avc_netlink_check_nb - Linux


avc_netlink_check_nb is a command-line tool used in SELinux (Security-Enhanced Linux) to verify if a specified network connection is allowed under the current SELinux security policy.


avc_netlink_check_nb [options] <src ip> <src port> <dst ip> <dst port> <proto>


  • -P policysrc: Specifies the source policy module to use.
  • -p policytarget: Specifies the target policy module to use.
  • -c class: Specifies the SELinux class of the target.
  • -a perm: Specifies the SELinux permission to check.
  • -t type: Specifies the SELinux type of the target.


Simple Check:

avc_netlink_check_nb 80 443 tcp

This command checks if an outgoing TCP connection from to is allowed.

Conditional Check:

avc_netlink_check_nb -c system -a connect -t httpd_t 80

This command checks if the httpd_t type has the connect permission to IP on port 80.

Common Issues

  • Permission Denied Errors: Ensure the target type has the required permission for the specified class.
  • Invalid Input Format: Verify that the IP addresses, ports, and protocol are entered correctly.


Combining with ‘netstat’:

netstat -ap | grep | awk '{print $4}' | sed 's/:.*//' | xargs -I % avc_netlink_check_nb % 443 tcp

This command checks the SELinux policy for all outgoing TCP connections from to
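As an added example that is not part of this page or of the SELinux tools it describes, the script below validates the ip, port and protocol arguments before building an avc_netlink_check_nb command line, then applies that validation to every local address taken from netstat-style output, the way the pipeline above does. Malformed input is reported and skipped instead of reaching the tool as an "Invalid Input Format" error. The script assumes the three-argument form used in the examples on this page (ip, port, proto with tcp or udp); the netstat listing embedded in it is constructed, not captured from a real host, and the generated commands are printed rather than executed so the script runs even where the tool is not installed.

```shell
#!/bin/sh
# Added example (not from the original page): validate arguments for
# avc_netlink_check_nb and derive them from netstat-style output.

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0..255
is_ipv4() {
  # reject empty input, non-digit/dot characters, and leading, trailing or doubled dots
  case "$1" in
    ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  # split on dots; a fifth field means too many octets
  IFS=. read -r a b c d extra <<EOF
$1
EOF
  [ -n "$a" ] && [ -n "$b" ] && [ -n "$c" ] && [ -n "$d" ] && [ -z "$extra" ] || return 1
  for o in "$a" "$b" "$c" "$d"; do
    [ "$o" -le 255 ] 2>/dev/null || return 1   # also fails on absurdly long digit strings
  done
}

# is_port N: succeed only for an integer in 0..65535
is_port() {
  case "$1" in
    ""|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -le 65535 ] 2>/dev/null
}

# is_proto P: the protocols the examples on this page pass as the last argument
is_proto() {
  case "$1" in
    tcp|udp) return 0 ;;
    *) return 1 ;;
  esac
}

# build_check IP PORT PROTO: print the validated command line, or report the
# first bad argument on stderr and return 1 without printing anything
build_check() {
  ip=$1; port=$2; proto=$3
  is_ipv4 "$ip"     || { echo "bad ip: $ip" >&2; return 1; }
  is_port "$port"   || { echo "bad port: $port" >&2; return 1; }
  is_proto "$proto" || { echo "bad proto: $proto" >&2; return 1; }
  printf 'avc_netlink_check_nb %s %s %s\n' "$ip" "$port" "$proto"
}

# local_ips: from netstat-style lines on stdin, take the local address
# (column 4) without its port, skipping the header line and duplicates
local_ips() {
  awk 'NR > 1 { split($4, a, ":"); if (a[1] != "" && !seen[a[1]]++) print a[1] }'
}

# check_all: one 443/tcp check per distinct, valid local address on stdin;
# invalid addresses are reported by build_check and skipped
check_all() {
  local_ips | while read -r ip; do
    build_check "$ip" 443 tcp || continue
  done
}

# Constructed sample in the shape of `netstat -an` output (not from a real host).
# It repeats one address, and the last line carries a deliberately invalid one.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:53412        198.51.100.7:443        ESTABLISHED
tcp        0      0 192.0.2.10:53414        198.51.100.7:443        ESTABLISHED
tcp        0      0 10.0.0.5:41000          203.0.113.9:443         ESTABLISHED
tcp        0      0 not-an-ip:80            0.0.0.0:*               LISTEN'

# Demonstration: prints two command lines on stdout and one "bad ip" on stderr
printf '%s\n' "$SAMPLE_NETSTAT" | check_all
```

On a host where the tool is installed, `netstat -an | check_all | sh` would run the generated checks; keeping validation in front of the tool means a stray header line or an IPv6 socket never produces a confusing failure from the checker itself.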

Related Commands

  • avc_check_nb: Checks permissions using Netlink without connecting.
  • avc_check: Checks permissions using policy modules.
  • chcon: Changes the SELinux context of a file or directory.