* Showing port Labels
@ 2014-07-14  6:49 Dave Quigley
  2014-07-14  9:25 ` Dominick Grift
  0 siblings, 1 reply; 9+ messages in thread
From: Dave Quigley @ 2014-07-14  6:49 UTC (permalink / raw)
  To: selinux

I am working on some slides for my workshop at oscon and I tried to find 
the context of a port a process is listening on. If I do netstat -lZ I 
see all the listening ports and a security context. However, it seems 
the security context is the context of the process that is listening on 
that port not the context of the port itself. Is there a way to see the 
context of the port itself? I don't see any other option that might give 
that information. Is there a way to get that information from proc? Or 
are the only components that know the context of a port the kernel and 
the policy store?

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: Showing port Labels
  2014-07-14  6:49 Showing port Labels Dave Quigley
@ 2014-07-14  9:25 ` Dominick Grift
  2014-07-14 12:58   ` Stephen Smalley
  0 siblings, 1 reply; 9+ messages in thread
From: Dominick Grift @ 2014-07-14  9:25 UTC (permalink / raw)
  To: Dave Quigley; +Cc: selinux

On Mon, 2014-07-14 at 02:49 -0400, Dave Quigley wrote:
> I am working on some slides for my workshop at oscon and I tried to find 
> the context of a port a process is listening on. If I do netstat -lZ I 
> see all the listening ports and a security context. However, it seems 
> the security context is the context of the process that is listening on 
> that port not the context of the port itself. Is there a way to see the 
> context of the port itself? I don't see any other option that might give 
> that information. Is there a way to get that information from proc? Or 
> are the only components that know the context of a port the kernel and 
> the policy store?

It is probably not the answer you were looking for, but I suppose I would
use seinfo --portcon


* Re: Showing port Labels
  2014-07-14  9:25 ` Dominick Grift
@ 2014-07-14 12:58   ` Stephen Smalley
  2014-07-14 13:25     ` Dominick Grift
                       ` (2 more replies)
  0 siblings, 3 replies; 9+ messages in thread
From: Stephen Smalley @ 2014-07-14 12:58 UTC (permalink / raw)
  To: Dominick Grift, Dave Quigley; +Cc: selinux

On 07/14/2014 05:25 AM, Dominick Grift wrote:
> On Mon, 2014-07-14 at 02:49 -0400, Dave Quigley wrote:
>> I am working on some slides for my workshop at oscon and I tried to find 
>> the context of a port a process is listening on. If I do netstat -lZ I 
>> see all the listening ports and a security context. However, it seems 
>> the security context is the context of the process that is listening on 
>> that port not the context of the port itself. Is there a way to see the 
>> context of the port itself? I don't see any other option that might give 
>> that information. Is there a way to get that information from proc? Or 
>> are the only components that know the context of a port the kernel and 
>> the policy store?
> 
> It is probably not the answer you were looking for, but I suppose I would
> use seinfo --portcon

sepolicy network -p <portnumber>


* Re: Showing port Labels
  2014-07-14 12:58   ` Stephen Smalley
@ 2014-07-14 13:25     ` Dominick Grift
  2014-07-14 14:50       ` Christopher J. PeBenito
  2014-07-14 16:50     ` Dave Quigley
  2014-07-14 16:52     ` Dave Quigley
  2 siblings, 1 reply; 9+ messages in thread
From: Dominick Grift @ 2014-07-14 13:25 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: selinux

On Mon, 2014-07-14 at 08:58 -0400, Stephen Smalley wrote:
< snip >

> > It is probably not the answer you were looking for, but I suppose I would
> > use seinfo --portcon
> 
> sepolicy network -p <portnumber>
> 
> 

Yes, but I prefer minimal/small (and preferably no interpreters):

# file /usr/bin/seinfo
/usr/bin/seinfo: ELF 64-bit LSB executable, x86-64, version 1 (SYSV),
dynamically linked (uses shared libs), for GNU/Linux 2.6.32,
BuildID[sha1]=04ae4e364753b502f227216e548e1ccbf0f33e14, stripped

# file /usr/bin/sepolicy
/usr/bin/sepolicy: Python script, ASCII text executable, with very long
lines


* Re: Showing port Labels
  2014-07-14 13:25     ` Dominick Grift
@ 2014-07-14 14:50       ` Christopher J. PeBenito
  2014-07-14 15:10         ` Dominick Grift
  0 siblings, 1 reply; 9+ messages in thread
From: Christopher J. PeBenito @ 2014-07-14 14:50 UTC (permalink / raw)
  To: Dominick Grift, Stephen Smalley; +Cc: selinux

On 7/14/2014 9:25 AM, Dominick Grift wrote:
> On Mon, 2014-07-14 at 08:58 -0400, Stephen Smalley wrote:
> < snip >
> 
>>> It is probably not the answer you were looking for, but I suppose I would
>>> use seinfo --portcon
>>
>> sepolicy network -p <portnumber>
>>
>>
> 
> Yes, but I prefer minimal/small (and preferably no interpreters):
> 
> # file /usr/bin/seinfo
> /usr/bin/seinfo: ELF 64-bit LSB executable, x86-64, version 1 (SYSV),
> dynamically linked (uses shared libs), for GNU/Linux 2.6.32,
> BuildID[sha1]=04ae4e364753b502f227216e548e1ccbf0f33e14, stripped
> 
> # file /usr/bin/sepolicy
> /usr/bin/sepolicy: Python script, ASCII text executable, with very long
> lines

sepolicy is using libapol from setools, so it's not really different from
seinfo, other than using a Python frontend.  Since SETools 4 is Python,
you'll eventually be running low on choices if you're trying to stick to
only C tools :)

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* Re: Showing port Labels
  2014-07-14 14:50       ` Christopher J. PeBenito
@ 2014-07-14 15:10         ` Dominick Grift
  0 siblings, 0 replies; 9+ messages in thread
From: Dominick Grift @ 2014-07-14 15:10 UTC (permalink / raw)
  To: Christopher J. PeBenito; +Cc: Stephen Smalley, selinux

On Mon, 2014-07-14 at 10:50 -0400, Christopher J. PeBenito wrote:
< snip >
> > 
> > Yes, but I prefer minimal/small (and preferably no interpreters):
> > 
> > # file /usr/bin/seinfo
> > /usr/bin/seinfo: ELF 64-bit LSB executable, x86-64, version 1 (SYSV),
> > dynamically linked (uses shared libs), for GNU/Linux 2.6.32,
> > BuildID[sha1]=04ae4e364753b502f227216e548e1ccbf0f33e14, stripped
> > 
> > # file /usr/bin/sepolicy
> > /usr/bin/sepolicy: Python script, ASCII text executable, with very long
> > lines
> 
> sepolicy is using libapol from setools, so it's not really different from
> seinfo, other than using a Python frontend.  Since SETools 4 is Python,
> you'll eventually be running low on choices if you're trying to stick to
> only C tools :)
> 

Ah, my bait works :D

Yes, I know, and I am not really happy with those developments, but then
again it is just a preference.

In case I really need minimal, I can hopefully stick to setools3. It has
all the functionality I require.


* Re: Showing port Labels
  2014-07-14 12:58   ` Stephen Smalley
  2014-07-14 13:25     ` Dominick Grift
@ 2014-07-14 16:50     ` Dave Quigley
  2014-07-14 16:51       ` Stephen Smalley
  2014-07-14 16:52     ` Dave Quigley
  2 siblings, 1 reply; 9+ messages in thread
From: Dave Quigley @ 2014-07-14 16:50 UTC (permalink / raw)
  To: Stephen Smalley, Dominick Grift; +Cc: selinux

On 7/14/2014 8:58 AM, Stephen Smalley wrote:
> On 07/14/2014 05:25 AM, Dominick Grift wrote:
>> On Mon, 2014-07-14 at 02:49 -0400, Dave Quigley wrote:
>>> I am working on some slides for my workshop at oscon and I tried to find
>>> the context of a port a process is listening on. If I do netstat -lZ I
>>> see all the listening ports and a security context. However, it seems
>>> the security context is the context of the process that is listening on
>>> that port not the context of the port itself. Is there a way to see the
>>> context of the port itself? I don't see any other option that might give
>>> that information. Is there a way to get that information from proc? Or
>>> are the only components that know the context of a port the kernel and
>>> the policy store?
>>
>> It is probably not the answer you were looking for, but I suppose I would
>> use seinfo --portcon
>
> sepolicy network -p <portnumber>
>
>

I was hoping there was a way to get it without probing the policy store. 
I have this and the seinfo tools already listed.

Dave


* Re: Showing port Labels
  2014-07-14 16:50     ` Dave Quigley
@ 2014-07-14 16:51       ` Stephen Smalley
  0 siblings, 0 replies; 9+ messages in thread
From: Stephen Smalley @ 2014-07-14 16:51 UTC (permalink / raw)
  To: Dave Quigley, Dominick Grift; +Cc: selinux

On 07/14/2014 12:50 PM, Dave Quigley wrote:
> On 7/14/2014 8:58 AM, Stephen Smalley wrote:
>> On 07/14/2014 05:25 AM, Dominick Grift wrote:
>>> On Mon, 2014-07-14 at 02:49 -0400, Dave Quigley wrote:
>>>> I am working on some slides for my workshop at oscon and I tried to
>>>> find
>>>> the context of a port a process is listening on. If I do netstat -lZ I
>>>> see all the listening ports and a security context. However, it seems
>>>> the security context is the context of the process that is listening on
>>>> that port not the context of the port itself. Is there a way to see the
>>>> context of the port itself? I don't see any other option that might
>>>> give
>>>> that information. Is there a way to get that information from proc? Or
>>>> are the only components that know the context of a port the kernel and
>>>> the policy store?
>>>
>>> It is probably not the answer you were looking for, but I suppose I would
>>> use seinfo --portcon
>>
>> sepolicy network -p <portnumber>
>>
>>
> 
> I was hoping there was a way to get it without probing the policy store.
> I have this and the seinfo tools already listed.

I could be wrong, but I thought sepolicy (and maybe even seinfo these
days) are directly reading policy from the kernel via
/sys/fs/selinux/policy and not via the policy store.

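To make the distinction in this thread concrete (the context netstat -lZ shows is the listening process's, while the port's own label comes from the policy's portcon statements), here is an added example that is not code from the thread, from SETools or from sepolicy. It parses lines in the format that seinfo --portcon prints and applies the kernel's first-match lookup over them (security_port_sid walks the port ocontext list in policy order and falls back to the "port" initial SID, port_t, when nothing matches). The portcon lines, their ordering and the listener table are constructed sample data, not output from any real system.

```python
"""Resolve the SELinux label of a network port from portcon statements.

Added example, not code from the thread or from SETools. It parses the
"portcon" lines seinfo --portcon prints and applies the kernel's
first-match lookup, so the reader can see why the context shown by
netstat -lZ (the listening process) differs from the port's own context.
"""
import re
from dataclasses import dataclass

# Constructed sample in the format of seinfo --portcon output. Real
# entries come from the loaded policy; the ordering here is an assumption.
SAMPLE_PORTCON = """\
portcon tcp 22 system_u:object_r:ssh_port_t:s0
portcon tcp 80 system_u:object_r:http_port_t:s0
portcon tcp 443 system_u:object_r:http_port_t:s0
portcon udp 53 system_u:object_r:dns_port_t:s0
portcon tcp 53 system_u:object_r:dns_port_t:s0
portcon tcp 8080 system_u:object_r:http_cache_port_t:s0
portcon tcp 1024-65535 system_u:object_r:unreserved_port_t:s0
portcon udp 1024-65535 system_u:object_r:unreserved_port_t:s0
"""

# Label the kernel falls back to when no portcon entry matches
# (the "port" initial SID).
DEFAULT_PORT_CONTEXT = "system_u:object_r:port_t:s0"

_LINE = re.compile(r"^portcon\s+(tcp|udp|dccp|sctp)\s+(\d+)(?:-(\d+))?\s+(\S+)\s*$")


@dataclass(frozen=True)
class Portcon:
    protocol: str
    low: int
    high: int
    context: str

    def matches(self, protocol, port):
        return self.protocol == protocol and self.low <= port <= self.high


def parse_portcon(text):
    """Parse portcon statements, preserving policy order (it matters for lookup)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a portcon statement: {raw!r}")
        proto, low, high, ctx = m.groups()
        low = int(low)
        high = int(high) if high is not None else low
        if not (0 < low <= high <= 65535):
            raise ValueError(f"line {lineno}: bad port range {low}-{high}")
        entries.append(Portcon(proto, low, high, ctx))
    return entries


def port_context(entries, protocol, port):
    """First-match lookup over the entries, as the kernel's port SID lookup does."""
    for e in entries:
        if e.matches(protocol, port):
            return e.context
    return DEFAULT_PORT_CONTEXT


def port_type(entries, protocol, port):
    """Just the type field of the port's context, e.g. ssh_port_t."""
    return port_context(entries, protocol, port).split(":")[2]


if __name__ == "__main__":
    entries = parse_portcon(SAMPLE_PORTCON)
    # Constructed listener table in the shape of netstat -lZ output: the
    # process context sits beside the port, but it is not the port's label.
    listeners = [
        ("tcp", 22, "system_u:system_r:sshd_t:s0"),
        ("tcp", 8080, "system_u:system_r:httpd_t:s0"),
        ("tcp", 50000, "unconfined_u:unconfined_r:unconfined_t:s0"),
    ]
    for proto, port, proc_ctx in listeners:
        print(f"{proto}/{port:<6} process={proc_ctx:<45} "
              f"port={port_context(entries, proto, port)}")
```

On a real system the input would be the lines from seinfo --portcon (or the entries sepolicy network -p reports); the point of the lookup is that a port in an explicit range such as 1024-65535 resolves to that range's type only if no earlier, more specific entry matches it, which is why entry order in the policy decides the answer.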

* Re: Showing port Labels
  2014-07-14 12:58   ` Stephen Smalley
  2014-07-14 13:25     ` Dominick Grift
  2014-07-14 16:50     ` Dave Quigley
@ 2014-07-14 16:52     ` Dave Quigley
  2 siblings, 0 replies; 9+ messages in thread
From: Dave Quigley @ 2014-07-14 16:52 UTC (permalink / raw)
  To: Stephen Smalley, Dominick Grift; +Cc: selinux

On 7/14/2014 8:58 AM, Stephen Smalley wrote:
> On 07/14/2014 05:25 AM, Dominick Grift wrote:
>> On Mon, 2014-07-14 at 02:49 -0400, Dave Quigley wrote:
>>> I am working on some slides for my workshop at oscon and I tried to find
>>> the context of a port a process is listening on. If I do netstat -lZ I
>>> see all the listening ports and a security context. However, it seems
>>> the security context is the context of the process that is listening on
>>> that port not the context of the port itself. Is there a way to see the
>>> context of the port itself? I don't see any other option that might give
>>> that information. Is there a way to get that information from proc? Or
>>> are the only components that know the context of a port the kernel and
>>> the policy store?
>>
>> It is probably not the answer you were looking for, but I suppose I would
>> use seinfo --portcon
>
> sepolicy network -p <portnumber>
>
>

Also, is there an ideological reason why we don't support portcon or
semanage port statements to override a port definition in the base module?

Dave
