netlabelctl(8)              NetLabel Documentation              netlabelctl(8)

NAME

       netlabelctl - NetLabel management utility

SYNOPSIS

       netlabelctl [<global flags>] <module> [<module commands>]

DESCRIPTION

       The NetLabel management utility, netlabelctl, is a command line program
       designed to allow system administrators to configure the NetLabel
       system in the kernel.  The utility is based around different "modules"
       which correspond to the different types of NetLabel commands supported
       by the kernel.

OPTIONS

   Global Flags
       -h   Help message

       -p   Attempt to make the output human readable or "pretty"

       -t <seconds>
            Set a timeout to be used when waiting for the NetLabel subsystem
            to respond

       -v   Enable extra output

       -V   Display the version information

   Modules and Commands
       mgmt

       The management module is used to perform general queries about the
       NetLabel subsystem within the kernel.  The different commands and their
       syntax are listed below.

       version
              Display the kernel's NetLabel management protocol version.

       protocols
              Display the kernel's list of supported labeling protocols.

       map

       The domain mapping module is used to map different NetLabel labeling
       protocols to either individual LSM domains or the default domain
       mapping.  It is up to each LSM to determine what defines a domain.
       With SELinux, the normal SELinux domain should be used, i.e. "ping_t".
       In addition to protocol selection based only on the LSM domain, it is
       also possible to select the labeling protocol based on both the LSM
       domain and destination address.  The network address selectors can
       specify either single hosts or entire networks and work for both IPv4
       and IPv6, although the labeling protocol chosen must support the IP
       version chosen.  When specifying the labeling protocol to use for each
       mapping there is an optional "extra" field which is used to further
       identify the specific labeling protocol configuration.  When specifying
       the unlabeled protocol, "unlbl", there is no extra identification
       needed.  When specifying the CIPSO/IPv4 protocol, "cipsov4", the DOI
       value should be specified; see the EXAMPLES section for details.  The
       different commands and their syntax are listed below.

       add default|domain:<domain> [address:<ADDR>[/<MASK>]] protocol:<protocol>[,<extra>]
              Add a new LSM domain / network address to NetLabel protocol
              mapping.

       del default|domain:<domain>
              Delete an existing LSM domain to NetLabel protocol mapping.

       list
              Display all of the configured LSM domain to NetLabel protocol
              mappings.

       unlbl

       The unlabeled (unlbl) module controls the unlabeled protocol which is
       used both when labeling outgoing traffic is not desired as well as when
       unlabeled traffic is received by the system.  This module allows
       administrators to block all unlabeled packets from the system through
       the "accept" flag and assign static, or fallback, security labels to
       unlabeled traffic based on the inbound network interface and source
       address.

       accept on|off
              Toggle the unlabeled traffic accept flag.

       add default|interface:<dev> address:<addr>[/<mask>] label:<label>
              Add a new static/fallback entry.

       del default|interface:<dev> address:<addr>[/<mask>]
              Delete an existing static/fallback entry.

       list
              Display the status of the unlabeled accept flag.

       cipsov4

       The CIPSO/IPv4 (cipsov4) module controls the CIPSO/IPv4 labeling engine
       in the kernel.  The CIPSO/IPv4 engine provided by NetLabel supports
       multiple Domains Of Interpretation (DOI) and the CIPSO/IPv4 module
       allows for different configurations for each DOI.  At present there are
       three types of configurations: the "trans" configuration which allows
       on-the-fly translation of MLS sensitivity labels, the "pass"
       configuration which does not perform any translation of the MLS
       sensitivity label and the "local" configuration which conveys the full
       LSM security label over localhost/loopback connections.  Regardless of
       which configuration type is chosen a DOI value must be specified, and
       if the "trans" or "pass" configurations are specified then a list of
       the CIPSO/IPv4 tag types to use when generating the CIPSO/IPv4 packet
       labels must also be specified.  The list of CIPSO/IPv4 tags is ordered
       such that when possible the first tag type listed is used when a
       CIPSO/IPv4 label is generated.  However, if it is not possible to use
       the first tag type then each tag type is checked, in order, until a
       suitable tag type is found.  If a valid tag type cannot be found then
       the operation causing the CIPSO/IPv4 label will fail; typically this
       occurs whenever a new socket is created.  The different commands and
       their syntax are listed below.

       add trans doi:<DOI> tags:<T1>,<Tn> levels:<LL1>=<RL1>,<LLn>=<RLn> categories:<LC1>=<RC1>,<LCn>=<RCn>
              Add a new CIPSO/IPv4 configuration using the standard/translated
              mapping with the given level and category translations.  The
              levels are translated in such a way that the local level "LLn"
              is translated to the remote, on-the-wire level of "RLn"; the
              reverse translation is done for incoming packets.  The same
              translation is done for the categories using "LCn" and "RCn".
              In order for a packet to be accepted, or a socket created by an
              application, there must be a translation for the sensitivity
              level and all the categories present in the MLS sensitivity
              label; if the entire requested sensitivity label cannot be
              translated the application will fail.

       add pass doi:<DOI> tags:<T1>,<Tn>
              Add a new CIPSO/IPv4 configuration without any level or category
              translations.

       add local doi:<DOI>
              Add a new CIPSO/IPv4 configuration for localhost/loopback
              connections.

       del doi:<DOI>
              Delete an existing CIPSO/IPv4 configuration with the given DOI
              value.  If any LSM domain mappings are present which make use of
              this DOI they will also be deleted.

       list [doi:<DOI>]
              Display a list of all the CIPSO/IPv4 configurations or just the
              configuration matching the optionally specified DOI.

EXAMPLES

       netlabelctl cipsov4 add pass doi:16 tags:1
            Add a CIPSO/IPv4 configuration with a DOI value of "16", using
            CIPSO tag "1" (the permissive bitmap tag).  The CIPSO and LSM
            levels/categories are passed through the NetLabel subsystem
            without any translation.

       netlabelctl cipsov4 add trans doi:8 tags:1 levels:0=0,1=1 categories:0=1,1=0
            Add a CIPSO/IPv4 configuration with a DOI value of "8", using
            CIPSO tag "1" (the permissive bitmap tag).  The specified mapping
            converts local LSM levels "0" and "1" to CIPSO levels "0" and "1"
            respectively while local LSM categories "0" and "1" are mapped to
            CIPSO categories "1" and "0" respectively.

       netlabelctl -p cipsov4 list
            Display all of the CIPSO/IPv4 configurations in a human readable
            format.

       netlabelctl -p cipsov4 list doi:16
            Display specific information about the CIPSO/IPv4 DOI 16
            configuration.

       netlabelctl cipsov4 del doi:8
            Delete the CIPSO/IPv4 configuration assigned to DOI 8.  In
            addition to removing the CIPSO/IPv4 configuration any domain
            mappings using this configuration will also be removed.

       netlabelctl map add domain:lsm_domain protocol:cipsov4,8
            Add a domain mapping so that all outgoing packets sent from the
            "lsm_domain" will be labeled according to the CIPSO/IPv4 protocol
            using DOI 8.

       netlabelctl map add domain:lsm_domain address:192.168.1.0/24 protocol:cipsov4,8
            Add a mapping so that all outgoing packets sent from the
            "lsm_domain" to the 192.168.1.0/24 network will be labeled
            according to the CIPSO/IPv4 protocol using DOI 8.

       netlabelctl -p map list
            Display all of the domain mappings in a human readable format.

       netlabelctl map del domain:lsm_domain
            Delete the domain mapping for the "lsm_domain"; packets sent from
            the "lsm_domain" will fall back to the default NetLabel mapping.

       netlabelctl unlbl add interface:lo address:::1 label:foo
            Add a static/fallback label to assign the "foo" security label to
            unlabeled packets entering the system over the "lo" (loopback)
            interface with an IPv6 source address of "::1" (localhost).

       netlabelctl unlbl add default address:192.168.0.0/16 label:bar
            Add a static/fallback label to assign the "bar" security label to
            unlabeled packets entering the system over any interface with an
            IPv4 source address in the 192.168.0.0/16 network.
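
       The following Python model of the "trans" level and category
       translation is an added illustration, not code from the NetLabel
       project or the kernel.  It parses the words of the "cipsov4 add trans
       doi:8 ..." example above and applies the mapping in both directions,
       failing the way the manual describes when any level or category has no
       translation; TransConfig, to_wire, from_wire and can_translate are
       names chosen here.

```python
# Model of the NetLabel CIPSO/IPv4 "trans" mapping: an added illustration, not
# code from netlabel_tools or the kernel.  It mimics the manual's rule that the
# level and every category of an MLS label must have a translation, otherwise
# the labeling operation (typically socket creation) fails.
from dataclasses import dataclass


class TranslationError(ValueError): """Part of the label has no mapping."""


def parse_pairs(spec: str) -> dict:
    """Parse "0=1,1=0" (local=remote pairs) into {local: remote}."""
    return {int(loc): int(rem) for loc, rem in (p.split("=") for p in spec.split(","))}


def _apply(lvl_map: dict, cat_map: dict, level: int, cats: set) -> tuple:
    """Translate a (level, categories) label, or raise if anything is unmapped."""
    if level not in lvl_map:
        raise TranslationError(f"level {level} has no translation")
    missing = set(cats) - set(cat_map)
    if missing:
        raise TranslationError(f"categories {sorted(missing)} have no translation")
    return lvl_map[level], frozenset(cat_map[c] for c in cats)


@dataclass(frozen=True)
class TransConfig:
    """One DOI's translation table, as given to 'cipsov4 add trans'."""
    doi: int
    levels: dict      # local LSM level -> on-the-wire CIPSO level
    categories: dict  # local LSM category -> on-the-wire CIPSO category

    @classmethod
    def from_args(cls, args: list) -> "TransConfig":
        # args are the 'doi:<n> tags:<..> levels:<..> categories:<..>' words
        kv = dict(arg.split(":", 1) for arg in args)
        return cls(int(kv["doi"]), parse_pairs(kv["levels"]),
                   parse_pairs(kv["categories"]))

    def to_wire(self, level: int, cats: set) -> tuple:
        """Outgoing packet: local label -> remote (on-the-wire) label."""
        return _apply(self.levels, self.categories, level, cats)

    def from_wire(self, level: int, cats: set) -> tuple:
        """Incoming packet: the reverse translation back to the local label."""
        return _apply({r: l for l, r in self.levels.items()},
                      {r: l for l, r in self.categories.items()}, level, cats)


def can_translate(cfg: TransConfig, level: int, cats: set) -> bool:
    """True if a socket with this local label could be created under cfg."""
    try:
        cfg.to_wire(level, cats)
        return True
    except TranslationError:
        return False
```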

NOTES

       The NetLabel subsystem is supported on Linux Kernels version 2.6.19 and
       later.  The static, or fallback, labels are only supported on Linux
       Kernels version 2.6.25 and later.  The domain mapping address selectors
       are only supported on Linux Kernels 2.6.28 and later.

       The NetLabel project site, with more information including the source
       code repository, can be found at http://netlabel.sf.net.  This program
       is currently under development; please report any bugs at the project
       site or directly to the author.

AUTHOR

       Paul Moore <paul.moore@hp.com>

SEE ALSO

       <other pages to be created at a future date>



paul.moore@hp.com              18 December 2008                 netlabelctl(8)