* Showing port Labels
From: Dave Quigley @ 2014-07-14 6:49 UTC
To: selinux

I am working on some slides for my workshop at OSCON and I tried to find the context of a port a process is listening on. If I do netstat -lZ I see all the listening ports and a security context. However, it seems the security context is the context of the process that is listening on that port, not the context of the port itself. Is there a way to see the context of the port itself? I don't see any other option that might give that information. Is there a way to get that information from proc? Or are the only components that know the context of a port the kernel and the policy store?
* Re: Showing port Labels
From: Dominick Grift @ 2014-07-14 9:25 UTC
To: Dave Quigley; Cc: selinux

On Mon, 2014-07-14 at 02:49 -0400, Dave Quigley wrote:
> I am working on some slides for my workshop at OSCON and I tried to find
> the context of a port a process is listening on. If I do netstat -lZ I
> see all the listening ports and a security context. However, it seems
> the security context is the context of the process that is listening on
> that port, not the context of the port itself. Is there a way to see the
> context of the port itself? I don't see any other option that might give
> that information. Is there a way to get that information from proc? Or
> are the only components that know the context of a port the kernel and
> the policy store?

It is probably not the answer you were looking for, but I suppose I would use seinfo --portcon
* Re: Showing port Labels
From: Stephen Smalley @ 2014-07-14 12:58 UTC
To: Dominick Grift, Dave Quigley; Cc: selinux

On 07/14/2014 05:25 AM, Dominick Grift wrote:
> On Mon, 2014-07-14 at 02:49 -0400, Dave Quigley wrote:
>> I am working on some slides for my workshop at OSCON and I tried to find
>> the context of a port a process is listening on. If I do netstat -lZ I
>> see all the listening ports and a security context. However, it seems
>> the security context is the context of the process that is listening on
>> that port, not the context of the port itself. Is there a way to see the
>> context of the port itself? I don't see any other option that might give
>> that information. Is there a way to get that information from proc? Or
>> are the only components that know the context of a port the kernel and
>> the policy store?
>
> It is probably not the answer you were looking for, but I suppose I would
> use seinfo --portcon

sepolicy network -p <portnumber>
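An added example, not part of this thread or of the tools it names, that makes the distinction the thread turns on concrete: it parses constructed sample output of netstat -lZ (whose last column is the listening process's context) and of seinfo --portcon (the port's own label in policy) and shows both side by side for each listening socket. The exact column layout of both outputs, and the rule that the narrowest matching portcon statement wins over a range that also covers the port, are assumptions of this example.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample of `seinfo --portcon` output (format assumed, not captured from a host).
SEINFO_PORTCON = """\
portcon tcp 22 system_u:object_r:ssh_port_t:s0
portcon tcp 8080 system_u:object_r:http_cache_port_t:s0
portcon tcp 1024-65535 system_u:object_r:unreserved_port_t:s0
portcon udp 53 system_u:object_r:dns_port_t:s0
"""
# Constructed sample of `netstat -lnZ` output; the last column is the listening process's context.
NETSTAT_LZ = """\
Proto Recv-Q Send-Q Local Address   Foreign Address  State   Security Context
tcp        0      0 0.0.0.0:22      0.0.0.0:*        LISTEN  system_u:system_r:sshd_t:s0
tcp        0      0 0.0.0.0:8080    0.0.0.0:*        LISTEN  system_u:system_r:httpd_t:s0
tcp        0      0 127.0.0.1:9000  0.0.0.0:*        LISTEN  unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
udp        0      0 0.0.0.0:53      0.0.0.0:*                system_u:system_r:named_t:s0
"""
PORTCON_RE = re.compile(r"^portcon\s+(tcp|udp|dccp|sctp)\s+(\d+)(?:-(\d+))?\s+(\S+)$")
Portcon = NamedTuple("Portcon", [("proto", str), ("low", int), ("high", int), ("context", str)])

def parse_portcon(text: str) -> List[Portcon]:
    """Parse portcon statements; a bare port number is the one-element range low..low."""
    rules = []
    for line in text.splitlines():
        m = PORTCON_RE.match(line.strip())
        if m:
            low = int(m.group(2))
            rules.append(Portcon(m.group(1), low, int(m.group(3) or low), m.group(4)))
    return rules

def port_context(rules: List[Portcon], proto: str, port: int) -> Optional[str]:
    """Label the policy gives a port; assumes the narrowest matching statement wins,
    so an exact portcon beats a range such as 1024-65535 that also covers the port."""
    hits = [r for r in rules if r.proto == proto and r.low <= port <= r.high]
    return min(hits, key=lambda r: r.high - r.low).context if hits else None

def parse_netstat(text: str) -> List[Tuple[str, int, str]]:
    """Return (proto, port, process context) per socket row. UDP rows have no State
    column, so the context is read from the last field rather than a fixed index."""
    sockets = []
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) >= 5:
            proto = fields[0].rstrip("6")  # tcp6/udp6 share the tcp/udp portcon table
            sockets.append((proto, int(fields[3].rsplit(":", 1)[1]), fields[-1]))
    return sockets

def join_contexts(netstat_text: str, seinfo_text: str) -> Dict[Tuple[str, int], Tuple[str, Optional[str]]]:
    """Map (proto, port) -> (context of the listening process, label of the port in policy)."""
    rules = parse_portcon(seinfo_text)
    return {(p, n): (ctx, port_context(rules, p, n)) for p, n, ctx in parse_netstat(netstat_text)}
```

For tcp/9000 the two columns differ in kind as well as value: the process is unconfined_t while the port falls only into the unreserved_port_t range, which is exactly the information netstat -lZ alone does not show.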
* Re: Showing port Labels
From: Dominick Grift @ 2014-07-14 13:25 UTC
To: Stephen Smalley; Cc: selinux

On Mon, 2014-07-14 at 08:58 -0400, Stephen Smalley wrote:
< snip >
>> It is probably not the answer you were looking for, but I suppose I would
>> use seinfo --portcon
>
> sepolicy network -p <portnumber>

Yes, but I prefer minimal/small (and preferably no interpreters):

# file /usr/bin/seinfo
/usr/bin/seinfo: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=04ae4e364753b502f227216e548e1ccbf0f33e14, stripped

# file /usr/bin/sepolicy
/usr/bin/sepolicy: Python script, ASCII text executable, with very long lines
* Re: Showing port Labels
From: Christopher J. PeBenito @ 2014-07-14 14:50 UTC
To: Dominick Grift, Stephen Smalley; Cc: selinux

On 7/14/2014 9:25 AM, Dominick Grift wrote:
> On Mon, 2014-07-14 at 08:58 -0400, Stephen Smalley wrote:
> < snip >
>>> It is probably not the answer you were looking for, but I suppose I would
>>> use seinfo --portcon
>>
>> sepolicy network -p <portnumber>
>
> Yes, but I prefer minimal/small (and preferably no interpreters):
>
> # file /usr/bin/seinfo
> /usr/bin/seinfo: ELF 64-bit LSB executable, x86-64, version 1 (SYSV),
> dynamically linked (uses shared libs), for GNU/Linux 2.6.32,
> BuildID[sha1]=04ae4e364753b502f227216e548e1ccbf0f33e14, stripped
>
> # file /usr/bin/sepolicy
> /usr/bin/sepolicy: Python script, ASCII text executable, with very long
> lines

sepolicy is using libapol from setools, so it's not really different than seinfo, other than using a Python frontend. Since SETools 4 is Python, you'll eventually be running low on choices if you're trying to stick to only C tools :)

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
* Re: Showing port Labels
From: Dominick Grift @ 2014-07-14 15:10 UTC
To: Christopher J. PeBenito; Cc: Stephen Smalley, selinux

On Mon, 2014-07-14 at 10:50 -0400, Christopher J. PeBenito wrote:
< snip >
>> Yes, but I prefer minimal/small (and preferably no interpreters):
>>
>> # file /usr/bin/seinfo
>> /usr/bin/seinfo: ELF 64-bit LSB executable, x86-64, version 1 (SYSV),
>> dynamically linked (uses shared libs), for GNU/Linux 2.6.32,
>> BuildID[sha1]=04ae4e364753b502f227216e548e1ccbf0f33e14, stripped
>>
>> # file /usr/bin/sepolicy
>> /usr/bin/sepolicy: Python script, ASCII text executable, with very long
>> lines
>
> sepolicy is using libapol from setools, so it's not really different than
> seinfo, other than using a Python frontend. Since SETools 4 is Python,
> you'll eventually be running low on choices if you're trying to stick to
> only C tools :)

Ah, my bait works :D

Yes, I know, and I am not really happy with those developments, but then again it is just a preference. In case I really need minimal I can hopefully stick to setools3. It has all the functionality I require.
* Re: Showing port Labels
From: Dave Quigley @ 2014-07-14 16:50 UTC
To: Stephen Smalley, Dominick Grift; Cc: selinux

On 7/14/2014 8:58 AM, Stephen Smalley wrote:
> On 07/14/2014 05:25 AM, Dominick Grift wrote:
>> On Mon, 2014-07-14 at 02:49 -0400, Dave Quigley wrote:
>>> I am working on some slides for my workshop at OSCON and I tried to find
>>> the context of a port a process is listening on. If I do netstat -lZ I
>>> see all the listening ports and a security context. However, it seems
>>> the security context is the context of the process that is listening on
>>> that port, not the context of the port itself. Is there a way to see the
>>> context of the port itself? I don't see any other option that might give
>>> that information. Is there a way to get that information from proc? Or
>>> are the only components that know the context of a port the kernel and
>>> the policy store?
>>
>> It is probably not the answer you were looking for, but I suppose I would
>> use seinfo --portcon
>
> sepolicy network -p <portnumber>

I was hoping there was a way to get it without probing the policy store. I have this and the seinfo tools already listed.

Dave
* Re: Showing port Labels
From: Stephen Smalley @ 2014-07-14 16:51 UTC
To: Dave Quigley, Dominick Grift; Cc: selinux

On 07/14/2014 12:50 PM, Dave Quigley wrote:
> On 7/14/2014 8:58 AM, Stephen Smalley wrote:
>> On 07/14/2014 05:25 AM, Dominick Grift wrote:
>>> On Mon, 2014-07-14 at 02:49 -0400, Dave Quigley wrote:
>>>> I am working on some slides for my workshop at OSCON and I tried to find
>>>> the context of a port a process is listening on. If I do netstat -lZ I
>>>> see all the listening ports and a security context. However, it seems
>>>> the security context is the context of the process that is listening on
>>>> that port, not the context of the port itself. Is there a way to see the
>>>> context of the port itself? I don't see any other option that might give
>>>> that information. Is there a way to get that information from proc? Or
>>>> are the only components that know the context of a port the kernel and
>>>> the policy store?
>>>
>>> It is probably not the answer you were looking for, but I suppose I would
>>> use seinfo --portcon
>>
>> sepolicy network -p <portnumber>
>
> I was hoping there was a way to get it without probing the policy store.
> I have this and the seinfo tools already listed.

I could be wrong, but I thought sepolicy (and maybe even seinfo these days) are directly reading policy from the kernel via /sys/fs/selinux/policy and not via the policy store.
* Re: Showing port Labels
From: Dave Quigley @ 2014-07-14 16:52 UTC
To: Stephen Smalley, Dominick Grift; Cc: selinux

On 7/14/2014 8:58 AM, Stephen Smalley wrote:
> On 07/14/2014 05:25 AM, Dominick Grift wrote:
>> On Mon, 2014-07-14 at 02:49 -0400, Dave Quigley wrote:
>>> I am working on some slides for my workshop at OSCON and I tried to find
>>> the context of a port a process is listening on. If I do netstat -lZ I
>>> see all the listening ports and a security context. However, it seems
>>> the security context is the context of the process that is listening on
>>> that port, not the context of the port itself. Is there a way to see the
>>> context of the port itself? I don't see any other option that might give
>>> that information. Is there a way to get that information from proc? Or
>>> are the only components that know the context of a port the kernel and
>>> the policy store?
>>
>> It is probably not the answer you were looking for, but I suppose I would
>> use seinfo --portcon
>
> sepolicy network -p <portnumber>

Also, is there an ideological reason why we don't support portcon or semanage port statements to override a port definition in the base module?

Dave