* matchportcon?
From: Dave Quigley @ 2013-07-14 5:26 UTC
To: SELinux List
Do we have an equivalent of matchpathcon for ports, where we can specify
a protocol and port and see what the policy thinks it is labeled?
Dave
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: matchportcon?
From: Stephen Smalley @ 2013-07-15 13:03 UTC
To: Dave Quigley; +Cc: SELinux List
On 07/14/2013 01:26 AM, Dave Quigley wrote:
> Do we have an equivalent of matchpathcon for ports? Where we can specify
> a protocol and port and see what the policy thinks it labeled?
Closest approximation I can think of would be to use
checkpolicy -Mdb /path/to/policy
and then choose 9, input the protocol and port number, choose 1, and
input the SID that was displayed.
It would be very nice to have a more user-friendly (and scriptable)
interface to the checkpolicy -d (debug) functionality.
* Re: matchportcon?
From: David Quigley @ 2013-07-15 13:07 UTC
To: Stephen Smalley; +Cc: SELinux List
On 07/15/2013 09:03, Stephen Smalley wrote:
> On 07/14/2013 01:26 AM, Dave Quigley wrote:
>> Do we have an equivalent of matchpathcon for ports? Where we can
>> specify
>> a protocol and port and see what the policy thinks it labeled?
>
> Closest approximation I can think of would be to use
> checkpolicy -Mdb /path/to/policy
> and then choose 9, input the protocol and port number, choose 1, and
> input the SID that was displayed.
>
> It would be very nice to have a more user-friendly (and scriptable)
> interface to the checkpolicy -d (debug) functionality.
So over on fedora-selinux Dominic Grift suggested I use sepolicy
network to check it out. The only issue with its usage is that it
doesn't tell you what it actually is. Instead it gives you all rules
that will match, and you have to realize the most specific one wins. It
is, however, sufficient for my talk, so I'll probably use it.
Dave
* Re: matchportcon?
From: Daniel J Walsh @ 2013-07-15 15:23 UTC
To: David Quigley; +Cc: Stephen Smalley, SELinux List
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 07/15/2013 09:07 AM, David Quigley wrote:
> On 07/15/2013 09:03, Stephen Smalley wrote:
>> On 07/14/2013 01:26 AM, Dave Quigley wrote:
>>> Do we have an equivalent of matchpathcon for ports? Where we can
>>> specify a protocol and port and see what the policy thinks it labeled?
>>
>> Closest approximation I can think of would be to use checkpolicy -Mdb
>> /path/to/policy and then choose 9, input the protocol and port number,
>> choose 1, and input the SID that was displayed.
>>
>> It would be very nice to have a more user-friendly (and scriptable)
>> interface to the checkpolicy -d (debug) functionality.
>
>
> So over on fedora-selinux dominic grift suggested I use sepolicy network
> to check it out. The only issue with its usage is that it doesn't tell you
> what it actually is. Instead it gives you all rules that will match and you
> have to realize the most specific one wins. It is however sufficient for my
> talk so I'll probably use it.
>
> Dave
>
sepolicy network -p 80
80: tcp http_port_t 80
80: udp reserved_port_t 1-511
80: tcp reserved_port_t 1-511
sepolicy is reading the info from the running kernel.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlHkFAoACgkQrlYvE4MpobPyjACZATRsJA2eCVvP+Sxh2JLNFsMh
UDAAoJsKirzrltnsHyzcqOlD0Ff1ompX
=9wDr
-----END PGP SIGNATURE-----