netlabelctl(8) NetLabel Documentation netlabelctl(8)
NAME
netlabelctl - NetLabel management utility
SYNOPSIS
netlabelctl [<global flags>] <module> [<module commands>]
DESCRIPTION
The NetLabel management utility, netlabelctl, is a command line program
designed to allow system administrators to configure the NetLabel system
in the kernel. The utility is based around different "modules" which
correspond to the different types of NetLabel commands supported by the
kernel.
OPTIONS
Global Flags
-h Help message
-p Attempt to make the output human readable or "pretty"
-t <seconds>
Set a timeout to be used when waiting for the NetLabel subsystem
to respond
-v Enable extra output
-V Display the version information
Modules and Commands
mgmt
The management module is used to perform general queries about the
NetLabel subsystem within the kernel. The different commands and their
syntax are listed below.
version
Display the kernel's NetLabel management protocol version.
protocols
Display the kernel's list of supported labeling protocols.
map
The domain mapping module is used to map different NetLabel labeling
protocols to either individual LSM domains or the default domain
mapping. It is up to each LSM to determine what defines a domain. With
SELinux, the normal SELinux domain should be used, i.e. "ping_t". In
addition to protocol selection based only on the LSM domain, it is also
possible to select the labeling protocol based on both the LSM domain
and destination address. The network address selectors can specify
either single hosts or entire networks and work for both IPv4 and IPv6,
although the labeling protocol chosen must support the IP version
chosen. When specifying the labeling protocol to use for each mapping
there is an optional "extra" field which is used to further identify
the specific labeling protocol configuration. When specifying the
unlabeled protocol, "unlbl", there is no extra identification needed.
When specifying the CIPSO/IPv4 protocol, "cipsov4", the DOI value
should be specified; see the EXAMPLES section for details. The
different commands and their syntax are listed below.
add default|domain:<domain> [address:<ADDR>[/<MASK>]] protocol:<protocol>[,<extra>]
Add a new LSM domain / network address to NetLabel protocol
mapping.
del default|domain:<domain>
Delete an existing LSM domain to NetLabel protocol mapping.
list
Display all of the configured LSM domain to NetLabel protocol
mappings.
unlbl
The unlabeled (unlbl) module controls the unlabeled protocol which is
used both when labeling outgoing traffic is not desired as well as when
unlabeled traffic is received by the system. This module allows
administrators to block all unlabeled packets from the system through
the "accept" flag and assign static, or fallback, security labels to
unlabeled traffic based on the inbound network interface and source
address.
accept on|off
Toggle the unlabeled traffic accept flag.
add default|interface:<dev> address:<addr>[/<mask>] label:<label>
Add a new static/fallback entry.
del default|interface:<dev> address:<addr>[/<mask>]
Delete an existing static/fallback entry.
list
Display the status of the unlabeled accept flag.
cipsov4
The CIPSO/IPv4 (cipsov4) module controls the CIPSO/IPv4 labeling engine
in the kernel. The CIPSO/IPv4 engine provided by NetLabel supports
multiple Domains Of Interpretation (DOI) and the CIPSO/IPv4 module
allows for different configurations for each DOI. At present there are
three types of configurations: the "trans" configuration which allows
on-the-fly translation of MLS sensitivity labels, the "pass"
configuration which does not perform any translation of the MLS
sensitivity label, and the "local" configuration which conveys the full
LSM security label over localhost/loopback connections. Regardless of
which configuration type is chosen a DOI value must be specified, and
if the "trans" or "pass" configurations are specified then a list of
the CIPSO/IPv4 tag types to use when generating the CIPSO/IPv4 packet
labels must also be specified. The list of CIPSO/IPv4 tags is ordered
such that when possible the first tag type listed is used when a
CIPSO/IPv4 label is generated. However, if it is not possible to use
the first tag type then each tag type is checked, in order, until a
suitable tag type is found. If a valid tag type can not be found then
the operation causing the CIPSO/IPv4 label will fail; typically this
occurs whenever a new socket is created. The different commands and
their syntax are listed below.
add trans doi:<DOI> tags:<T1>,<Tn> levels:<LL1>=<RL1>,<LLn>=<RLn> categories:<LC1>=<RC1>,<LCn>=<RCn>
Add a new CIPSO/IPv4 configuration using the standard/translated
mapping with the given level and category translations. The
levels are translated in such a way that the local level "LLn"
is translated to the remote, on-the-wire level of "RLn"; the
reverse translation is done for incoming packets. The same
translation is done for the categories using "LCn" and "RCn".
In order for a packet to be accepted, or a socket created by an
application, there must be a translation for the sensitivity
level and all the categories present in the MLS sensitivity
label; if the entire requested sensitivity label can not be
translated the application will fail.
add pass doi:<DOI> tags:<T1>,<Tn>
Add a new CIPSO/IPv4 configuration without any level or category
translations.
add local doi:<DOI>
Add a new CIPSO/IPv4 configuration for localhost/loopback
connections.
del doi:<DOI>
Delete an existing CIPSO/IPv4 configuration with the given DOI
value. If any LSM domain mappings are present which make use of
this DOI they will also be deleted.
list [doi:<DOI>]
Display a list of all the CIPSO/IPv4 configurations or just the
configuration matching the optionally specified DOI.
EXAMPLES
netlabelctl cipsov4 add pass doi:16 tags:1
Add a CIPSO/IPv4 configuration with a DOI value of "16", using
CIPSO tag "1" (the permissive bitmap tag). The CIPSO and LSM lev‐
els/categories are passed through the NetLabel subsystem without
any translation.
netlabelctl cipsov4 add trans doi:8 tags:1 levels:0=0,1=1 categories:0=1,1=0
Add a CIPSO/IPv4 configuration with a DOI value of "8", using
CIPSO tag "1" (the permissive bitmap tag). The specified mapping
converts local LSM levels "0" and "1" to CIPSO levels "0" and "1"
respectively while local LSM categories "0" and "1" are mapped to
CIPSO categories "1" and "0" respectively.
netlabelctl -p cipsov4 list
Display all of the CIPSO/IPv4 configurations in a human readable
format.
netlabelctl -p cipsov4 list doi:16
Display specific information about the CIPSO/IPv4 DOI 16
configuration.
netlabelctl cipsov4 del doi:8
Delete the CIPSO/IPv4 configuration assigned to DOI 8. In
addition to removing the CIPSO/IPv4 configuration any domain mappings
using this configuration will also be removed.
netlabelctl map add domain:lsm_domain protocol:cipsov4,8
Add a domain mapping so that all outgoing packets sent from the
"lsm_domain" will be labeled according to the CIPSO/IPv4 protocol
using DOI 8.
netlabelctl map add domain:lsm_domain address:192.168.1.0/24 protocol:cipsov4,8
Add a mapping so that all outgoing packets sent from the
"lsm_domain" to the 192.168.1.0/24 network will be labeled
according to the CIPSO/IPv4 protocol using DOI 8.
netlabelctl -p map list
Display all of the domain mappings in a human readable format.
netlabelctl map del domain:lsm_domain
Delete the domain mapping for the "lsm_domain"; packets sent from
the "lsm_domain" will fall back to the default NetLabel mapping.
netlabelctl unlbl add interface:lo address:::1 label:foo
Add a static/fallback label to assign the "foo" security label to
unlabeled packets entering the system over the "lo" (loopback)
interface with an IPv6 source address of "::1" (localhost).
netlabelctl unlbl add default address:192.168.0.0/16 label:bar
Add a static/fallback label to assign the "bar" security label to
unlabeled packets entering the system over any interface with an
IPv4 source address in the 192.168.0.0/16 network.
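The "trans" translation rules described under the cipsov4 module, modeled as an added Python example (not code from netlabel_tools or the kernel): it parses the same levels:/categories: argument syntax used in the DOI 8 example above, applies the local-to-wire mapping for outgoing labels and the reverse for incoming ones, and rejects any label whose level or categories cannot be fully translated, which is the failure the kernel reports when a socket is created or a packet is received.

```python
# Added example: a model of a NetLabel CIPSO/IPv4 "trans" DOI configuration.
# The class, parsing and return shapes are this example's own assumptions;
# only the argument syntax and the translation semantics come from the page.
from dataclasses import dataclass, field


@dataclass
class CipsoTransDoi:
    doi: int
    level_map: dict = field(default_factory=dict)  # local level -> wire level
    cat_map: dict = field(default_factory=dict)    # local category -> wire category

    @classmethod
    def from_args(cls, doi, levels_arg, categories_arg):
        """Build a DOI from 'levels:LL=RL,...' and 'categories:LC=RC,...' arguments."""
        def parse(arg, prefix):
            if not arg.startswith(prefix + ":"):
                raise ValueError(f"expected '{prefix}:...', got {arg!r}")
            pairs = (p.split("=", 1) for p in arg[len(prefix) + 1:].split(","))
            return {int(loc): int(rem) for loc, rem in pairs}
        return cls(doi, parse(levels_arg, "levels"), parse(categories_arg, "categories"))

    @staticmethod
    def _translate(level, cats, level_map, cat_map, doi, direction):
        # The whole MLS label must translate; a partial translation is a failure,
        # not a label with the untranslatable categories silently dropped.
        if level not in level_map:
            raise PermissionError(f"DOI {doi}: no {direction} mapping for level {level}")
        missing = sorted(c for c in cats if c not in cat_map)
        if missing:
            raise PermissionError(f"DOI {doi}: no {direction} mapping for categories {missing}")
        return level_map[level], frozenset(cat_map[c] for c in cats)

    def to_wire(self, level, cats):
        """Outgoing packet: local LSM level/categories -> CIPSO on-the-wire values."""
        return self._translate(level, cats, self.level_map, self.cat_map, self.doi, "outbound")

    def from_wire(self, level, cats):
        """Incoming packet: the reverse of the same tables, wire values -> local LSM values."""
        inv_levels = {rem: loc for loc, rem in self.level_map.items()}
        inv_cats = {rem: loc for loc, rem in self.cat_map.items()}
        return self._translate(level, cats, inv_levels, inv_cats, self.doi, "inbound")

    def can_send(self, level, cats):
        """True if a socket with this local label could be created under this DOI."""
        try:
            self.to_wire(level, cats)
            return True
        except PermissionError:
            return False
```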
NOTES
The NetLabel subsystem is supported on Linux Kernels version 2.6.19 and
later. The static, or fallback, labels are only supported on Linux
Kernels version 2.6.25 and later. The domain mapping address selectors
are only supported on Linux Kernels 2.6.28 and later.
The NetLabel project site, with more information including the source
code repository, can be found at http://netlabel.sf.net. This program
is currently under development; please report any bugs at the project
site or directly to the author.
AUTHOR
Paul Moore <paul.moore@hp.com>
SEE ALSO
<other pages to be created at a future date>
paul.moore@hp.com 18 December 2008 netlabelctl(8)