#!/bin/bash
#
# NetLabel configuration helper script
# http://netlabel.sf.net
#
#
# Configuration file:
# /etc/netlabel.rules
#
# Return values:
# 0 - success
# 1 - generic or unspecified error
# 2 - invalid or excess argument(s)
# 3 - unimplemented feature (e.g. "reload")
# 4 - insufficient privilege
# 5 - program is not installed
# 6 - program is not configured
# 7 - program is not running
# set the PATH
PATH="/sbin:/bin:/usr/sbin:/usr/bin"
# core configuration
CFG_FILE="/etc/netlabel.rules"
####
# functions
#
# clear/reset the unlabeled traffic configuration
function nlbl_reset_unlbl() {
# remove the static/fallback labels
local list=$(netlabelctl unlbl list)
for i in $list; do
[[ "$(echo $i | cut -d':' -f 1)" == "accept" ]] && continue
local iface=$(echo $i | cut -d',' -f 1 | cut -d':' -f 2)
local addr=$(echo $i | cut -d',' -f 2 | cut -d':' -f 2)
if [[ "$iface" == "DEFAULT" ]]; then
netlabelctl unlbl del default address:$addr
else
netlabelctl unlbl del interface:$iface address:$addr
fi
done
# reset the unlabeled traffic handling
# NOTE: only turn this off if you _really_ know what you are doing
netlabelctl unlbl accept on
return 0
}
# clear/reset the CIPSO DOIs
function nlbl_reset_cipso() {
# NOTE: make sure there are no mappings left which use these DOIs else
# you will run into errors if the DOI is currently in use
local list=$(netlabelctl cipso list)
for i in $list; do
local doi=$(echo $i | cut -d',' -f 1)
netlabelctl cipso del doi:$doi
done
return 0
}
# clear/reset the CALIPSO DOIs
function nlbl_reset_calipso() {
# NOTE: make sure there are no mappings left which use these DOIs else
# you will run into errors if the DOI is currently in use
local list=$(netlabelctl calipso list)
for i in $list; do
local doi=$(echo $i | cut -d',' -f 1)
netlabelctl calipso del doi:$doi
done
return 0
}
# clear/reset the NetLabel outbound traffic mapping
function nlbl_reset_map() {
# remove the existing mapping domains
local list=$(netlabelctl map list)
for i in $list; do
local dmn=$(echo $i | cut -d':' -f 2 | cut -d',' -f 1)
if [[ "$dmn" == "DEFAULT" ]]; then
netlabelctl map del default
else
netlabelctl map del domain:${dmn//\"/}
fi
done
# allow the kernel to settle
# XXX: this is awkward but necessary as of early 2013
sleep 1
# reset the default mapping
netlabelctl map add default protocol:unlbl
return 0
}
# clear/reset the NetLabel configuration
function nlbl_reset() {
# NOTE: ordering is important here, see nlbl_reset_cipso() for details
nlbl_reset_map
nlbl_reset_cipso
nlbl_reset_calipso
nlbl_reset_unlbl
return 0
}
# load the NetLabel configuration from the configuration file
function nlbl_load() {
local ret_rc=0
local line
while read line; do
# skip comments and blank lines
echo "$line" | egrep '^#|^$' >& /dev/null && continue
# perform the configuration
netlabelctl $line >& /dev/null
rc=$?
[[ $rc -ne 0 ]] && ret_rc=1
done < "$CFG_FILE"
return $ret_rc
}
####
# main
#
rc=0
# sanity checks
[[ "$(id -u)" == "0" ]] || exit 4
which netlabelctl >& /dev/null || exit 5
[[ -r "$CFG_FILE" ]] || exit 6
# operation
case "$1" in
load)
nlbl_load
rc=$?
;;
reset)
nlbl_reset
rc=$?
;;
*)
# unknown/unimplemented operation
rc=3
;;
esac
exit $rc