#!/bin/bash
#
# NetLabel configuration helper script
# http://netlabel.sf.net
#

#
# Configuration file:
# /etc/netlabel.rules
#
# Return values:
# 0 - success
# 1 - generic or unspecified error
# 2 - invalid or excess argument(s)
# 3 - unimplemented feature (e.g. "reload")
# 4 - insufficient privilege
# 5 - program is not installed
# 6 - program is not configured
# 7 - program is not running

# resolve every external command (netlabelctl, id, ...) through a fixed
# search path instead of whatever PATH the caller provided
PATH=/sbin:/bin:/usr/sbin:/usr/bin

# core configuration: the rules file consumed by the "load" operation
CFG_FILE=/etc/netlabel.rules
####
# functions
#
# clear/reset the unlabeled traffic configuration
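function nlbl_reset_unlbl() {
  # Remove every static/fallback unlabeled-traffic entry reported by
  # "netlabelctl unlbl list", then re-enable acceptance of unlabeled
  # packets.
  #
  # Entries are whitespace separated and are expected to look like
  #   interface:<iface>,address:<addr>,label:<label>
  # with <iface> equal to "DEFAULT" for entries not bound to an interface;
  # the "accept:..." status entry is skipped.
  #
  # Globals:  none
  # Returns:  0 always; a failing netlabelctl call is not propagated
  local list entry iface addr

  # remove the static/fallback labels
  list=$(netlabelctl unlbl list)
  # entries are whitespace separated, so the unquoted expansion is intended
  # shellcheck disable=SC2086
  for entry in $list; do
    # skip the "accept:on|off" status entry
    [[ "${entry%%:*}" == "accept" ]] && continue

    # first ','-separated field minus its "interface:" key
    iface=${entry%%,*}
    iface=${iface#*:}
    # second ','-separated field minus its "address:" key; stripping only
    # the key (rather than cutting on ':') keeps IPv6 addresses, which
    # themselves contain ':', intact
    addr=${entry#*,}
    addr=${addr%%,*}
    addr=${addr#*:}

    if [[ "$iface" == "DEFAULT" ]]; then
      netlabelctl unlbl del default "address:$addr"
    else
      netlabelctl unlbl del "interface:$iface" "address:$addr"
    fi
  done

  # reset the unlabeled traffic handling
  # NOTE: only turn this off if you _really_ know what you are doing
  netlabelctl unlbl accept on

  return 0
}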
# clear/reset the CIPSO DOIs
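function nlbl_reset_cipso() {
  # Delete every CIPSO DOI definition reported by "netlabelctl cipso list".
  # NOTE: make sure there are no mappings left which use these DOIs else
  # you will run into errors if the DOI is currently in use
  #
  # Entries are whitespace separated, "<doi>,..."; only the DOI number
  # before the first ',' is needed.
  #
  # Globals:  none
  # Returns:  0 always; a failing "del" is not propagated
  local list entry doi

  list=$(netlabelctl cipso list)
  # entries are whitespace separated, so the unquoted expansion is intended
  # shellcheck disable=SC2086
  for entry in $list; do
    # parameter expansion instead of echo|cut: no forks, no unquoted echo
    doi=${entry%%,*}
    netlabelctl cipso del "doi:$doi"
  done

  return 0
}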
# clear/reset the CALIPSO DOIs
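function nlbl_reset_calipso() {
  # Delete every CALIPSO DOI definition reported by
  # "netlabelctl calipso list".
  # NOTE: make sure there are no mappings left which use these DOIs else
  # you will run into errors if the DOI is currently in use
  #
  # Entries are whitespace separated, "<doi>,..."; only the DOI number
  # before the first ',' is needed.
  #
  # Globals:  none
  # Returns:  0 always; a failing "del" is not propagated
  local list entry doi

  list=$(netlabelctl calipso list)
  # entries are whitespace separated, so the unquoted expansion is intended
  # shellcheck disable=SC2086
  for entry in $list; do
    # parameter expansion instead of echo|cut: no forks, no unquoted echo
    doi=${entry%%,*}
    netlabelctl calipso del "doi:$doi"
  done

  return 0
}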
# clear/reset the NetLabel outbound traffic mapping
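function nlbl_reset_map() {
  # Remove every outbound mapping domain reported by "netlabelctl map list"
  # and then re-create the default mapping as unlabeled.
  #
  # Entries are whitespace separated, "domain:<name>,..."; <name> is
  # "DEFAULT" for the default mapping and may be wrapped in double quotes
  # otherwise.
  #
  # Globals:  none
  # Returns:  0 always; a failing netlabelctl call is not propagated
  local list entry dmn

  # remove the existing mapping domains
  list=$(netlabelctl map list)
  # entries are whitespace separated, so the unquoted expansion is intended
  # shellcheck disable=SC2086
  for entry in $list; do
    # drop the "domain:" key, then everything from the first ',' on
    dmn=${entry#*:}
    dmn=${dmn%%,*}
    if [[ "$dmn" == "DEFAULT" ]]; then
      netlabelctl map del default
    else
      # strip any double quotes the listing puts around the name
      netlabelctl map del "domain:${dmn//\"/}"
    fi
  done

  # allow the kernel to settle
  # XXX: this is awkward but necessary as of early 2013
  sleep 1

  # reset the default mapping
  netlabelctl map add default protocol:unlbl

  return 0
}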
# clear/reset the NetLabel configuration
function nlbl_reset() {
  # Clear the whole NetLabel configuration, one subsystem at a time.
  # NOTE: ordering is important here, see nlbl_reset_cipso() for details
  # (the mappings go first, before the DOIs they may reference).
  #
  # Globals:  none
  # Returns:  0 always; the helpers' return values are ignored
  local step
  for step in map cipso calipso unlbl; do
    "nlbl_reset_$step"
  done
  return 0
}
# load the NetLabel configuration from the configuration file
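function nlbl_load() {
  # Feed every rule in $CFG_FILE to netlabelctl, one rule per line.
  # Lines that are blank or start with '#' (after the leading whitespace
  # that "read" strips) are ignored.
  #
  # Globals:  CFG_FILE (read)
  # Returns:  0 if every rule was applied, 1 if at least one netlabelctl
  #           call failed (the remaining rules are still attempted)
  local ret_rc=0
  local line rc

  # -r keeps backslashes in a rule literal; the "|| [[ -n ... ]]" clause
  # still processes a final line that lacks a trailing newline
  while read -r line || [[ -n "$line" ]]; do
    # skip comments and blank lines
    [[ -z "$line" || "$line" == '#'* ]] && continue

    # perform the configuration: the rule is deliberately left unquoted so
    # that it is split into netlabelctl's arguments.  Anything in the rules
    # file therefore becomes command arguments (and is glob-expanded), so the
    # file must be writable by trusted users only.
    # shellcheck disable=SC2086
    netlabelctl $line >/dev/null 2>&1
    rc=$?
    [[ $rc -ne 0 ]] && ret_rc=1
  done < "$CFG_FILE"

  return $ret_rc
}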
####
# main
#
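rc=0

# sanity checks
# the NetLabel kernel interface is only usable by root
[[ "$(id -u)" == "0" ]] || exit 4
# "command -v" is a shell builtin; the external "which" may be absent
command -v netlabelctl >/dev/null 2>&1 || exit 5
# the rules file must be readable even for "reset"
[[ -r "$CFG_FILE" ]] || exit 6

# operation
case "$1" in
  load)
    nlbl_load
    rc=$?
    ;;
  reset)
    nlbl_reset
    rc=$?
    ;;
  *)
    # unknown/unimplemented operation
    rc=3
    ;;
esac

exit "$rc"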