Network Labeling Statements
===========================

ipaddr
------

Declares a named IP address in IPv4 or IPv6 format that may be referenced by other CIL statements (e.g. [`nodecon`](cil_network_labeling_statements.md#nodecon)).

Notes:

-   CIL statements utilising an IP address may reference a named IP address or use an anonymous address; the examples show each option.

-   IP addresses may be used without a previous declaration by enclosing them within parentheses, e.g. `(127.0.0.1)` or `(::1)`.

**Statement definition:**

    (ipaddr ipaddr_id ip_address)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>ipaddr</code></p></td>
<td align="left"><p>The <code>ipaddr</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>ipaddr_id</code></p></td>
<td align="left"><p>The IP address identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>ip_address</code></p></td>
<td align="left"><p>A correctly formatted IP address in IPv4 or IPv6 format.</p></td>
</tr>
</tbody>
</table>

**Example:**

This example declares a named IP address and also passes an anonymous (explicitly parenthesised) IP address to a macro:

    (ipaddr netmask_1 255.255.255.0)
    (context netlabel_1 (system.user object_r unconfined.object low_low))

    (call build_nodecon ((192.168.1.64) netmask_1))

    (macro build_nodecon ((ipaddr ARG1) (ipaddr ARG2))
        (nodecon ARG1 ARG2 netlabel_1))

netifcon
--------

Label network interface objects (e.g. `eth0`).

**Statement definition:**

    (netifcon netif_name netif_context_id packet_context_id)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>netifcon</code></p></td>
<td align="left"><p>The <code>netifcon</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>netif_name</code></p></td>
<td align="left"><p>The network interface name (e.g. <code>wlan0</code>).</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>netif_context_id</code></p></td>
<td align="left"><p>The security context to be allocated to the network interface.</p>
<p>A previously declared <code>context</code> identifier or an anonymous security context (<code>user role type levelrange</code>); the range MUST be defined whether the policy is MLS/MCS enabled or not.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>packet_context_id</code></p></td>
<td align="left"><p>The security context to be allocated to packets. Note that this context is defined but currently unused, as the <strong><code>iptables</code></strong><code>(8)</code> SECMARK services should be used to label packets.</p>
<p>A previously declared <code>context</code> identifier or an anonymous security context (<code>user role type levelrange</code>); the range MUST be defined whether the policy is MLS/MCS enabled or not.</p></td>
</tr>
</tbody>
</table>

**Examples:**

These examples show named and anonymous [`netifcon`](cil_network_labeling_statements.md#netifcon) statements:

    (context context_1 (unconfined.user object_r unconfined.object low_low))
    (context context_2 (unconfined.user object_r unconfined.object (systemlow level_2)))

    (netifcon eth0 context_1 (unconfined.user object_r unconfined.object levelrange_1))
    (netifcon eth1 context_1 (unconfined.user object_r unconfined.object ((s0) level_1)))
    (netifcon eth3 context_1 context_2)

nodecon
-------

Label network address objects that represent IPv4 or IPv6 IP addresses and network masks.

IP addresses may be used without a previous declaration by enclosing them within parentheses, e.g. `(127.0.0.1)` or `(::1)`.

**Statement definition:**

    (nodecon subnet_id netmask_id context_id)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>nodecon</code></p></td>
<td align="left"><p>The <code>nodecon</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>subnet_id</code></p></td>
<td align="left"><p>A previously declared <code>ipaddr</code> identifier, or an anonymous IPv4 or IPv6 formatted address.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>netmask_id</code></p></td>
<td align="left"><p>A previously declared <code>ipaddr</code> identifier, or an anonymous IPv4 or IPv6 formatted address.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>context_id</code></p></td>
<td align="left"><p>A previously declared <code>context</code> identifier or an anonymous security context (<code>user role type levelrange</code>); the range MUST be defined whether the policy is MLS/MCS enabled or not.</p></td>
</tr>
</tbody>
</table>

**Examples:**

These examples show named and anonymous [`nodecon`](cil_network_labeling_statements.md#nodecon) statements, with the subnet given first and the netmask second as in the statement definition:

    (context context_1 (unconfined.user object_r unconfined.object low_low))
    (context context_2 (unconfined.user object_r unconfined.object (systemlow level_2)))

    (ipaddr netmask_1 255.255.255.0)
    (ipaddr ipv4_1 192.168.1.64)

    (nodecon ipv4_1 netmask_1 context_2)
    (nodecon (192.168.1.64) (255.255.255.0) context_1)
    (nodecon (192.168.1.64) netmask_1 (unconfined.user object_r unconfined.object ((s0) (s0 (c0)))))

portcon
-------

Label a UDP or TCP port, or a range of ports.

**Statement definition:**

    (portcon protocol port|(port_low port_high) context_id)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>portcon</code></p></td>
<td align="left"><p>The <code>portcon</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>protocol</code></p></td>
<td align="left"><p>The protocol keyword <code>tcp</code> or <code>udp</code>.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>port |</code></p>
<p><code>(port_low port_high)</code></p></td>
<td align="left"><p>A single port to apply the context to, or a range of ports.</p>
<p>The entries must consist of numerics <code>[0-9]</code>.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>context_id</code></p></td>
<td align="left"><p>A previously declared <code>context</code> identifier or an anonymous security context (<code>user role type levelrange</code>); the range MUST be defined whether the policy is MLS/MCS enabled or not.</p></td>
</tr>
</tbody>
</table>

**Examples:**

These examples show named and anonymous [`portcon`](cil_network_labeling_statements.md#portcon) statements:

    (portcon tcp 1111 (unconfined.user object_r unconfined.object ((s0) (s0 (c0)))))
    (portcon tcp 2222 (unconfined.user object_r unconfined.object levelrange_2))
    (portcon tcp 3333 (unconfined.user object_r unconfined.object levelrange_1))
    (portcon udp 4444 (unconfined.user object_r unconfined.object ((s0) level_2)))
    (portcon tcp (2000 20000) (unconfined.user object_r unconfined.object (systemlow level_3)))

    202