepolicy network -t d<tab>
daap_port_t dccm_port_t dhcpc_port_t dict_port_t dns_port_t dogtag_port_t
dbskkd_port_t dcc_port_t dhcpd_port_t distccd_port_t dnssec_port_t
Finally, you can ask which ports a process domain type is allowed to connect to or bind:
# sepolicy network -d cupsd_t
cupsd_t: tcp name_connect
all ports
cupsd_t: tcp name_bind
reserved_port_t: 1-511
rpc_port_type: all ports > 500 and < 1024
ipp_port_t: 631,8610-8614
cupsd_t: udp name_bind
howl_port_t: 5353
ipp_port_t: 631,8610-8614
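
When auditing a domain, the grants worded as "all ports" in the -d report are the ones to look at first. The following is an added example, not part of sepolicy or of the original page: a small Python parser for that report which singles out those grants. The function names are hypothetical, and the header/entry layout is assumed from the cupsd_t output shown above.

```python
import re

# Output of `sepolicy network -d cupsd_t`, copied from the report shown above.
SAMPLE_REPORT = """\
cupsd_t: tcp name_connect
all ports
cupsd_t: tcp name_bind
reserved_port_t: 1-511
rpc_port_type: all ports > 500 and < 1024
ipp_port_t: 631,8610-8614
cupsd_t: udp name_bind
howl_port_t: 5353
ipp_port_t: 631,8610-8614
"""

# Section header: "<domain>: <proto> <permission>" (layout assumed from the sample).
HEADER = re.compile(r"^(\w+):\s+(tcp|udp)\s+(name_connect|name_bind)$")


def parse_domain_report(text):
    """Return one dict per grant: domain, proto, perm, port_type, ports."""
    grants, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            section = dict(zip(("domain", "proto", "perm"), m.groups()))
            continue
        if section is None:
            raise ValueError(f"entry before any section header: {line!r}")
        # Entries are "port_type: ports"; a bare "all ports" line has no type.
        port_type, sep, ports = line.partition(":")
        if not sep:
            port_type, ports = None, line
        grants.append({**section, "port_type": port_type, "ports": ports.strip()})
    return grants


def broad_grants(grants):
    """Grants worded as "all ports ...", the ones worth a manual review."""
    return [g for g in grants if g["ports"].startswith("all ports")]


if __name__ == "__main__":
    for g in broad_grants(parse_domain_report(SAMPLE_REPORT)):
        print(g["domain"], g["proto"], g["perm"], g["port_type"] or "(any type)", g["ports"])
```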