avc_netlink_check_nb - Linux


Overview

avc_netlink_check_nb is a command-line tool used with SELinux (Security-Enhanced Linux) to verify whether a specified network connection is allowed under the currently loaded SELinux security policy.

Syntax

avc_netlink_check_nb [options] <src ip> <src port> <dst ip> <dst port> <proto>

Options/Flags

  • -P policysrc: Specifies the source policy module to use.
  • -p policytarget: Specifies the target policy module to use.
  • -c class: Specifies the SELinux class of the target.
  • -a perm: Specifies the SELinux permission to check.
  • -t type: Specifies the SELinux type of the target.

Examples

Simple Check:

avc_netlink_check_nb 192.168.1.10 80 192.168.1.20 443 tcp

This command checks whether an outgoing TCP connection from 192.168.1.10:80 to 192.168.1.20:443 is allowed.

Conditional Check:

avc_netlink_check_nb -c system -a connect -t httpd_t 192.168.1.10 80

This command checks whether the httpd_t type has the connect permission to IP 192.168.1.10 on port 80.

Common Issues

  • Permission Denied Errors: Ensure the target type has the required permission for the specified class.
  • Invalid Input Format: Verify that the IP addresses, ports, and protocol are entered correctly.
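The following wrapper is an added example, not part of the original page or of any SELinux project code. It validates the five positional arguments of the documented syntax (source IP, source port, destination IP, destination port, protocol) before invoking avc_netlink_check_nb, so that the "Invalid Input Format" case above is caught with a clear message instead of a failed invocation. It assumes IPv4 dotted-quad addresses and accepts tcp or udp as the protocol; the tool is only executed if it is found on the PATH, otherwise the command line that would have run is printed.

```shell
#!/bin/sh
# Added example (not from the original page): argument validation in front of
# avc_netlink_check_nb. Assumes IPv4 addresses and tcp/udp protocols.

# valid_ipv4 ADDR -> returns 0 if ADDR is a dotted quad with octets 0-255
valid_ipv4() {
    addr=$1
    case $addr in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digit, empty octet, or edge dot
    esac
    oldifs=$IFS; IFS=.
    set -- $addr                            # split into octets
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# valid_port PORT -> returns 0 if PORT is an integer in 1-65535
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_proto PROTO -> returns 0 for the transport protocols we accept (assumption: tcp/udp)
valid_proto() {
    case $1 in
        tcp|udp) return 0 ;;
        *) return 1 ;;
    esac
}

# check_args SRC_IP SRC_PORT DST_IP DST_PORT PROTO
# Reports the first malformed argument on stderr and returns 1; returns 0 when all are well-formed.
check_args() {
    [ $# -eq 5 ] || { echo "usage: <src ip> <src port> <dst ip> <dst port> <proto>" >&2; return 1; }
    valid_ipv4 "$1"  || { echo "bad source IP: $1" >&2; return 1; }
    valid_port "$2"  || { echo "bad source port: $2" >&2; return 1; }
    valid_ipv4 "$3"  || { echo "bad destination IP: $3" >&2; return 1; }
    valid_port "$4"  || { echo "bad destination port: $4" >&2; return 1; }
    valid_proto "$5" || { echo "bad protocol: $5" >&2; return 1; }
    return 0
}

# checked_avc_query ARGS...: validate, then run the tool if it is installed;
# otherwise print the command that would have been run.
checked_avc_query() {
    check_args "$@" || return 1
    if command -v avc_netlink_check_nb >/dev/null 2>&1; then
        avc_netlink_check_nb "$@"
    else
        echo "would run: avc_netlink_check_nb $*"
    fi
}

# Constructed sample inputs: one well-formed query and one with an octet > 255.
checked_avc_query 192.168.1.10 80 192.168.1.20 443 tcp
checked_avc_query 192.168.1.300 80 192.168.1.20 443 tcp || echo "rejected before invoking the tool"
```

The validation functions are separate from the invocation so they can be reused in scripts (such as the netstat pipeline in the Integration section) that generate arguments automatically, where a stray field from the parsed output is the usual source of a malformed argument.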

Integration

Combining with ‘netstat’:

netstat -ant | awk '$1 == "tcp" && $4 ~ /^192\.168\.1\.10:/ && $5 == "192.168.1.20:443" { sub(/.*:/, "", $4); print $4 }' | xargs -I % avc_netlink_check_nb 192.168.1.10 % 192.168.1.20 443 tcp

This pipeline lists TCP sockets with netstat, keeps only connections whose local address is 192.168.1.10 and whose foreign address is 192.168.1.20:443, extracts the local port from each, and runs avc_netlink_check_nb once per connection to check the SELinux policy for every such outgoing TCP connection.

Related Commands

  • avc_check_nb: Checks permissions using Netlink without connecting.
  • avc_check: Checks permissions using policy modules.
  • chcon: Changes the SELinux context of a file or directory.