netlabelctl(8)               NetLabel Documentation               netlabelctl(8)

NAME
       netlabelctl - NetLabel management utility

SYNOPSIS
       netlabelctl [<global_flags>] <module> [<module_commands>]

DESCRIPTION
       The NetLabel management utility, netlabelctl, is a command line program
       designed to allow system administrators to configure the NetLabel system
       in the kernel. The utility is based around different "modules" which
       correspond to the different types of NetLabel commands supported by the
       kernel.

   Global Flags
       -h     Help message

       -p     Attempt to make the output human readable or "pretty"

       -t <seconds>
              Set a timeout to be used when waiting for the NetLabel subsystem
              to respond

       -v     Enable extra output

       -V     Display the version information

   Modules and Commands
       mgmt

       The management module is used to perform general queries about the
       NetLabel subsystem within the kernel. The different commands and their
       syntax are listed below.

       version
              Display the kernel's NetLabel management protocol version.

       protocols
              Display the kernel's list of supported labeling protocols.

       map

       The domain mapping module is used to map different NetLabel labeling
       protocols to either individual LSM domains or the default domain
       mapping. It is up to each LSM to determine what defines a domain. With
       SELinux, the normal SELinux domain should be used, i.e. "ping_t". In
       addition to protocol selection based only on the LSM domain, it is also
       possible to select the labeling protocol based on both the LSM domain
       and destination address. The network address selectors can specify
       either single hosts or entire networks and work for both IPv4 and IPv6,
       although the labeling protocol chosen must support the IP version
       chosen. When specifying the labeling protocol to use for each mapping
       there is an optional "extra" field which is used to further identify
       the specific labeling protocol configuration. When specifying the
       unlabeled protocol, "unlbl", there is no extra identification needed.
       When specifying the CIPSO/IPv4 protocol, "cipsov4", the DOI value
       should be specified; see the EXAMPLES section for details. The
       different commands and their syntax are listed below.

       add default|domain:<domain> [address:<ADDR>[/<MASK>]] protocol:<protocol>[,<extra>]
              Add a new LSM domain / network address to NetLabel protocol
              mapping.

       del default|domain:<domain>
              Delete an existing LSM domain to NetLabel protocol mapping.

       list
              Display all of the configured LSM domain to NetLabel protocol
              mappings.

       unlbl

       The unlabeled (unlbl) module controls the unlabeled protocol which is
       used both when labeling outgoing traffic is not desired as well as when
       unlabeled traffic is received by the system. This module allows
       administrators to block all unlabeled packets from the system through
       the "accept" flag and assign static, or fallback, security labels to
       unlabeled traffic based on the inbound network interface and source
       address.

       accept on|off
              Toggle the unlabeled traffic accept flag.

       add default|interface:<dev> address:<addr>[/<mask>] label:<label>
              Add a new static/fallback entry.

       del default|interface:<dev> address:<addr>[/<mask>]
              Delete an existing static/fallback entry.

       list
              Display the status of the unlabeled accept flag.
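
       The two lookups described for the map and unlbl modules (which
       labeling protocol an outgoing packet gets from its LSM domain and
       destination address, and which fallback label an unlabeled inbound
       packet gets from its interface and source address) can be modeled in
       a few lines. The following Python is an added illustration, not code
       from the netlabel_tools project or the kernel; the precedence it
       applies (a domain's own entries before the default entries, an
       interface's own entries before the default entries, the longest
       matching prefix first, an address-less entry only as a catch-all) is
       the model's assumption, and the sample configuration is constructed
       from the EXAMPLES section of this page.

```python
"""Model of the lookups behind "netlabelctl map" and "netlabelctl unlbl".

Added illustration, not code from netlabel_tools or the kernel.  The tables
mirror the arguments of "map add" and "unlbl add"; the precedence rules are
this model's assumption, not something the man page states.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

DEFAULT = None  # stands in for the "default" keyword of the map/unlbl commands


@dataclass
class MapEntry:
    protocol: str            # "unlbl" or "cipsov4"
    extra: Optional[int]     # the CIPSO DOI for cipsov4, None for unlbl
    network: object          # ip_network() selector, or None for no address selector


def _most_specific(entries, addr, net_of):
    """Entry whose selector contains addr with the longest prefix; an entry
    without a selector is returned only when nothing more specific matches."""
    best = None
    for entry in entries:
        net = net_of(entry)
        if net is None:
            best = best if best is not None else entry   # catch-all
            continue
        if net.version != addr.version or addr not in net:
            continue
        if best is None or net_of(best) is None or net.prefixlen > net_of(best).prefixlen:
            best = entry
    return best


class NetLabelPolicy:
    def __init__(self):
        self.domain_map = {}       # domain or DEFAULT -> [MapEntry]
        self.unlbl_accept = True   # "unlbl accept on|off"
        self.unlbl_static = {}     # interface or DEFAULT -> [(network, label)]

    # map add default|domain:<domain> [address:<addr>[/<mask>]] protocol:<proto>[,<extra>]
    def map_add(self, domain, protocol, extra=None, address=None):
        network = ipaddress.ip_network(address, strict=False) if address else None
        if protocol == "cipsov4" and extra is None:
            raise ValueError("cipsov4 needs a DOI in the extra field")
        # the chosen protocol must support the IP version of the selector
        if protocol == "cipsov4" and network is not None and network.version != 4:
            raise ValueError("cipsov4 cannot label IPv6 destinations")
        self.domain_map.setdefault(domain, []).append(MapEntry(protocol, extra, network))

    def map_lookup(self, domain, dst):
        """(protocol, extra) used for a packet sent by LSM domain `domain` to `dst`."""
        dst = ipaddress.ip_address(dst)
        for key in (domain, DEFAULT):
            hit = _most_specific(self.domain_map.get(key, []), dst, lambda e: e.network)
            if hit is not None:
                return hit.protocol, hit.extra
        raise LookupError(f"no mapping for domain {domain!r} to {dst}")

    # unlbl add default|interface:<dev> address:<addr>[/<mask>] label:<label>
    def unlbl_add(self, interface, address, label):
        network = ipaddress.ip_network(address, strict=False)
        self.unlbl_static.setdefault(interface, []).append((network, label))

    def unlbl_inbound(self, interface, src):
        """Label given to an unlabeled packet arriving on `interface` from `src`:
        a fallback label if one applies, "unlabeled" if the accept flag lets it
        through without one, or None when the accept flag is off (dropped)."""
        src = ipaddress.ip_address(src)
        for key in (interface, DEFAULT):
            hit = _most_specific(self.unlbl_static.get(key, []), src, lambda e: e[0])
            if hit is not None:
                return hit[1]
        return "unlabeled" if self.unlbl_accept else None


def build_sample_policy():
    """Constructed configuration modeled on the EXAMPLES section of this page."""
    policy = NetLabelPolicy()
    policy.map_add(DEFAULT, "unlbl")
    policy.map_add("lsm_domain", "cipsov4", 8, "192.168.1.0/24")
    policy.map_add("lsm_domain", "cipsov4", 16, "192.168.1.128/25")  # constructed, more specific
    policy.unlbl_accept = False
    policy.unlbl_add("lo", "::1", "foo")
    policy.unlbl_add(DEFAULT, "192.168.0.0/16", "bar")
    return policy


if __name__ == "__main__":
    p = build_sample_policy()
    print(p.map_lookup("lsm_domain", "192.168.1.7"))   # cipsov4 with DOI 8
    print(p.map_lookup("ping_t", "192.168.1.7"))       # default mapping: unlbl
    print(p.unlbl_inbound("eth0", "192.168.5.5"))      # fallback label "bar"
    print(p.unlbl_inbound("eth0", "10.0.0.1"))         # None: dropped, accept is off
```

       The last two calls show why "unlbl accept off" and the fallback
       entries belong together: with the flag off, an unlabeled packet that
       matches no static entry is dropped, while one from a configured
       source network is admitted under the fallback label and can then be
       subject to the LSM's normal policy.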
97
       cipsov4

       The CIPSO/IPv4 (cipsov4) module controls the CIPSO/IPv4 labeling engine
       in the kernel. The CIPSO/IPv4 engine provided by NetLabel supports
       multiple Domains Of Interpretation (DOI) and the CIPSO/IPv4 module
       allows for different configurations for each DOI. At present there are
       three types of configurations: the "trans" configuration, which allows
       on-the-fly translation of MLS sensitivity labels; the "pass"
       configuration, which does not perform any translation of the MLS
       sensitivity label; and the "local" configuration, which conveys the
       full LSM security label over localhost/loopback connections. Regardless
       of which configuration type is chosen a DOI value must be specified,
       and if the "trans" or "pass" configurations are specified then a list
       of the CIPSO/IPv4 tag types to use when generating the CIPSO/IPv4
       packet labels must also be specified. The list of CIPSO/IPv4 tags is
       ordered such that, when possible, the first tag type listed is used
       when a CIPSO/IPv4 label is generated. However, if it is not possible to
       use the first tag type then each tag type is checked, in order, until a
       suitable tag type is found. If a valid tag type can not be found then
       the operation causing the CIPSO/IPv4 label will fail; typically this
       occurs whenever a new socket is created. The different commands and
       their syntax are listed below.

       add trans doi:<DOI> tags:<T1>,<Tn> levels:<LL1>=<RL1>,<LLn>=<RLn> categories:<LC1>=<RC1>,<LCn>=<RCn>
              Add a new CIPSO/IPv4 configuration using the standard/translated
              mapping with the given level and category translations. The
              levels are translated in such a way that the local level "LLn"
              is translated to the remote, on-the-wire level of "RLn"; the
              reverse translation is done for incoming packets. The same
              translation is done for the categories using "LCn" and "RCn".
              In order for a packet to be accepted, or a socket created by an
              application, there must be a translation for the sensitivity
              level and all the categories present in the MLS sensitivity
              label; if the entire requested sensitivity label can not be
              translated the application will fail.

       add pass doi:<DOI> tags:<T1>,<Tn>
              Add a new CIPSO/IPv4 configuration without any level or category
              translations.

       add local doi:<DOI>
              Add a new CIPSO/IPv4 configuration for localhost/loopback
              connections.

       del doi:<DOI>
              Delete an existing CIPSO/IPv4 configuration with the given DOI
              value. If any LSM domain mappings are present which make use of
              this DOI they will also be deleted.

       list [doi:<DOI>]
              Display a list of all the CIPSO/IPv4 configurations or just the
              configuration matching the optionally specified DOI.
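
       The "trans" translation rules and the ordered tag search above are
       easiest to see on a concrete label. The following Python is an added
       illustration, not netlabel_tools or kernel code: it applies a DOI's
       level and category tables outbound and inbound, fails the operation
       when any part of the label has no translation, and walks the tag list
       in order. The per-tag capacity rules it uses to decide whether a tag
       "fits" (tag 1 bitmap carries categories 0-239 only; tag 2 enumerated
       carries at most 15 categories; tag 5 ranged carries at most 7
       contiguous ranges) are this model's assumptions about the tag formats,
       not values stated on this page; the DOI 8 configuration is the one
       from the EXAMPLES section.

```python
"""Model of a CIPSO/IPv4 DOI configuration: label translation and tag choice.

Added illustration, not netlabel_tools or kernel code.  Tag capacity rules in
TAG_FITS are this model's assumptions, not values from the man page.
"""


def _ranges(cats):
    """Collapse a category set into contiguous [low, high] runs."""
    runs = []
    for cat in sorted(cats):
        if runs and runs[-1][1] == cat - 1:
            runs[-1][1] = cat
        else:
            runs.append([cat, cat])
    return runs


# tag type -> "this tag can carry these remote categories" (assumed limits)
TAG_FITS = {
    1: lambda cats: all(c <= 239 for c in cats),   # bitmap: one bit per category
    2: lambda cats: len(cats) <= 15,               # enumerated: list of category numbers
    5: lambda cats: len(_ranges(cats)) <= 7,       # ranged: list of category ranges
}


class CipsoDoi:
    """One DOI as created by "cipsov4 add trans|pass|local doi:<DOI> ...".

    levels and categories are {local: remote} tables, i.e. the LLn=RLn and
    LCn=RCn pairs of the trans command; they are ignored for pass."""

    def __init__(self, doi, mode, tags=(), levels=None, categories=None):
        self.doi, self.mode, self.tags = doi, mode, list(tags)
        self.levels = dict(levels or {})
        self.categories = dict(categories or {})
        self.levels_rev = {r: l for l, r in self.levels.items()}
        self.categories_rev = {r: l for l, r in self.categories.items()}
        if mode in ("trans", "pass") and not self.tags:
            raise ValueError("trans and pass configurations need a tag list")
        unknown = [t for t in self.tags if t not in TAG_FITS]
        if unknown:
            raise ValueError(f"unsupported tag types {unknown}")

    def _translate(self, level_table, cat_table, level, cats, direction):
        # every part of the label must translate, otherwise the operation fails
        if level not in level_table:
            raise LookupError(f"DOI {self.doi}: no {direction} translation for level {level}")
        missing = [c for c in cats if c not in cat_table]
        if missing:
            raise LookupError(f"DOI {self.doi}: no {direction} translation for categories {missing}")
        return level_table[level], frozenset(cat_table[c] for c in cats)

    def to_wire(self, level, cats):
        """Local MLS label -> (remote level, remote categories) placed in the packet."""
        if self.mode == "pass":
            return level, frozenset(cats)
        if self.mode != "trans":
            raise ValueError("a local configuration carries the LSM label, not a CIPSO label")
        return self._translate(self.levels, self.categories, level, cats, "outbound")

    def from_wire(self, level, cats):
        """Received (remote level, remote categories) -> local MLS label."""
        if self.mode == "pass":
            return level, frozenset(cats)
        if self.mode != "trans":
            raise ValueError("a local configuration carries the LSM label, not a CIPSO label")
        return self._translate(self.levels_rev, self.categories_rev, level, cats, "inbound")

    def pick_tag(self, remote_cats):
        """First tag in the configured order that can carry the categories."""
        for tag in self.tags:
            if TAG_FITS[tag](remote_cats):
                return tag
        raise LookupError(f"DOI {self.doi}: no configured tag can carry {sorted(remote_cats)}")

    def label_packet(self, level, cats):
        """(doi, tag, remote level, remote categories) for an outgoing packet."""
        remote_level, remote_cats = self.to_wire(level, cats)
        return self.doi, self.pick_tag(remote_cats), remote_level, remote_cats


if __name__ == "__main__":
    # the page's "add trans doi:8 tags:1 levels:0=0,1=1 categories:0=1,1=0"
    doi8 = CipsoDoi(8, "trans", [1], {0: 0, 1: 1}, {0: 1, 1: 0})
    print(doi8.label_packet(1, {0}))   # (8, 1, 1, frozenset({1}))
    print(doi8.from_wire(1, {1}))      # (1, frozenset({0}))
```

       Note that with only "tags:1" a label whose remote categories exceed
       the bitmap's range has no usable tag, and label_packet() fails the way
       the socket creation would; listing a second tag type after it is what
       lets the ordered search recover.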
151
153 Returns zero on success, errno values on failure.
154
156 netlabelctl cipsov4 add pass doi:16 tags:1
157 Add a CIPSO/IPv4 configuration with a DOI value of "16", using
158 CIPSO tag "1" (the permissive bitmap tag). The CIPSO and LSM lev‐
159 els/categories are passed through the NetLabel subsystem without
160 any translation.
161
162 netlabelctl cipsov4 add trans doi:8 tags:1 levels:0=0,1=1 cate‐
163 gories:0=1,1=0
164 Add a CIPSO/IPv4 configuration with a DOI value of "8", using
165 CIPSO tag "1" (the permissive bitmap tag). The specified mapping
166 converts local LSM levels "0" and "1" to CIPSO levels "0" and "1"
167 respectively while local LSM categories "0" and "1" are mapped to
168 CIPSO categories "1" and "0" respectively.
169
170 netlabelctl -p cipsov4 list
171 Display all of the CIPSO/IPv4 configurations in a human readable
172 format.
173
174 netlabelctl -p cipsov4 list doi:16
175 Display specific information about the CIPSO/IPv4 DOI 16 configu‐
176 ration.
177
178 netlabelctl cipsov4 del doi:8
179 Delete the CIPSO/IPv4 configuration assigned to DOI 8. In addi‐
180 tion to removing the CIPSO/IPv4 configuration any domain mappings
181 using this configuration will also be removed.
182
183 netlabelctl map add domain:lsm_domain protocol:cipsov4,8
184 Add a domain mapping so that all outgoing packets sent from the
185 "lsm_domain" will be labeled according to the CIPSO/IPv4 protocol
186 using DOI 8.
187
188 netlabelctl map add domain:lsm_domain address:192.168.1.0/24 proto‐
189 col:cipsov4,8
190 Add a mapping so that all outgoing packets sent from the
191 "lsm_domain" to the 192.168.1.0/24 network will be labeled accord‐
192 ing to the CIPSO/IPv4 protocol using DOI 8.
193
194 netlabelctl -p map list
195 Display all of the domain mappings in a human readable format.
196
197 netlabelctl del domain:lsm_domain
198 Delete the domain mapping for the "lsm_domain", packets sent from
199 the "lsm_domain" will fallback to the default NetLabel mapping.
200
201 netlabelctl unlbl add interface:lo address:::1 label:foo
202 Add a static/fallback label to assign the "foo" security label to
203 unlabeled packets entering the system over the "lo" (loopback)
204 interface with an IPv6 source address of "::1" (localhost).
205
206 netlabelctl unlbl add default address:192.168.0.0/16 label:bar
207 Add a static/fallback label to assign the "bar" security label to
208 unlabeled packets entering the system over any interface with an
209 IPv4 source address in the 192.168.0.0/16 network.
210
212 The NetLabel subsystem is supported on Linux Kernels version 2.6.19 and
213 later. The static, or fallback, labels are only supported on Linux
214 Kernels version 2.6.25 and later. The domain mapping address selectors
215 are only supported on Linux Kernels 2.6.28 and later.
216
217 The NetLabel project site, with more information including the source
218 code repository, can be found at http://netlabel.sf.net. This program
219 is currently under development, please report any bugs at the project
220 site or directly to the author.
221
223 Paul Moore <paul@paul-moore.com>
224
226 netlabel-config(8)
227
228
229
230paul@paul-moore.com 31 May 2013 netlabelctl(8)