.TH "netlabelctl" 8 "31 May 2013" "paul@paul-moore.com" "NetLabel Documentation"
.\" //////////////////////////////////////////////////////////////////////////
.SH NAME
.\" //////////////////////////////////////////////////////////////////////////
netlabelctl \- NetLabel management utility
.\" //////////////////////////////////////////////////////////////////////////
.SH SYNOPSIS
.\" //////////////////////////////////////////////////////////////////////////
.B netlabelctl
[<global_flags>] <module> [<module_commands>]
.\" //////////////////////////////////////////////////////////////////////////
.SH DESCRIPTION
.\" //////////////////////////////////////////////////////////////////////////
.P
The NetLabel management utility, netlabelctl, is a command line program
designed to allow system administrators to configure the NetLabel system in the
kernel. The utility is based around different "modules" which correspond to
the different types of NetLabel commands supported by the kernel.
.\" //////////////////////////////////////////////////////////////////////////
.SH OPTIONS
.\" //////////////////////////////////////////////////////////////////////////
.SS Global Flags
.TP 5
.B \-h
Display the help message
.TP 5
.B \-p
Attempt to make the output human readable or "pretty"
.TP 5
.B \-t <seconds>
Set a timeout, in seconds, to be used when waiting for the NetLabel subsystem
to respond
.TP 5
.B \-v
Enable extra output
.TP 5
.B \-V
Display the version information
.\" //////////////////////////////////////////////////////////////////////////
.SS Modules and Commands
.TP 5
.B mgmt
.P
The management module is used to perform general queries about the NetLabel
subsystem within the kernel. The different commands and their syntax are
listed below.
.HP
.I version
.br
Display the kernel's NetLabel management protocol version.
.HP
.I protocols
.br
Display the kernel's list of supported labeling protocols.
.TP 5
.B map
.P
The domain mapping module is used to map different NetLabel labeling protocols
to either individual LSM domains or the default domain mapping. It is up to
each LSM to determine what defines a domain. With SELinux, the normal SELinux
domain should be used, e.g. "ping_t". In addition to protocol selection based
only on the LSM domain, it is also possible to select the labeling protocol
based on both the LSM domain and destination address. The network address
selectors can specify either single hosts or entire networks and work for both
IPv4 and IPv6, although the labeling protocol chosen must support the IP
version chosen. When specifying the labeling protocol to use for each mapping
there is an optional "extra" field which is used to further identify the
specific labeling protocol configuration. When specifying the unlabeled
protocol, "unlbl", an extra value of either "4" or "6" may be used. This
restricts the mapping to IPv4 or IPv6 addresses. Omitting the extra value will
result in a mapping for all address families. When specifying the CIPSO/IPv4
or the CALIPSO/IPv6 protocol, "cipso" or "calipso", the DOI value must be
specified as the extra value; see the EXAMPLES section for details. The
different commands and their syntax are listed below.
.HP
.I add default|domain:<domain> [address:<ADDR>[/<MASK>]] protocol:<protocol>[,<extra>]
.br
Add a new LSM domain / network address to NetLabel protocol mapping.
.HP
.I del default|domain:<domain>
.br
Delete an existing LSM domain to NetLabel protocol mapping.
.HP
.I list
.br
Display all of the configured LSM domain to NetLabel protocol mappings.
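.P
The following added example (illustration code written for this page, not
netlabelctl or kernel code) models the selection rules described above: a
domain's own entry is used in preference to the default mapping, the longest
matching address selector within an entry wins, and a protocol is only accepted
for selectors of an IP version it supports ("cipso" for IPv4, "calipso" for
IPv6, "unlbl" for both unless restricted by an extra value of 4 or 6). The
MapTable class, its method names and the sample mappings are this example's
own; its handling of a domain whose selectors do not cover the destination
(returning None rather than falling back to the default mapping) is modelled on
the kernel's lookup and is not stated on this page.

```python
"""NetLabel domain-mapping selection, modelled from the 'map' module syntax
(added example for this page; not code from netlabelctl or the kernel)."""
import ipaddress
from typing import Dict, List, Optional, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
# (address selector or None, protocol, extra value, address family or None)
Entry = Tuple[Optional[Net], str, Optional[str], Optional[int]]

# Family each labeling protocol can serve; None means both IPv4 and IPv6.
PROTO_FAMILY = {"cipso": 4, "calipso": 6, "unlbl": None}


class MapTable:
    """Hypothetical in-memory model of the kernel's domain mapping table."""

    def __init__(self) -> None:
        # key None holds the 'default' mapping, otherwise the LSM domain name
        self.entries: Dict[Optional[str], List[Entry]] = {}

    def add(self, spec: str) -> None:
        """Parse one 'map add' argument string, e.g.
        'domain:lsm_domain address:192.168.1.0/24 protocol:cipso,8',
        and store it; raise ValueError for an invalid mapping."""
        domain: Optional[str] = None
        net: Optional[Net] = None
        proto, extra = "", None
        for tok in spec.split():
            key, _, val = tok.partition(":")
            if tok == "default":
                domain = None
            elif key == "domain":
                domain = val
            elif key == "address":
                net = ipaddress.ip_network(val, strict=False)
            elif key == "protocol":
                proto, _, extra = val.partition(",")
                extra = extra or None
            else:
                raise ValueError(f"unknown token {tok!r}")
        if proto not in PROTO_FAMILY:
            raise ValueError(f"unknown protocol {proto!r}")
        family = PROTO_FAMILY[proto]
        if proto == "unlbl":
            if extra is not None:
                if extra not in ("4", "6"):
                    raise ValueError("unlbl extra value must be 4 or 6")
                family = int(extra)           # restrict unlbl to one family
        elif extra is None:
            raise ValueError(f"{proto} mapping needs a DOI as the extra value")
        if net is not None and family is not None and net.version != family:
            raise ValueError(f"{proto} cannot label IPv{net.version} destinations")
        self.entries.setdefault(domain, []).append((net, proto, extra, family))

    def lookup(self, domain: str, dst: str) -> Optional[Tuple[str, Optional[str]]]:
        """Return the (protocol, extra) pair used for traffic from 'domain'
        to destination 'dst', or None when no mapping covers it."""
        addr = ipaddress.ip_address(dst)
        # The domain's own entry is used when present; 'default' only otherwise.
        ents = self.entries.get(domain)
        if ents is None:
            ents = self.entries.get(None, [])
        best, best_len = None, -2
        for net, proto, extra, family in ents:
            if family is not None and family != addr.version:
                continue
            if net is None:
                plen = -1                     # selector-less entry: matches anything
            elif net.version == addr.version and addr in net:
                plen = net.prefixlen          # longest prefix wins
            else:
                continue
            if plen > best_len:
                best, best_len = (proto, extra), plen
        return best


def demo() -> Dict[str, Optional[Tuple[str, Optional[str]]]]:
    """Constructed mappings (the page's lsm_domain examples plus hypothetical
    extra entries) resolved for a few destinations."""
    t = MapTable()
    t.add("default protocol:unlbl")
    t.add("domain:lsm_domain address:192.168.1.0/24 protocol:cipso,8")
    t.add("domain:lsm_domain address:192.168.0.0/16 protocol:cipso,16")
    t.add("domain:lsm_domain address:0.0.0.0/0 protocol:unlbl,4")
    t.add("domain:other_t protocol:cipso,16")
    return {
        "lsm_domain->192.168.1.7": t.lookup("lsm_domain", "192.168.1.7"),
        "lsm_domain->192.168.9.1": t.lookup("lsm_domain", "192.168.9.1"),
        "lsm_domain->10.0.0.1": t.lookup("lsm_domain", "10.0.0.1"),
        "lsm_domain->2001:db8::1": t.lookup("lsm_domain", "2001:db8::1"),
        "ping_t->10.0.0.1": t.lookup("ping_t", "10.0.0.1"),
        "other_t->2001:db8::1": t.lookup("other_t", "2001:db8::1"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:26} -> {v}")
```

Note the two rejections the family rule produces: a "cipso" mapping with an IPv6
selector is refused at add time, and an "other_t" domain mapped only to "cipso"
resolves to no protocol at all for an IPv6 destination, because CIPSO cannot
carry an IPv6 label.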
.TP 5
.B unlbl
.P
The unlabeled (unlbl) module controls the unlabeled protocol, which is used both
when labeling outgoing traffic is not desired and when unlabeled traffic is
received by the system. This module allows administrators to block all
unlabeled packets from the system through the "accept" flag and to assign
static, or fallback, security labels to unlabeled traffic based on the inbound
network interface and source address. The accept flag governs only unlabeled
packets that match no static/fallback entry; a packet that matches an entry is
assigned that entry's label whether the flag is on or off.
.HP
.I accept on|off
.br
Toggle the unlabeled traffic accept flag.
.HP
.I add default|interface:<dev> address:<addr>[/<mask>] label:<label>
.br
Add a new static/fallback entry.
.HP
.I del default|interface:<dev> address:<addr>[/<mask>]
.br
Delete an existing static/fallback entry.
.HP
.I list
.br
Display the status of the unlabeled accept flag and the configured
static/fallback entries.
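.P
The following added example (illustration code written for this page, not
netlabelctl or kernel code) models how an inbound unlabeled packet is handled
under the "accept" flag and the static/fallback entries described above. The
UnlabeledPolicy class and its method names are this example's own, as is the
constructed extra entry in demo(); the lookup order it assumes (the inbound
interface's own entries if any exist, otherwise the default entries, with the
longest matching source prefix winning and a matching entry applying whether
the accept flag is on or off) follows the kernel's unlabeled lookup rather than
text on this page.

```python
"""Inbound handling of unlabeled packets, modelled from the 'unlbl' module
(added example for this page; not code from netlabelctl or the kernel)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class UnlabeledPolicy:
    """Hypothetical model of the accept flag plus static/fallback label tables."""
    accept: bool = True                       # 'unlbl accept on|off'
    # key None is the 'default' table; each table holds (source prefix, label)
    tables: Dict[Optional[str], List[Tuple[Net, str]]] = field(default_factory=dict)

    def add(self, spec: str) -> None:
        """Parse one 'unlbl add' argument string, e.g.
        'interface:lo address:::1 label:foo', and store the entry."""
        iface: Optional[str] = None
        net: Optional[Net] = None
        label: Optional[str] = None
        for tok in spec.split():
            key, _, val = tok.partition(":")
            if tok == "default":
                iface = None
            elif key == "interface":
                iface = val
            elif key == "address":
                net = ipaddress.ip_network(val, strict=False)
            elif key == "label":
                label = val
            else:
                raise ValueError(f"unknown token {tok!r}")
        if net is None or label is None:
            raise ValueError("address: and label: are both required")
        self.tables.setdefault(iface, []).append((net, label))

    def classify(self, iface: str, src: str) -> Tuple[str, Optional[str]]:
        """Decide what happens to an unlabeled packet arriving on 'iface' from
        'src': ('static', label) when a fallback entry matches, otherwise
        ('unlabeled', None) if accept is on or ('reject', None) if it is off."""
        addr = ipaddress.ip_address(src)
        # Modelled lookup order: the interface's own table if it has one,
        # else the 'default' table (no fallback from one to the other).
        table = self.tables.get(iface)
        if table is None:
            table = self.tables.get(None, [])
        best: Optional[Tuple[int, str]] = None
        for net, label in table:
            if net.version == addr.version and addr in net:
                if best is None or net.prefixlen > best[0]:
                    best = (net.prefixlen, label)   # longest source prefix wins
        if best is not None:
            return ("static", best[1])            # applies regardless of accept
        return ("unlabeled", None) if self.accept else ("reject", None)


def demo() -> Dict[str, Tuple[str, Optional[str]]]:
    """The page's two 'unlbl add' examples plus a constructed, more specific
    default entry, evaluated with the accept flag off and then on."""
    p = UnlabeledPolicy(accept=False)                    # 'unlbl accept off'
    p.add("interface:lo address:::1 label:foo")
    p.add("default address:192.168.0.0/16 label:bar")
    p.add("default address:192.168.1.0/24 label:baz")     # constructed entry
    out = {
        "off lo/::1": p.classify("lo", "::1"),
        "off eth0/192.168.1.10": p.classify("eth0", "192.168.1.10"),
        "off eth0/192.168.7.1": p.classify("eth0", "192.168.7.1"),
        "off eth0/10.1.1.1": p.classify("eth0", "10.1.1.1"),
        "off lo/127.0.0.1": p.classify("lo", "127.0.0.1"),
    }
    p.accept = True                                      # 'unlbl accept on'
    out["on eth0/10.1.1.1"] = p.classify("eth0", "10.1.1.1")
    out["on lo/127.0.0.1"] = p.classify("lo", "127.0.0.1")
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:24} -> {v}")
```

The "lo/127.0.0.1" case is the one to watch when auditing a configuration: the
"lo" table exists but only covers "::1", so IPv4 loopback traffic is not
matched by the default entries and is governed solely by the accept flag.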
.TP 5
.B cipso
.P
The CIPSO/IPv4 (cipso) module controls the CIPSO/IPv4 labeling engine in the
kernel. The CIPSO/IPv4 engine provided by NetLabel supports multiple Domains
Of Interpretation (DOI) and the CIPSO/IPv4 module allows for different
configurations for each DOI. At present there are three types of
configurations: the "trans" configuration, which allows on\-the\-fly translation
of MLS sensitivity labels; the "pass" configuration, which does not perform any
translation of the MLS sensitivity label; and the "local" configuration, which
conveys the full LSM security label over localhost/loopback connections.
Regardless of which configuration type is chosen a DOI value must be specified,
and if the "trans" or "pass" configurations are specified then a list of the
CIPSO/IPv4 tag types to use when generating the CIPSO/IPv4 packet labels must
also be specified. The list of CIPSO/IPv4 tags is ordered such that, when
possible, the first tag type listed is used when a CIPSO/IPv4 label is generated.
If it is not possible to use the first tag type then each tag type is
checked, in order, until a suitable tag type is found. If a valid tag type
cannot be found then the operation that would generate the CIPSO/IPv4 label
fails; typically this happens when a new socket is created. The different
commands and their syntax are listed below.
.HP
.I add trans doi:<DOI> tags:<T1>,<Tn> levels:<LL1>=<RL1>,<LLn>=<RLn> categories:<LC1>=<RC1>,<LCn>=<RCn>
.br
Add a new CIPSO/IPv4 configuration using the standard/translated mapping with
the given level and category translations. The levels are translated in such a
way that the local level "LLn" is translated to the remote, on\-the\-wire level
"RLn"; the reverse translation is done for incoming packets. The same
translation is done for the categories using "LCn" and "RCn". In order for a
packet to be accepted, or a socket created by an application, there must be a
translation for the sensitivity level and all the categories present in the MLS
sensitivity label; if the entire requested sensitivity label cannot be
translated the operation fails.
.HP
.I add pass doi:<DOI> tags:<T1>,<Tn>
.br
Add a new CIPSO/IPv4 configuration without any level or category translations.
.HP
.I add local doi:<DOI>
.br
Add a new CIPSO/IPv4 configuration for localhost/loopback connections.
.HP
.I del doi:<DOI>
.br
Delete an existing CIPSO/IPv4 configuration with the given DOI value. If any
LSM domain mappings are present which make use of this DOI they will also be
deleted.
.HP
.I list [doi:<DOI>]
.br
Display a list of all the CIPSO/IPv4 configurations or just the configuration
matching the optionally specified DOI.
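.P
The following added example (illustration code written for this page, not part
of netlabelctl or the kernel) builds and parses the CIPSO/IPv4 option that
results from a "trans" or "pass" configuration using tag type 1, the bitmapped
tag used in the EXAMPLES section. It applies the level and category
translations in the outbound direction, reverses them for an inbound option,
and raises LabelTranslationError where the text above says the kernel fails the
operation: when a level or a category has no translation. The class and
function names are this example's own, and the option layout in the code
comments (option type 134, a tag length that counts its two header octets,
category 0 in the most significant bit of the first bitmap octet) is taken from
the CIPSO tag type 1 definition as implemented by Linux, not from this page.

```python
"""CIPSO/IPv4 option construction for a 'trans' or 'pass' DOI configuration,
using tag type 1 (added example for this page; not netlabelctl or kernel code).

Option layout:  0x86 | opt len | DOI (4 octets, big-endian) | tag type 0x01 |
                tag len | 0x00 alignment | sensitivity level | category bitmap
In the bitmap, category n is bit n counting from the most significant bit of
the first octet; tag type 1 carries at most 30 bitmap octets (categories 0-239)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

CIPSO_OPT_TYPE = 0x86      # IPv4 option number for CIPSO
TAG1_MAX_CATS = 240        # 30 octets * 8 bits


class LabelTranslationError(ValueError):
    """The MLS label has no complete translation for this DOI; the page notes
    that the kernel then fails the operation (typically socket creation)."""


@dataclass
class CipsoDoi:
    doi: int
    levels: Optional[Dict[int, int]] = None      # local -> wire; None = pass-through
    categories: Optional[Dict[int, int]] = None  # local -> wire; None = pass-through

    @classmethod
    def from_args(cls, spec: str) -> "CipsoDoi":
        """Parse the arguments of 'cipso add trans|pass doi:<DOI> tags:1 ...'."""
        kind, *rest = spec.split()
        kv = dict(t.split(":", 1) for t in rest)
        if kind not in ("trans", "pass") or kv.get("tags") != "1":
            raise ValueError("only trans/pass with tags:1 are modelled here")
        doi = int(kv["doi"])
        if kind == "pass":
            return cls(doi)
        return cls(doi, _parse_pairs(kv["levels"]), _parse_pairs(kv.get("categories", "")))

    def to_wire(self, level: int, cats: Iterable[int]) -> Tuple[int, List[int]]:
        """Local MLS level/categories -> on-the-wire values (outbound)."""
        return (_translate(self.levels, level, "level"),
                sorted(_translate(self.categories, c, "category") for c in cats))

    def to_local(self, level: int, cats: Iterable[int]) -> Tuple[int, List[int]]:
        """Reverse translation for an inbound packet (assumes one-to-one maps)."""
        rl = None if self.levels is None else {w: l for l, w in self.levels.items()}
        rc = None if self.categories is None else {w: l for l, w in self.categories.items()}
        return (_translate(rl, level, "level"),
                sorted(_translate(rc, c, "category") for c in cats))


def _parse_pairs(s: str) -> Dict[int, int]:
    """'0=0,1=1' -> {0: 0, 1: 1}; empty string -> {} (nothing translatable)."""
    return {int(a): int(b) for a, b in (p.split("=") for p in s.split(",") if p)}


def _translate(table: Optional[Dict[int, int]], value: int, what: str) -> int:
    if table is None:
        return value
    if value not in table:
        raise LabelTranslationError(f"no translation for {what} {value}")
    return table[value]


def encode_tag1(cfg: CipsoDoi, level: int, cats: Iterable[int]) -> bytes:
    """Build the on-the-wire CIPSO option for a local MLS level and category set."""
    wire_level, wire_cats = cfg.to_wire(level, cats)
    if not 0 <= wire_level <= 255:
        raise ValueError("CIPSO sensitivity level must fit in one octet")
    bitmap = bytearray()
    if wire_cats:
        if wire_cats[-1] >= TAG1_MAX_CATS:
            raise ValueError("category too large for a tag type 1 bitmap")
        bitmap = bytearray(wire_cats[-1] // 8 + 1)
        for c in wire_cats:
            bitmap[c // 8] |= 0x80 >> (c % 8)    # category 0 is the MSB of octet 0
    tag = bytes([0x01, 4 + len(bitmap), 0x00, wire_level]) + bytes(bitmap)
    return bytes([CIPSO_OPT_TYPE, 6 + len(tag)]) + cfg.doi.to_bytes(4, "big") + tag


def decode_tag1(cfg: CipsoDoi, opt: bytes) -> Tuple[int, List[int]]:
    """Parse an option holding one tag type 1 and translate it to local values."""
    if (len(opt) < 10 or opt[0] != CIPSO_OPT_TYPE or opt[1] != len(opt)
            or opt[6] != 0x01 or opt[7] != len(opt) - 6 or opt[8] != 0x00):
        raise ValueError("malformed CIPSO tag type 1 option")
    if int.from_bytes(opt[2:6], "big") != cfg.doi:
        raise ValueError("option DOI does not match this configuration")
    wire_cats = [i * 8 + b for i, octet in enumerate(opt[10:])
                 for b in range(8) if octet & (0x80 >> b)]
    return cfg.to_local(opt[9], wire_cats)


if __name__ == "__main__":
    trans = CipsoDoi.from_args("trans doi:8 tags:1 levels:0=0,1=1 categories:0=1,1=0")
    print(encode_tag1(trans, 1, [0]).hex())      # local (1, {0}) -> wire (1, {1})
```

Because the DOI, level and category bitmap travel in the clear in the IP header,
the "trans" mapping is what keeps local level and category numbering from being
exposed to the peer; with the page's DOI 8 configuration, a request for local
level 2 or local category 2 has no translation and the encoder fails instead of
emitting an untranslated value.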
.TP 5
.B calipso
.P
The CALIPSO/IPv6 (calipso) module controls the CALIPSO/IPv6 labeling engine in the
kernel. This behaves in a very similar way to the CIPSO/IPv4 engine; however, the
protocol only specifies one tag-type (equivalent to CIPSO tag-type 1) and so the
tag-type should not be specified. In addition there is no support for the "local"
or "trans" configuration. The different commands and their syntax are listed below.
.HP
.I add pass doi:<DOI>
.br
Add a new CALIPSO/IPv6 configuration without any level or category translations.
.HP
.I del doi:<DOI>
.br
Delete an existing CALIPSO/IPv6 configuration with the given DOI value. If any
LSM domain mappings are present which make use of this DOI they will also be
deleted.
.HP
.I list [doi:<DOI>]
.br
Display a list of all the CALIPSO/IPv6 configurations or just the configuration
matching the optionally specified DOI.
.\" //////////////////////////////////////////////////////////////////////////
.SH EXIT STATUS
.\" //////////////////////////////////////////////////////////////////////////
Returns zero on success and an errno value on failure.
.\" //////////////////////////////////////////////////////////////////////////
.SH "EXAMPLES"
.\" //////////////////////////////////////////////////////////////////////////
.TP 5
.I netlabelctl cipso add pass doi:16 tags:1
.br
Add a CIPSO/IPv4 configuration with a DOI value of "16", using CIPSO tag "1"
(the permissive bitmap tag). The CIPSO and LSM levels/categories are passed
through the NetLabel subsystem without any translation.
.HP
.I netlabelctl cipso add trans doi:8 tags:1 levels:0=0,1=1 categories:0=1,1=0
.br
Add a CIPSO/IPv4 configuration with a DOI value of "8", using CIPSO tag "1"
(the permissive bitmap tag). The specified mapping converts local LSM levels
"0" and "1" to CIPSO levels "0" and "1" respectively, while local LSM categories
"0" and "1" are mapped to CIPSO categories "1" and "0" respectively.
.HP
.I netlabelctl \-p cipso list
.br
Display all of the CIPSO/IPv4 configurations in a human readable format.
.HP
.I netlabelctl \-p cipso list doi:16
.br
Display specific information about the CIPSO/IPv4 DOI 16 configuration.
.HP
.I netlabelctl cipso del doi:8
.br
Delete the CIPSO/IPv4 configuration assigned to DOI 8. In addition to
removing the CIPSO/IPv4 configuration, any domain mappings using this
configuration will also be removed.
.HP
.I netlabelctl map add domain:lsm_domain protocol:cipso,8
.br
Add a domain mapping so that all outgoing packets sent from the "lsm_domain"
will be labeled according to the CIPSO/IPv4 protocol using DOI 8.
.HP
.I netlabelctl map add domain:lsm_domain address:192.168.1.0/24 protocol:cipso,8
.br
Add a mapping so that all outgoing packets sent from the "lsm_domain" to the
192.168.1.0/24 network will be labeled according to the CIPSO/IPv4 protocol
using DOI 8.
.HP
.I netlabelctl \-p map list
.br
Display all of the domain mappings in a human readable format.
.HP
.I netlabelctl map del domain:lsm_domain
.br
Delete the domain mapping for the "lsm_domain"; packets sent from the
"lsm_domain" will fall back to the default NetLabel mapping.
.HP
.I netlabelctl unlbl add interface:lo address:::1 label:foo
.br
Add a static/fallback label to assign the "foo" security label to unlabeled
packets entering the system over the "lo" (loopback) interface with an IPv6
source address of "::1" (localhost).
.HP
.I netlabelctl unlbl add default address:192.168.0.0/16 label:bar
.br
Add a static/fallback label to assign the "bar" security label to unlabeled
packets entering the system over any interface with an IPv4 source address in
the 192.168.0.0/16 network.
.\" //////////////////////////////////////////////////////////////////////////
.SH "NOTES"
.\" //////////////////////////////////////////////////////////////////////////
.P
The NetLabel subsystem is supported on Linux Kernels version 2.6.19 and later.
The static, or fallback, labels are only supported on Linux Kernels version
2.6.25 and later. The domain mapping address selectors are only supported on
Linux Kernels 2.6.28 and later and CALIPSO/RFC5570 is only supported on Linux
Kernels 4.8.0 and later.
.P
The NetLabel project site, with more information including the source code
repository, can be found at https://github.com/netlabel. Please report any
bugs at the project site or directly to the author.
.\" //////////////////////////////////////////////////////////////////////////
.SH "AUTHOR"
.\" //////////////////////////////////////////////////////////////////////////
Paul Moore <paul@paul-moore.com>
.\" //////////////////////////////////////////////////////////////////////////
.SH "SEE ALSO"
.\" //////////////////////////////////////////////////////////////////////////
.BR netlabel-config (8)