Dan Walsh's Blog

Got SELinux?

New Security Feature in Fedora 18 Part 8: Introducing sepolicy network
One problem users have with SELinux is understanding the network protections.  SELinux controls which ports a domain is able to connect to and which ports it is able to bind to.  Since SELinux is a type enforcement system, it controls port access via types.  Processes get assigned types and port numbers get assigned types.  Since users think in terms of port numbers, we built a tool to let users understand the relationships more easily.  I originally called this tool senetwork, but now we are shipping it as part of the sepolicy suite.

> man sepolicy-network
sepolicy-network(8)

       sepolicy-network - Examine the SELinux Policy and generate a network report

       sepolicy network [-h] (-l | -p PORT [PORT ...] | -t TYPE [TYPE ...] | -d DOMAIN [DOMAIN ...])

       Use sepolicy network to examine SELinux Policy and generate network reports.

       -d, --domain
              Generate a report listing the ports to which the specified domain is allowed to connect and or bind.

       -l, --list
              List all Network Port Types defined in SELinux Policy

       -h, --help
              Display help message

       -t, --type
              Generate a report listing the port numbers associate with the specified SELinux port type.

       -p, --port
              Generate a report listing the SELinux port types associate with the specified port number.

sepolicy network allows you to ask SELinux what port type is associated with a specific port number.

sepolicy network --port 8080
8080: tcp unreserved_port_t 1024-32767
8080: udp unreserved_port_t 1024-32767
8080: tcp http_cache_port_t 8080

Or what port number is associated with a port type.

sepolicy network -t dns_port_t
dns_port_t: tcp: 53
dns_port_t: udp: 53

Note that sepolicy also supports bash completion.

sepolicy network -t d<tab>
daap_port_t     dccm_port_t     dhcpc_port_t    dict_port_t     dns_port_t      dogtag_port_t  
dbskkd_port_t   dcc_port_t      dhcpd_port_t    distccd_port_t  dnssec_port_t  

Finally, you can ask which ports a process domain type is allowed to connect to or bind to:

# sepolicy network -d cupsd_t
cupsd_t: tcp name_connect
    all ports
cupsd_t: tcp name_bind
    reserved_port_t: 1-511
    rpc_port_type: all ports > 500 and  < 1024
    ipp_port_t: 631,8610-8614
cupsd_t: udp name_bind
    howl_port_t: 5353
    ipp_port_t: 631,8610-8614
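When auditing a domain's network exposure it is handy to turn the `sepolicy network -d` report above into something a script can query. The following is an added example, not part of sepolicy or this post: it parses the report format shown for cupsd_t (the sample text is copied from the output above, and the parser assumes that layout, including the `all ports > N and < M` spelling) and answers whether a given domain may connect to or bind a port.

```python
import re

# Constructed sample: the cupsd_t report format shown above.
SAMPLE_REPORT = """\
cupsd_t: tcp name_connect
    all ports
cupsd_t: tcp name_bind
    reserved_port_t: 1-511
    rpc_port_type: all ports > 500 and  < 1024
    ipp_port_t: 631,8610-8614
cupsd_t: udp name_bind
    howl_port_t: 5353
    ipp_port_t: 631,8610-8614
"""

HEADER = re.compile(r"^(\S+): (tcp|udp) (name_connect|name_bind)$")
RANGE = re.compile(r"^all ports > (\d+) and\s+< (\d+)$")  # exclusive bounds

def parse_report(text):
    """Map (domain, proto, permission) -> [(port_type, low, high), ...]."""
    rules, key = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:                      # unindented header starts a new section
            key = m.groups()
            rules.setdefault(key, [])
            continue
        if key is None or not line.strip():
            continue
        body = line.strip()
        if body == "all ports":    # no restriction by port type
            rules[key].append(("*", 1, 65535))
            continue
        ptype, spec = body.split(": ", 1)
        m = RANGE.match(spec)
        if m:                      # "> 500 and < 1024" means 501..1023
            rules[key].append((ptype, int(m.group(1)) + 1, int(m.group(2)) - 1))
            continue
        for piece in spec.split(","):   # "631,8610-8614" -> singles and ranges
            lo, _, hi = piece.partition("-")
            rules[key].append((ptype, int(lo), int(hi or lo)))
    return rules

def allowed(rules, domain, proto, perm, port):
    """Port types under which `domain` may perform `perm` on `proto`/`port`."""
    return [t for t, lo, hi in rules.get((domain, proto, perm), [])
            if lo <= port <= hi]
```

Note that a port can be covered by more than one entry (tcp 631 falls in both the rpc_port_type range and ipp_port_t), which is exactly the overlap the `--port` report makes visible.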
