netlabelctl(8)              NetLabel Documentation              netlabelctl(8)

NAME
       netlabelctl - NetLabel management utility

SYNOPSIS
       netlabelctl [<global_flags>] <module> [<module_commands>]

DESCRIPTION
       The NetLabel management utility, netlabelctl, is a command line program
       designed to allow system administrators to configure the NetLabel
       system in the kernel.  The utility is based around different "modules"
       which correspond to the different types of NetLabel commands supported
       by the kernel.

OPTIONS
   Global Flags
       -h   Help message

       -p   Attempt to make the output human readable or "pretty"

       -t <seconds>
            Set a timeout to be used when waiting for the NetLabel subsystem
            to respond

       -v   Enable extra output

       -V   Display the version information

   Modules and Commands
       mgmt

       The management module is used to perform general queries about the
       NetLabel subsystem within the kernel.  The different commands and their
       syntax are listed below.

       version
              Display the kernel's NetLabel management protocol version.

       protocols
              Display the kernel's list of supported labeling protocols.

       map

       The domain mapping module is used to map different NetLabel labeling
       protocols to either individual LSM domains or the default domain
       mapping.  It is up to each LSM to determine what defines a domain.
       With SELinux, the normal SELinux domain should be used, e.g. "ping_t".
       In addition to protocol selection based only on the LSM domain, it is
       also possible to select the labeling protocol based on both the LSM
       domain and destination address.  The network address selectors can
       specify either single hosts or entire networks and work for both IPv4
       and IPv6, although the labeling protocol chosen must support the IP
       version chosen.  When specifying the labeling protocol to use for each
       mapping there is an optional "extra" field which is used to further
       identify the specific labeling protocol configuration.  When
       specifying the unlabeled protocol, "unlbl", an extra value of either
       "4" or "6" may be used.  This restricts the mapping to IPv4 or IPv6
       addresses.  Omitting the extra value will result in a mapping for all
       address families.  When specifying the CIPSO/IPv4 or the CALIPSO/IPv6
       protocol, "cipso" or "calipso", the DOI value should be specified; see
       the EXAMPLES section for details.  The different commands and their
       syntax are listed below.

       add default|domain:<domain> [address:<ADDR>[/<MASK>]] protocol:<protocol>[,<extra>]
              Add a new LSM domain / network address to NetLabel protocol
              mapping.

       del default|domain:<domain>
              Delete an existing LSM domain to NetLabel protocol mapping.

       list
              Display all of the configured LSM domain to NetLabel protocol
              mappings.

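       The mapping command takes an optional address selector, and the text
       above notes that the labeling protocol chosen must support the IP
       version of that selector.  The shell wrapper below is an added example
       and is not part of netlabelctl or the NetLabel project: it composes a
       "netlabelctl map add" command line and refuses a selection whose
       protocol cannot carry the selector's address family (CIPSO/IPv4 with an
       IPv6 selector, CALIPSO/IPv6 with an IPv4 selector, or "unlbl,4" /
       "unlbl,6" with the other family) before anything reaches the kernel.
       The function names nl_run, nl_addr_family, nl_proto_family and
       nl_map_add, the NL_DRY_RUN variable and the "lsm_domain" name are this
       example's own assumptions.

```shell
#!/bin/sh
# Added example, not netlabelctl's own code: build "netlabelctl map add"
# command lines and refuse a protocol/address-family mismatch up front.
# NL_DRY_RUN=1 prints the command line instead of running it.

# Run netlabelctl, or print the command line when NL_DRY_RUN is set.
nl_run() {
    if [ -n "${NL_DRY_RUN:-}" ]; then
        printf 'netlabelctl %s\n' "$*"
    else
        netlabelctl "$@"
    fi
}

# Classify an address selector (with optional /mask) as IPv4 ("4") or
# IPv6 ("6"); this is a coarse classification, not a full syntax check.
nl_addr_family() {
    case "${1%%/*}" in
        *:*)                          echo 6 ;;
        [0-9]*.[0-9]*.[0-9]*.[0-9]*)  echo 4 ;;
        *)                            return 1 ;;
    esac
}

# Address family a labeling protocol selection can carry: cipso is
# IPv4-only, calipso is IPv6-only, unlbl follows its optional extra
# value (4 or 6) and covers both families when the extra is omitted.
nl_proto_family() {
    case "$1" in
        cipso)   echo 4 ;;
        calipso) echo 6 ;;
        unlbl)
            case "${2:-}" in
                "")  echo any ;;
                4|6) echo "$2" ;;
                *)   return 1 ;;
            esac ;;
        *) return 1 ;;
    esac
}

# nl_map_add <domain|default> <protocol> [extra] [address[/mask]]
nl_map_add() {
    dom=$1; proto=$2; extra=${3:-}; addr=${4:-}
    pfam=$(nl_proto_family "$proto" "$extra") || {
        echo "unknown protocol selection: $proto,$extra" >&2; return 1; }
    sel=
    if [ -n "$addr" ]; then
        afam=$(nl_addr_family "$addr") || {
            echo "unrecognised address selector: $addr" >&2; return 1; }
        if [ "$pfam" != any ] && [ "$pfam" != "$afam" ]; then
            echo "$proto carries IPv$pfam only; selector $addr is IPv$afam" >&2
            return 1
        fi
        sel="address:$addr"
    fi
    case "$dom" in
        default) target=default ;;
        *)       target="domain:$dom" ;;
    esac
    set -- map add "$target"
    if [ -n "$sel" ]; then set -- "$@" "$sel"; fi
    set -- "$@" "protocol:$proto${extra:+,$extra}"
    nl_run "$@"
}

# Usage (mirrors the EXAMPLES section; "lsm_domain" is a constructed name):
#   NL_DRY_RUN=1 nl_map_add lsm_domain cipso 8 192.168.1.0/24
```

       A default mapping is selected by passing "default" as the first
       argument; the wrapper only adds the address: field when a selector is
       given, so an omitted selector still produces a domain-wide mapping.
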
       unlbl

       The unlabeled (unlbl) module controls the unlabeled protocol which is
       used both when labeling outgoing traffic is not desired as well as when
       unlabeled traffic is received by the system.  This module allows
       administrators to block all unlabeled packets from the system through
       the "accept" flag and assign static, or fallback, security labels to
       unlabeled traffic based on the inbound network interface and source
       address.

       accept on|off
              Toggle the unlabeled traffic accept flag.

       add default|interface:<dev> address:<addr>[/<mask>] label:<label>
              Add a new static/fallback entry.

       del default|interface:<dev> address:<addr>[/<mask>]
              Delete an existing static/fallback entry.

       list
              Display the status of the unlabeled accept flag.

       cipso

       The CIPSO/IPv4 (cipso) module controls the CIPSO/IPv4 labeling engine
       in the kernel.  The CIPSO/IPv4 engine provided by NetLabel supports
       multiple Domains Of Interpretation (DOI) and the CIPSO/IPv4 module
       allows for different configurations for each DOI.  At present there are
       three types of configurations: the "trans" configuration which allows
       on-the-fly translation of MLS sensitivity labels, the "pass"
       configuration which does not perform any translation of the MLS
       sensitivity label, and the "local" configuration which conveys the full
       LSM security label over localhost/loopback connections.  Regardless of
       which configuration type is chosen a DOI value must be specified, and
       if the "trans" or "pass" configurations are specified then a list of
       the CIPSO/IPv4 tag types to use when generating the CIPSO/IPv4 packet
       labels must also be specified.  The list of CIPSO/IPv4 tags is ordered
       such that when possible the first tag type listed is used when a
       CIPSO/IPv4 label is generated.  However, if it is not possible to use
       the first tag type then each tag type is checked, in order, until a
       suitable tag type is found.  If a valid tag type cannot be found then
       the operation causing the CIPSO/IPv4 label will fail; typically this
       occurs whenever a new socket is created.  The different commands and
       their syntax are listed below.

       add trans doi:<DOI> tags:<T1>,<Tn> levels:<LL1>=<RL1>,<LLn>=<RLn> categories:<LC1>=<RC1>,<LCn>=<RCn>
              Add a new CIPSO/IPv4 configuration using the standard/translated
              mapping with the given level and category translations.  The
              levels are translated in such a way that the local level "LLn"
              is translated to the remote, on-the-wire level of "RLn"; the
              reverse translation is done for incoming packets.  The same
              translation is done for the categories using "LCn" and "RCn".
              In order for a packet to be accepted, or a socket created by an
              application, there must be a translation for the sensitivity
              level and all the categories present in the MLS sensitivity
              label; if the entire requested sensitivity label cannot be
              translated the application will fail.

       add pass doi:<DOI> tags:<T1>,<Tn>
              Add a new CIPSO/IPv4 configuration without any level or category
              translations.

       add local doi:<DOI>
              Add a new CIPSO/IPv4 configuration for localhost/loopback
              connections.

       del doi:<DOI>
              Delete an existing CIPSO/IPv4 configuration with the given DOI
              value.  If any LSM domain mappings are present which make use of
              this DOI they will also be deleted.

       list [doi:<DOI>]
              Display a list of all the CIPSO/IPv4 configurations or just the
              configuration matching the optionally specified DOI.

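       The shell functions below are an added example, not code from the
       NetLabel project.  They compose the three "cipso add" forms described
       above and check the arguments before the command is issued: the DOI
       and every tag type must be unsigned integers, the tag list is kept in
       the order given (the first tag listed is the preferred one), and each
       "levels" and "categories" list must consist of well-formed
       local=remote pairs in which no local value appears twice, since a
       local value can only translate to one on-the-wire value.  The function
       names nl_run, nl_is_uint, nl_check_pairs and nl_cipso_add and the
       NL_DRY_RUN variable are this example's own assumptions.  For
       CALIPSO/IPv6 only the "pass doi:<DOI>" form applies and no tag list is
       given, so the wrapper is written for the cipso module only.

```shell
#!/bin/sh
# Added example, not netlabelctl's own code: compose the three
# "netlabelctl cipso add" forms and validate their arguments first.
# NL_DRY_RUN=1 prints the command line instead of running it.

# Run netlabelctl, or print the command line when NL_DRY_RUN is set.
nl_run() {
    if [ -n "${NL_DRY_RUN:-}" ]; then
        printf 'netlabelctl %s\n' "$*"
    else
        netlabelctl "$@"
    fi
}

# True when $1 is an unsigned decimal integer.
nl_is_uint() {
    case "$1" in
        ""|*[!0-9]*) return 1 ;;
        *)           return 0 ;;
    esac
}

# Validate a "local=remote,local=remote" list: both sides of every pair
# must be unsigned integers, and a local value may appear only once,
# because one local value can only translate to a single wire value.
nl_check_pairs() {
    list=$1; seen=,
    IFS=,; set -- $list; unset IFS
    [ $# -gt 0 ] || return 1
    for pair in "$@"; do
        l=${pair%%=*}; r=${pair#*=}
        [ "$pair" != "$l" ] && nl_is_uint "$l" && nl_is_uint "$r" || return 1
        case "$seen" in *,"$l",*) return 1 ;; esac
        seen="$seen$l,"
    done
}

# nl_cipso_add trans <doi> <tags> <levels> <categories>
# nl_cipso_add pass  <doi> <tags>
# nl_cipso_add local <doi>
# The tag list is passed through in the order given: the first tag
# listed is the one the kernel tries first when generating a label.
nl_cipso_add() {
    kind=$1; doi=${2:-}
    nl_is_uint "$doi" || { echo "DOI must be an unsigned integer: $doi" >&2; return 1; }
    case "$kind" in
        local)
            nl_run cipso add local "doi:$doi" ;;
        pass|trans)
            tags=${3:-}
            case ",$tags," in
                ",,"|*",,"*|*[!0-9,]*) echo "bad tag list: $tags" >&2; return 1 ;;
            esac
            if [ "$kind" = pass ]; then
                nl_run cipso add pass "doi:$doi" "tags:$tags"
            else
                nl_check_pairs "${4:-}" || { echo "bad levels: ${4:-}" >&2; return 1; }
                nl_check_pairs "${5:-}" || { echo "bad categories: ${5:-}" >&2; return 1; }
                nl_run cipso add trans "doi:$doi" "tags:$tags" "levels:$4" "categories:$5"
            fi ;;
        *)
            echo "unknown configuration type: $kind" >&2; return 1 ;;
    esac
}

# Usage (the trans example from the EXAMPLES section, printed, not applied):
#   NL_DRY_RUN=1 nl_cipso_add trans 8 1 0=0,1=1 0=1,1=0
```

       Because "del doi:<DOI>" also removes every domain mapping that uses the
       DOI, a deployment script should add the cipso configuration first and
       the "map add ... protocol:cipso,<DOI>" entries afterwards, and should
       list the mappings before deleting a DOI so that the cascade is not a
       surprise.
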
       calipso

       The CALIPSO/IPv6 (calipso) module controls the CALIPSO/IPv6 labeling
       engine in the kernel.  This behaves in a very similar way to the
       CIPSO/IPv4 engine, however the protocol only specifies one tag-type
       (equivalent to CIPSO tag-type 1) and so the tag-type should not be
       specified.  In addition there is no support for the "local" or "trans"
       configuration.  The different commands and their syntax are listed
       below.

       add pass doi:<DOI>
              Add a new CALIPSO/IPv6 configuration without any level or
              category translations.

       del doi:<DOI>
              Delete an existing CALIPSO/IPv6 configuration with the given DOI
              value.  If any LSM domain mappings are present which make use of
              this DOI they will also be deleted.

       list [doi:<DOI>]
              Display a list of all the CALIPSO/IPv6 configurations or just
              the configuration matching the optionally specified DOI.

EXIT STATUS
       Returns zero on success, errno values on failure.

EXAMPLES
       netlabelctl cipso add pass doi:16 tags:1
            Add a CIPSO/IPv4 configuration with a DOI value of "16", using
            CIPSO tag "1" (the permissive bitmap tag).  The CIPSO and LSM
            levels/categories are passed through the NetLabel subsystem
            without any translation.

       netlabelctl cipso add trans doi:8 tags:1 levels:0=0,1=1 categories:0=1,1=0
            Add a CIPSO/IPv4 configuration with a DOI value of "8", using
            CIPSO tag "1" (the permissive bitmap tag).  The specified mapping
            converts local LSM levels "0" and "1" to CIPSO levels "0" and "1"
            respectively while local LSM categories "0" and "1" are mapped to
            CIPSO categories "1" and "0" respectively.

       netlabelctl -p cipso list
            Display all of the CIPSO/IPv4 configurations in a human readable
            format.

       netlabelctl -p cipso list doi:16
            Display specific information about the CIPSO/IPv4 DOI 16
            configuration.

       netlabelctl cipso del doi:8
            Delete the CIPSO/IPv4 configuration assigned to DOI 8.  In
            addition to removing the CIPSO/IPv4 configuration any domain
            mappings using this configuration will also be removed.

       netlabelctl map add domain:lsm_domain protocol:cipso,8
            Add a domain mapping so that all outgoing packets sent from the
            "lsm_domain" will be labeled according to the CIPSO/IPv4 protocol
            using DOI 8.

       netlabelctl map add domain:lsm_domain address:192.168.1.0/24 protocol:cipso,8
            Add a mapping so that all outgoing packets sent from the
            "lsm_domain" to the 192.168.1.0/24 network will be labeled
            according to the CIPSO/IPv4 protocol using DOI 8.

       netlabelctl -p map list
            Display all of the domain mappings in a human readable format.

       netlabelctl map del domain:lsm_domain
            Delete the domain mapping for the "lsm_domain"; packets sent from
            the "lsm_domain" will fall back to the default NetLabel mapping.

       netlabelctl unlbl add interface:lo address:::1 label:foo
            Add a static/fallback label to assign the "foo" security label to
            unlabeled packets entering the system over the "lo" (loopback)
            interface with an IPv6 source address of "::1" (localhost).

       netlabelctl unlbl add default address:192.168.0.0/16 label:bar
            Add a static/fallback label to assign the "bar" security label to
            unlabeled packets entering the system over any interface with an
            IPv4 source address in the 192.168.0.0/16 network.

NOTES
       The NetLabel subsystem is supported on Linux Kernels version 2.6.19 and
       later.  The static, or fallback, labels are only supported on Linux
       Kernels version 2.6.25 and later.  The domain mapping address selectors
       are only supported on Linux Kernels 2.6.28 and later and
       CALIPSO/RFC5570 is only supported on Linux Kernels 4.8.0 and later.

       The NetLabel project site, with more information including the source
       code repository, can be found at https://github.com/netlabel.  Please
       report any bugs at the project site or directly to the author.

AUTHOR
       Paul Moore <paul@paul-moore.com>

SEE ALSO
       netlabel-config(8)



paul@paul-moore.com               31 May 2013                   netlabelctl(8)