Network Labeling Statements
===========================

ipaddr
------

Declares a named IP address in IPv4 or IPv6 format that may be referenced by other CIL statements (e.g. [`nodecon`](cil_network_labeling_statements.md#nodecon)).

Notes:

- CIL statements that take an IP address may reference a named IP address or use an anonymous address; the examples show each option.

- An anonymous IP address may be used without a prior `ipaddr` declaration by enclosing it in parentheses, e.g. `(127.0.0.1)` or `(::1)`.

**Statement definition:**

    (ipaddr ipaddr_id ip_address)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>ipaddr</code></p></td>
<td align="left"><p>The <code>ipaddr</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>ipaddr_id</code></p></td>
<td align="left"><p>The IP address identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>ip_address</code></p></td>
<td align="left"><p>A correctly formatted IP address in IPv4 or IPv6 format.</p></td>
</tr>
</tbody>
</table>

**Example:**

This example declares a named IP address and also passes an explicitly written anonymous IP address to a macro:

    (ipaddr netmask_1 255.255.255.0)
    (context netlabel_1 (system.user object_r unconfined.object low_low))

    (call build_nodecon ((192.168.1.64) netmask_1))

    (macro build_nodecon ((ipaddr ARG1) (ipaddr ARG2))
        (nodecon ARG1 ARG2 netlabel_1))

netifcon
--------

Labels network interface objects (e.g. `eth0`).

**Statement definition:**

    (netifcon netif_name netif_context_id packet_context_id)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>netifcon</code></p></td>
<td align="left"><p>The <code>netifcon</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>netif_name</code></p></td>
<td align="left"><p>The network interface name (e.g. <code>wlan0</code>).</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>netif_context_id</code></p></td>
<td align="left"><p>The security context to be allocated to the network interface.</p>
<p>A previously declared <code>context</code> identifier or an anonymous security context (<code>user role type levelrange</code>); the range MUST be defined whether or not the policy is MLS/MCS enabled.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>packet_context_id</code></p></td>
<td align="left"><p>The security context to be allocated to packets. Note that these are defined but currently unused, as the <strong><code>iptables</code></strong><code>(8)</code> SECMARK services should be used to label packets.</p>
<p>A previously declared <code>context</code> identifier or an anonymous security context (<code>user role type levelrange</code>); the range MUST be defined whether or not the policy is MLS/MCS enabled.</p></td>
</tr>
</tbody>
</table>

**Examples:**

These examples show named and anonymous [`netifcon`](cil_network_labeling_statements.md#netifcon) statements:

    (context context_1 (unconfined.user object_r unconfined.object low_low))
    (context context_2 (unconfined.user object_r unconfined.object (systemlow level_2)))

    (netifcon eth0 context_1 (unconfined.user object_r unconfined.object levelrange_1))
    (netifcon eth1 context_1 (unconfined.user object_r unconfined.object ((s0) level_1)))
    (netifcon eth3 context_1 context_2)

nodecon
-------

Labels network address objects that represent IPv4 or IPv6 addresses and network masks.

An anonymous IP address may be used without a prior `ipaddr` declaration by enclosing it in parentheses, e.g. `(127.0.0.1)` or `(::1)`.

**Statement definition:**

    (nodecon subnet_id netmask_id context_id)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>nodecon</code></p></td>
<td align="left"><p>The <code>nodecon</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>subnet_id</code></p></td>
<td align="left"><p>A previously declared <code>ipaddr</code> identifier, or an anonymous IPv4 or IPv6 formatted address.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>netmask_id</code></p></td>
<td align="left"><p>A previously declared <code>ipaddr</code> identifier, or an anonymous IPv4 or IPv6 formatted address.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>context_id</code></p></td>
<td align="left"><p>A previously declared <code>context</code> identifier or an anonymous security context (<code>user role type levelrange</code>); the range MUST be defined whether or not the policy is MLS/MCS enabled.</p></td>
</tr>
</tbody>
</table>

**Examples:**

These examples show named and anonymous [`nodecon`](cil_network_labeling_statements.md#nodecon) statements; the subnet is given first and the netmask second, as in the statement definition:

    (context context_1 (unconfined.user object_r unconfined.object low_low))
    (context context_2 (unconfined.user object_r unconfined.object (systemlow level_2)))

    (ipaddr netmask_1 255.255.255.0)
    (ipaddr ipv4_1 192.168.1.64)

    (nodecon ipv4_1 netmask_1 context_2)
    (nodecon (192.168.1.64) (255.255.255.0) context_1)
    (nodecon (192.168.1.64) netmask_1 (unconfined.user object_r unconfined.object ((s0) (s0 (c0)))))

portcon
-------

Labels a udp, tcp, dccp or sctp port.

**Statement definition:**

    (portcon protocol port|(port_low port_high) context_id)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>portcon</code></p></td>
<td align="left"><p>The <code>portcon</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>protocol</code></p></td>
<td align="left"><p>The protocol keyword <code>tcp</code>, <code>udp</code>, <code>dccp</code> or <code>sctp</code>.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>port |</code></p>
<p><code>(port_low port_high)</code></p></td>
<td align="left"><p>A single port to which the context applies, or a range of ports (<code>port_low</code> to <code>port_high</code>).</p>
<p>Port entries must be numeric (<code>[0-9]</code>).</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>context_id</code></p></td>
<td align="left"><p>A previously declared <code>context</code> identifier or an anonymous security context (<code>user role type levelrange</code>); the range MUST be defined whether or not the policy is MLS/MCS enabled.</p></td>
</tr>
</tbody>
</table>

**Examples:**

These examples show named and anonymous [`portcon`](cil_network_labeling_statements.md#portcon) statements:

    (portcon tcp 1111 (unconfined.user object_r unconfined.object ((s0) (s0 (c0)))))
    (portcon tcp 2222 (unconfined.user object_r unconfined.object levelrange_2))
    (portcon tcp 3333 (unconfined.user object_r unconfined.object levelrange_1))
    (portcon udp 4444 (unconfined.user object_r unconfined.object ((s0) level_2)))
    (portcon tcp (2000 20000) (unconfined.user object_r unconfined.object (systemlow level_3)))
    (portcon dccp (6840 6880) (unconfined.user object_r unconfined.object ((s0) level_2)))
    (portcon sctp (1024 1035) (unconfined.user object_r unconfined.object ((s0) level_2)))
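A small lint for the `nodecon` and `portcon` statements documented above, added here as an example and not part of the CIL reference. It parses CIL s-expressions, resolves named `ipaddr` declarations (anonymous addresses are read from their parentheses), and reports a nodecon whose subnet and mask differ in address family or whose subnet has host bits set under its mask, plus a portcon whose range overlaps an earlier one for the same protocol. The host-bits check assumes node matching compares the masked packet address with the stored subnet, so a subnet such as 192.168.1.64 under 255.255.255.0 can never match; the sample CIL below is constructed for this example.

```python
import ipaddress
import re

# Constructed sample (not from the page): one sound nodecon plus the cases the lint catches.
SAMPLE_CIL = """
(ipaddr netmask_1 255.255.255.0)
(ipaddr ipv4_1 192.168.1.64)
(nodecon (192.168.1.0) netmask_1 context_1)        ; sound: no host bits under the mask
(nodecon ipv4_1 netmask_1 context_1)               ; host bits set: never equals a masked address
(nodecon netmask_1 ipv4_1 context_1)               ; subnet and mask swapped
(nodecon (2001:db8::) netmask_1 context_1)         ; IPv6 subnet with an IPv4 mask
(portcon tcp 3333 context_1)
(portcon tcp (2000 20000) context_1)               ; overlaps tcp 3333
(portcon sctp (1024 1035) context_1)
"""

def parse_cil(text):
    """Parse CIL s-expressions into nested lists; ';' starts a comment."""
    stack, cur = [], []
    for tok in re.findall(r"\(|\)|[^\s()]+", re.sub(r";[^\n]*", "", text)):
        if tok == "(":
            stack.append(cur)
            cur = []
        elif tok == ")":
            cur, inner = stack.pop(), cur
            cur.append(inner)
        else:
            cur.append(tok)
    return cur

def lint_cil(text):
    """Return findings (strings) for the nodecon and portcon statements in CIL text."""
    stmts = [s for s in parse_cil(text) if isinstance(s, list)]
    named = {s[1]: s[2] for s in stmts if s[0] == "ipaddr"}
    def addr(a):  # named ipaddr identifier, or an anonymous address written as (addr)
        return ipaddress.ip_address(a[0] if isinstance(a, list) else named[a])
    findings, seen_ports = [], []
    for s in stmts:
        if s[0] == "nodecon":
            subnet, mask = addr(s[1]), addr(s[2])
            if subnet.version != mask.version:
                findings.append(f"nodecon {subnet} / {mask}: address family mismatch")
            elif (int(subnet) & int(mask)) != int(subnet):
                findings.append(f"nodecon {subnet} / {mask}: subnet has host bits set under mask")
        elif s[0] == "portcon":
            # A single port is treated as the range (port port); ranges are inclusive
            lo, hi = map(int, s[2] if isinstance(s[2], list) else [s[2], s[2]])
            for p_proto, p_lo, p_hi in seen_ports:
                if p_proto == s[1] and lo <= p_hi and p_lo <= hi:
                    findings.append(f"portcon {s[1]} {lo}-{hi} overlaps {p_lo}-{p_hi}")
            seen_ports.append((s[1], lo, hi))
    return findings
```

`lint_cil(SAMPLE_CIL)` returns four findings: the two host-bit cases, the family mismatch, and the tcp overlap.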