netlabelctl(8)               NetLabel Documentation               netlabelctl(8)

NAME
       netlabelctl - NetLabel management utility

SYNOPSIS
       netlabelctl [<global_flags>] <module> [<module_commands>]

DESCRIPTION
       The NetLabel management utility, netlabelctl, is a command line program designed to allow system administrators to configure the NetLabel system in the kernel. The utility is based around different "modules" which correspond to the different types of NetLabel commands supported by the kernel.

   Global Flags
       -h     Help message

       -p     Attempt to make the output human readable or "pretty"

       -t <seconds>
              Set a timeout to be used when waiting for the NetLabel subsystem to respond

       -v     Enable extra output

       -V     Display the version information

   Modules and Commands
     mgmt

       The management module is used to perform general queries about the NetLabel subsystem within the kernel. The different commands and their syntax are listed below.

       version
              Display the kernel's NetLabel management protocol version.

       protocols
              Display the kernel's list of supported labeling protocols.

     map

       The domain mapping module is used to map different NetLabel labeling protocols to either individual LSM domains or the default domain mapping. It is up to each LSM to determine what defines a domain. With SELinux, the normal SELinux domain should be used, e.g. "ping_t". In addition to protocol selection based only on the LSM domain, it is also possible to select the labeling protocol based on both the LSM domain and destination address. The network address selectors can specify either single hosts or entire networks and work for both IPv4 and IPv6, although the labeling protocol chosen must support the IP version chosen. When specifying the labeling protocol to use for each mapping there is an optional "extra" field which is used to further identify the specific labeling protocol configuration. When specifying the unlabeled protocol, "unlbl", an extra value of either "4" or "6" may be used; this restricts the mapping to IPv4 or IPv6 addresses. Omitting the extra value will result in a mapping for all address families. When specifying the CIPSO/IPv4 or the CALIPSO/IPv6 protocol, "cipso" or "calipso", the DOI value should be specified; see the EXAMPLES section for details. The different commands and their syntax are listed below.

       add default|domain:<domain> [address:<ADDR>[/<MASK>]] protocol:<protocol>[,<extra>]
              Add a new LSM domain / network address to NetLabel protocol mapping.

       del default|domain:<domain>
              Delete an existing LSM domain to NetLabel protocol mapping.

       list
              Display all of the configured LSM domain to NetLabel protocol mappings.

     unlbl

       The unlabeled (unlbl) module controls the unlabeled protocol which is used both when labeling outgoing traffic is not desired as well as when unlabeled traffic is received by the system. This module allows administrators to block all unlabeled packets from the system through the "accept" flag and assign static, or fallback, security labels to unlabeled traffic based on the inbound network interface and source address.

       accept on|off
              Toggle the unlabeled traffic accept flag.

       add default|interface:<dev> address:<addr>[/<mask>] label:<label>
              Add a new static/fallback entry.

       del default|interface:<dev> address:<addr>[/<mask>]
              Delete an existing static/fallback entry.

       list
              Display the status of the unlabeled accept flag.

     cipso

       The CIPSO/IPv4 (cipso) module controls the CIPSO/IPv4 labeling engine in the kernel. The CIPSO/IPv4 engine provided by NetLabel supports multiple Domains Of Interpretation (DOI) and the CIPSO/IPv4 module allows for different configurations for each DOI. At present there are three types of configurations: the "trans" configuration which allows on-the-fly translation of MLS sensitivity labels, the "pass" configuration which does not perform any translation of the MLS sensitivity label, and the "local" configuration which conveys the full LSM security label over localhost/loopback connections. Regardless of which configuration type is chosen a DOI value must be specified, and if the "trans" or "pass" configurations are specified then a list of the CIPSO/IPv4 tag types to use when generating the CIPSO/IPv4 packet labels must also be specified. The list of CIPSO/IPv4 tags is ordered such that when possible the first tag type listed is used when a CIPSO/IPv4 label is generated. However, if it is not possible to use the first tag type then each tag type is checked, in order, until a suitable tag type is found. If a valid tag type cannot be found then the operation causing the CIPSO/IPv4 label will fail; typically this occurs whenever a new socket is created. The different commands and their syntax are listed below.

       add trans doi:<DOI> tags:<T1>,<Tn> levels:<LL1>=<RL1>,<LLn>=<RLn> categories:<LC1>=<RC1>,<LCn>=<RCn>
              Add a new CIPSO/IPv4 configuration using the standard/translated mapping with the given level and category translations. The levels are translated in such a way that the local level "LLn" is translated to the remote, on-the-wire level of "RLn"; the reverse translation is done for incoming packets. The same translation is done for the categories using "LCn" and "RCn". In order for a packet to be accepted, or a socket created by an application, there must be a translation for the sensitivity level and all the categories present in the MLS sensitivity label; if the entire requested sensitivity label cannot be translated the application will fail.

       add pass doi:<DOI> tags:<T1>,<Tn>
              Add a new CIPSO/IPv4 configuration without any level or category translations.

       add local doi:<DOI>
              Add a new CIPSO/IPv4 configuration for localhost/loopback connections.

       del doi:<DOI>
              Delete an existing CIPSO/IPv4 configuration with the given DOI value. If any LSM domain mappings are present which make use of this DOI they will also be deleted.

       list [doi:<DOI>]
              Display a list of all the CIPSO/IPv4 configurations or just the configuration matching the optionally specified DOI.

     calipso

       The CALIPSO/IPv6 (calipso) module controls the CALIPSO/IPv6 labeling engine in the kernel. This behaves in a very similar way to the CIPSO/IPv4 engine; however, the protocol only specifies one tag-type (equivalent to CIPSO tag-type 1) and so the tag-type should not be specified. In addition there is no support for the "local" or "trans" configuration. The different commands and their syntax are listed below.

       add pass doi:<DOI>
              Add a new CALIPSO/IPv6 configuration without any level or category translations.

       del doi:<DOI>
              Delete an existing CALIPSO/IPv6 configuration with the given DOI value. If any LSM domain mappings are present which make use of this DOI they will also be deleted.

       list [doi:<DOI>]
              Display a list of all the CALIPSO/IPv6 configurations or just the configuration matching the optionally specified DOI.

RETURN VALUE
       Returns zero on success, errno values on failure.

EXAMPLES
       netlabelctl cipso add pass doi:16 tags:1
              Add a CIPSO/IPv4 configuration with a DOI value of "16", using CIPSO tag "1" (the permissive bitmap tag). The CIPSO and LSM levels/categories are passed through the NetLabel subsystem without any translation.

       netlabelctl cipso add trans doi:8 tags:1 levels:0=0,1=1 categories:0=1,1=0
              Add a CIPSO/IPv4 configuration with a DOI value of "8", using CIPSO tag "1" (the permissive bitmap tag). The specified mapping converts local LSM levels "0" and "1" to CIPSO levels "0" and "1" respectively, while local LSM categories "0" and "1" are mapped to CIPSO categories "1" and "0" respectively.

       netlabelctl -p cipso list
              Display all of the CIPSO/IPv4 configurations in a human readable format.

       netlabelctl -p cipso list doi:16
              Display specific information about the CIPSO/IPv4 DOI 16 configuration.

       netlabelctl cipso del doi:8
              Delete the CIPSO/IPv4 configuration assigned to DOI 8. In addition to removing the CIPSO/IPv4 configuration, any domain mappings using this configuration will also be removed.

       netlabelctl map add domain:lsm_domain protocol:cipso,8
              Add a domain mapping so that all outgoing packets sent from the "lsm_domain" will be labeled according to the CIPSO/IPv4 protocol using DOI 8.

       netlabelctl map add domain:lsm_domain address:192.168.1.0/24 protocol:cipso,8
              Add a mapping so that all outgoing packets sent from the "lsm_domain" to the 192.168.1.0/24 network will be labeled according to the CIPSO/IPv4 protocol using DOI 8.

       netlabelctl -p map list
              Display all of the domain mappings in a human readable format.

       netlabelctl map del domain:lsm_domain
              Delete the domain mapping for the "lsm_domain"; packets sent from the "lsm_domain" will fall back to the default NetLabel mapping.

       netlabelctl unlbl add interface:lo address:::1 label:foo
              Add a static/fallback label to assign the "foo" security label to unlabeled packets entering the system over the "lo" (loopback) interface with an IPv6 source address of "::1" (localhost).

       netlabelctl unlbl add default address:192.168.0.0/16 label:bar
              Add a static/fallback label to assign the "bar" security label to unlabeled packets entering the system over any interface with an IPv4 source address in the 192.168.0.0/16 network.

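       The domain-mapping and fallback-label lookups described for the map and unlbl modules, and exercised by the map and unlbl commands above, modelled in Python as an added example that is not part of netlabelctl or the kernel. The class NetLabelModel is assumed, and so is the precedence it applies (an entry naming the domain or interface beats "default", and a longer address prefix beats a shorter one), which this page does not state.

```python
"""Model of the NetLabel "map" (domain mapping) and "unlbl" (fallback label)
lookups. Added example, not netlabelctl or kernel code. The precedence is an
assumption: a named domain/interface beats "default", a longer prefix beats a shorter one."""
import ipaddress

PROTO_VERSIONS = {"cipso": {4}, "calipso": {6}, "unlbl": {4, 6}}  # IP versions each protocol can label


def _most_specific(candidates):
    """candidates: [(key, value)]; the highest key wins, None if there is no candidate."""
    return max(candidates, key=lambda c: c[0], default=(None, None))[1]


class NetLabelModel:
    def __init__(self):
        self.maps, self.fallbacks = [], []

    def map_add(self, domain=None, protocol="unlbl", extra=None, address=None):
        """map add default|domain:<d> [address:<a>[/<m>]] protocol:<p>[,<extra>]  (domain=None is 'default')"""
        net = ipaddress.ip_network(address, strict=False) if address else None
        if net is not None and net.version not in PROTO_VERSIONS[protocol]:
            raise ValueError(f"{protocol} cannot label IPv{net.version} traffic")
        self.maps.append((domain, net, protocol, extra))

    def select_protocol(self, domain, dst):
        """Labeling protocol (protocol, extra) for a packet sent by LSM domain `domain` to `dst`."""
        dst = ipaddress.ip_address(dst)
        cands = []
        for dom, net, proto, extra in self.maps:
            if dom not in (domain, None) or dst.version not in PROTO_VERSIONS[proto]:
                continue  # wrong domain, or the protocol cannot carry this IP version
            if net is not None and (net.version != dst.version or dst not in net):
                continue  # address selector present but does not match
            if proto == "unlbl" and extra in ("4", "6") and int(extra) != dst.version:
                continue  # unlbl "extra" restricts the mapping to one address family
            cands.append(((dom is not None, net.prefixlen if net else -1), (proto, extra)))
        return _most_specific(cands)

    def unlbl_add(self, interface=None, address=None, label=None):
        """unlbl add default|interface:<dev> address:<addr>[/<mask>] label:<label>"""
        self.fallbacks.append((interface, ipaddress.ip_network(address, strict=False), label))

    def unlbl_label(self, interface, src):
        """Fallback label for an unlabeled packet arriving on `interface` from `src`, or None."""
        src = ipaddress.ip_address(src)
        cands = [((dev is not None, net.prefixlen), label)
                 for dev, net, label in self.fallbacks
                 if dev in (interface, None) and net.version == src.version and src in net]
        return _most_specific(cands)
```
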
NOTES
       The NetLabel subsystem is supported on Linux kernels version 2.6.19 and later. The static, or fallback, labels are only supported on Linux kernels version 2.6.25 and later. The domain mapping address selectors are only supported on Linux kernels 2.6.28 and later, and CALIPSO/RFC5570 is only supported on Linux kernels 4.8.0 and later.

       The NetLabel project site, with more information including the source code repository, can be found at https://github.com/netlabel. Please report any bugs at the project site or directly to the author.

AUTHOR
       Paul Moore <paul@paul-moore.com>

SEE ALSO
       netlabel-config(8)

paul@paul-moore.com                 31 May 2013                    netlabelctl(8)