avc_netlink_check_nb - Linux
Overview
avc_netlink_check_nb is a command-line tool used in SELinux (Security-Enhanced Linux) to check whether a specified network connection would be allowed under the currently loaded SELinux security policy.
Syntax
avc_netlink_check_nb [options] <src ip> <src port> <dst ip> <dst port> <proto>
Options/Flags
- -P policysrc: Specifies the source policy module to use.
- -p policytarget: Specifies the target policy module to use.
- -c class: Specifies the SELinux class of the target.
- -a perm: Specifies the SELinux permission to check.
- -t type: Specifies the SELinux type of the target.
Examples
Simple Check:
avc_netlink_check_nb 192.168.1.10 80 192.168.1.20 443 tcp
This command checks if an outgoing TCP connection from 192.168.1.10:80 to 192.168.1.20:443 is allowed.
Conditional Check:
avc_netlink_check_nb -c system -a connect -t httpd_t 192.168.1.10 80
This command checks if the httpd_t type has the connect permission to IP 192.168.1.10 on port 80.
Common Issues
- Permission Denied Errors: Ensure the target type has the required permission for the specified class.
- Invalid Input Format: Verify that the IP addresses, ports, and protocol are entered correctly.
Integration
Combining with ‘netstat’:
netstat -antp | awk '$4 ~ /^192\.168\.1\.10:/ {sub(/.*:/, "", $4); print $4}' | sort -un | xargs -I % avc_netlink_check_nb 192.168.1.10 % 192.168.1.20 443 tcp
This pipeline lists, with numeric output (-n) restricted to TCP sockets (-t), every local port bound to 192.168.1.10, and for each of those ports checks whether a connection from 192.168.1.10 on that port to 192.168.1.20:443 is allowed. The awk pattern is anchored to the start of the local-address column, so it keeps only the port part of each entry and does not also match nearby addresses such as 192.168.1.100.
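The same integration, written as a small POSIX shell script rather than a one-liner. This is an added example, not code from the original page: the netstat output is a constructed sample, the parsing is factored into a function that reads netstat output on stdin so it can be exercised without the checker installed, and the checker command is taken from the CHECK_CMD variable (an assumption of this example), defaulting to avc_netlink_check_nb.

```shell
#!/bin/sh
# Added example (not from the original page): extract the local ports of TCP
# sockets bound to a given local address from `netstat -anp` output and hand
# each port to a policy checker. CHECK_CMD (an assumption of this example)
# names the checker; it defaults to avc_netlink_check_nb.

# Constructed sample of `netstat -anp` output (not captured from a real host).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.10:22         0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 192.168.1.10:44120      192.168.1.20:443        ESTABLISHED 1401/curl
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      655/mysqld
udp        0      0 192.168.1.10:68         0.0.0.0:*                           400/dhclient
tcp        0      0 192.168.1.100:8080      0.0.0.0:*               LISTEN      900/java'

# local_tcp_ports ADDR
# Reads netstat output on stdin and prints one local port per line for TCP
# sockets whose local address is exactly ADDR. The match is made on the whole
# "ADDR:" prefix of the local-address column, so 192.168.1.10 does not also
# pick up 192.168.1.100, and UDP rows are skipped via the protocol column.
local_tcp_ports() {
    awk -v addr="$1" '
        $1 ~ /^tcp/ && index($4, addr ":") == 1 {
            sub(/.*:/, "", $4)   # keep only the port after the last colon
            print $4
        }' | sort -un
}

# check_ports SRC_IP DST_IP DST_PORT PROTO
# Reads netstat output on stdin and runs the checker once per local port
# found for SRC_IP, as: CHECKER SRC_IP PORT DST_IP DST_PORT PROTO.
check_ports() {
    src="$1"; dst="$2"; dport="$3"; proto="$4"
    for port in $(local_tcp_ports "$src"); do
        "${CHECK_CMD:-avc_netlink_check_nb}" "$src" "$port" "$dst" "$dport" "$proto"
    done
}

# sample_ports ADDR: run the parser over the constructed sample and join the
# resulting ports with commas (used for self-checking the parser offline).
sample_ports() {
    printf '%s\n' "$SAMPLE_NETSTAT" | local_tcp_ports "$1" | paste -sd, -
}

# Real usage on a host (not run here):
#   netstat -antp | check_ports 192.168.1.10 192.168.1.20 443 tcp
# Dry run that only prints the checker invocations:
#   CHECK_CMD=echo; printf '%s\n' "$SAMPLE_NETSTAT" | check_ports 192.168.1.10 192.168.1.20 443 tcp
```

Setting CHECK_CMD=echo is a convenient way to review exactly which source ports will be submitted before running the real check, and running the parser over a saved netstat capture lets you confirm the address filter behaves as intended on hosts with several adjacent addresses.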
Related Commands
- avc_check_nb: Checks permissions using Netlink without connecting.
- avc_check: Checks permissions using policy modules.
- chcon: Changes the SELinux context of a file or directory.