
#!/bin/bash
#
# NetLabel configuration helper script
# http://netlabel.sf.net
#
#
# Configuration file:
#  /etc/netlabel.rules
#
# Return values:
#  0 - success
#  1 - generic or unspecified error
#  2 - invalid or excess argument(s)
#  3 - unimplemented feature (e.g. "reload")
#  4 - insufficient privilege
#  5 - program is not installed
#  6 - program is not configured
#  7 - program is not running
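# set the PATH
# NOTE: exported explicitly so that the child processes (netlabelctl, id, ...)
#       inherit this restricted search path even when PATH was not present in
#       the caller's environment
PATH="/sbin:/bin:/usr/sbin:/usr/bin"
export PATH

# core configuration
# NOTE: read-only, nothing in this script is expected to reassign it
readonly CFG_FILE="/etc/netlabel.rules"

####
# functions
#
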
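#######################################
# Clear/reset the unlabeled traffic configuration.
# Removes every static/fallback label reported by "netlabelctl unlbl list"
# and then re-enables acceptance of unlabeled traffic.
# Globals:   none
# Arguments: none
# Outputs:   whatever netlabelctl prints on stdout/stderr
# Returns:   0 always (individual netlabelctl failures are not fatal)
#######################################
function nlbl_reset_unlbl() {
	local list entry field iface addr

	# remove the static/fallback labels
	# (declared above so a failing "list" command is not masked by "local")
	list=$(netlabelctl unlbl list)
	# word splitting of $list is intended: one entry per whitespace-separated
	# word, entries never contain whitespace
	for entry in $list; do
		# the "accept:on|off" line is not a static label
		[[ "${entry%%:*}" == "accept" ]] && continue

		# entry format: interface:IFACE,address:ADDR[,...]
		# strip only the key of each field instead of cutting on every ':'
		# so that IPv6 addresses (which contain ':') survive intact
		field=${entry%%,*}
		iface=${field#*:}
		field=${entry#*,}
		field=${field%%,*}
		addr=${field#*:}
		if [[ "$iface" == "DEFAULT" ]]; then
			netlabelctl unlbl del default "address:$addr"
		else
			netlabelctl unlbl del "interface:$iface" "address:$addr"
		fi
	done

	# reset the unlabeled traffic handling
	# NOTE: only turn this off if you _really_ know what you are doing
	netlabelctl unlbl accept on

	return 0
}
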
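#######################################
# Clear/reset the CIPSO DOIs.
# Deletes every DOI reported by "netlabelctl cipso list".
# NOTE: make sure there are no mappings left which use these DOIs else
#       you will run into errors if the DOI is currently in use
# Globals:   none
# Arguments: none
# Outputs:   whatever netlabelctl prints on stdout/stderr
# Returns:   0 always (individual netlabelctl failures are not fatal)
#######################################
function nlbl_reset_cipso() {
	local list entry doi

	# declared above so a failing "list" command is not masked by "local"
	list=$(netlabelctl cipso list)
	# word splitting of $list is intended: one entry per whitespace-separated
	# word, entries never contain whitespace
	for entry in $list; do
		# entry format: DOI,... -- the DOI is everything before the first ','
		doi=${entry%%,*}
		netlabelctl cipso del "doi:$doi"
	done

	return 0
}
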
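#######################################
# Clear/reset the CALIPSO DOIs.
# Deletes every DOI reported by "netlabelctl calipso list".
# NOTE: make sure there are no mappings left which use these DOIs else
#       you will run into errors if the DOI is currently in use
# Globals:   none
# Arguments: none
# Outputs:   whatever netlabelctl prints on stdout/stderr
# Returns:   0 always (individual netlabelctl failures are not fatal)
#######################################
function nlbl_reset_calipso() {
	local list entry doi

	# declared above so a failing "list" command is not masked by "local"
	list=$(netlabelctl calipso list)
	# word splitting of $list is intended: one entry per whitespace-separated
	# word, entries never contain whitespace
	for entry in $list; do
		# entry format: DOI,... -- the DOI is everything before the first ','
		doi=${entry%%,*}
		netlabelctl calipso del "doi:$doi"
	done

	return 0
}
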
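#######################################
# Clear/reset the NetLabel outbound traffic mapping.
# Deletes every domain mapping reported by "netlabelctl map list", then
# re-installs the default mapping as unlabeled.
# Globals:   none
# Arguments: none
# Outputs:   whatever netlabelctl prints on stdout/stderr
# Returns:   0 always (individual netlabelctl failures are not fatal)
#######################################
function nlbl_reset_map() {
	local list entry dmn

	# remove the existing mapping domains
	# (declared above so a failing "list" command is not masked by "local")
	list=$(netlabelctl map list)
	# word splitting of $list is intended: one entry per whitespace-separated
	# word, entries never contain whitespace
	for entry in $list; do
		# entry format: domain:DOMAIN,... -- take the value of the first field
		dmn=${entry#*:}
		dmn=${dmn%%,*}
		if [[ "$dmn" == "DEFAULT" ]]; then
			netlabelctl map del default
		else
			# drop the double quotes the listing wraps around the domain name
			netlabelctl map del "domain:${dmn//\"/}"
		fi
	done

	# allow the kernel to settle
	# XXX: this is awkward but necessary as of early 2013
	sleep 1

	# reset the default mapping
	netlabelctl map add default protocol:unlbl

	return 0
}
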
#######################################
# Clear/reset the whole NetLabel configuration.
# Runs the individual reset helpers in dependency order.
# NOTE: ordering is important here, see nlbl_reset_cipso() for details:
#       the mappings have to go before the DOIs they may still reference.
# Globals:   none
# Arguments: none
# Returns:   0 always (the helpers' return values are not inspected)
#######################################
function nlbl_reset() {
	local step
	for step in nlbl_reset_map nlbl_reset_cipso nlbl_reset_calipso nlbl_reset_unlbl; do
		"$step"
	done
	return 0
}

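#######################################
# Load the NetLabel configuration from the configuration file.
# Every non-blank, non-comment line of $CFG_FILE is word-split and passed as
# the argument list of one netlabelctl invocation.
# Globals:   CFG_FILE (read)
# Arguments: none
# Outputs:   none (netlabelctl output is discarded)
# Returns:   0 if every line was applied, 1 if any netlabelctl call failed
#######################################
function nlbl_load() {
	local ret_rc=0
	local rc
	local -a args

	# -r keeps backslashes literal; -a splits the line into the argument
	# list the same way the shell would (leading/trailing whitespace is
	# dropped) but without the pathname expansion an unquoted $line gets.
	# The "|| [[ ... ]]" clause still processes a last line that lacks a
	# trailing newline.
	while read -r -a args || [[ ${#args[@]} -gt 0 ]]; do
		# skip comments and blank lines
		[[ ${#args[@]} -eq 0 || "${args[0]}" == \#* ]] && continue

		# perform the configuration
		netlabelctl "${args[@]}" >& /dev/null
		rc=$?
		[[ $rc -ne 0 ]] && ret_rc=1
	done < "$CFG_FILE"

	return $ret_rc
}
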
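####
# main
#
# Usage: netlabel-config load|reset
# The exit codes are the ones documented at the top of this file.
# NOTE: exit code 2 (invalid or excess arguments) is documented but never
#       produced at the moment; extra arguments are silently ignored and an
#       unknown operation is reported as 3 (unimplemented).
#

rc=0

# sanity checks
# "command -v" is a shell builtin; "which" is an external program that is
# not guaranteed to exist and would wrongly yield exit code 5 when missing
[[ "$(id -u)" == "0" ]] || exit 4
command -v netlabelctl >& /dev/null || exit 5
[[ -r "$CFG_FILE" ]] || exit 6

# operation
case "$1" in
load)
	nlbl_load
	rc=$?
	;;
reset)
	nlbl_reset
	rc=$?
	;;
*)
	# unknown/unimplemented operation
	rc=3
	;;
esac

exit "$rc"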