Network Labeling Statements
===========================

ipaddr
------

Declares a named IP address in IPv4 or IPv6 format that may be referenced by other CIL statements (e.g. [`nodecon`](cil_network_labeling_statements.md#nodecon)).

Notes:

- CIL statements utilising an IP address may reference a named IP address or use an anonymous address; the examples show each option.

- IP addresses may be declared without a previous declaration by enclosing them within parentheses, e.g. `(127.0.0.1)` or `(::1)`.

**Statement definition:**

```secil
    (ipaddr ipaddr_id ip_address)
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>ipaddr</code></p></td>
<td align="left"><p>The <code>ipaddr</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>ipaddr_id</code></p></td>
<td align="left"><p>The IP address identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>ip_address</code></p></td>
<td align="left"><p>A correctly formatted IP address in IPv4 or IPv6 format.</p></td>
</tr>
</tbody>
</table>

**Example:**

This example declares a named IP address and also passes an 'explicit anonymously declared' IP address to a macro:

```secil
    (ipaddr netmask_1 255.255.255.0)
    (context netlabel_1 (system.user object_r unconfined.object low_low))

    (call build_nodecon ((192.168.1.64) netmask_1))

    (macro build_nodecon ((ipaddr ARG1) (ipaddr ARG2))
        (nodecon ARG1 ARG2 netlabel_1))
```

netifcon
--------

Label network interface objects (e.g. `eth0`).

**Statement definition:**

```secil
    (netifcon netif_name netif_context_id packet_context_id)
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>netifcon</code></p></td>
<td align="left"><p>The <code>netifcon</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>netif_name</code></p></td>
<td align="left"><p>The network interface name (e.g. <code>wlan0</code>).</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>netif_context_id</code></p></td>
<td align="left"><p>The security context to be allocated to the network interface.</p>
<p>A previously declared <code>context</code> identifier or an anonymous security context (<code>user role type levelrange</code>); the range MUST be defined whether the policy is MLS/MCS enabled or not.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>packet_context_id</code></p></td>
<td align="left"><p>The security context to be allocated to packets. Note that these are defined but currently unused, as the <strong><code>iptables</code></strong><code>(8)</code> SECMARK services should be used to label packets.</p>
<p>A previously declared <code>context</code> identifier or an anonymous security context (<code>user role type levelrange</code>); the range MUST be defined whether the policy is MLS/MCS enabled or not.</p></td>
</tr>
</tbody>
</table>

**Examples:**

These examples show named and anonymous [`netifcon`](cil_network_labeling_statements.md#netifcon) statements:

```secil
    (context context_1 (unconfined.user object_r unconfined.object low_low))
    (context context_2 (unconfined.user object_r unconfined.object (systemlow level_2)))

    (netifcon eth0 context_1 (unconfined.user object_r unconfined.object levelrange_1))
    (netifcon eth1 context_1 (unconfined.user object_r unconfined.object ((s0) level_1)))
    (netifcon eth3 context_1 context_2)
```

nodecon
-------

Label network address objects that represent IPv4 or IPv6 IP addresses and network masks.

IP addresses may be declared without a previous declaration by enclosing them within parentheses, e.g. `(127.0.0.1)` or `(::1)`.

**Statement definition:**

```secil
    (nodecon subnet_id netmask_id context_id)
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>nodecon</code></p></td>
<td align="left"><p>The <code>nodecon</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>subnet_id</code></p></td>
<td align="left"><p>A previously declared <code>ipaddr</code> identifier, or an anonymous IPv4 or IPv6 formatted address.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>netmask_id</code></p></td>
<td align="left"><p>A previously declared <code>ipaddr</code> identifier, or an anonymous IPv4 or IPv6 formatted address.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>context_id</code></p></td>
<td align="left"><p>A previously declared <code>context</code> identifier or an anonymous security context (<code>user role type levelrange</code>); the range MUST be defined whether the policy is MLS/MCS enabled or not.</p></td>
</tr>
</tbody>
</table>

**Examples:**

These examples show named and anonymous [`nodecon`](cil_network_labeling_statements.md#nodecon) statements:

```secil
    (context context_1 (unconfined.user object_r unconfined.object low_low))
    (context context_2 (unconfined.user object_r unconfined.object (systemlow level_2)))

    (ipaddr netmask_1 255.255.255.255)
    (ipaddr ipv4_1 192.0.2.64)

    (nodecon ipv4_1 netmask_1 context_2)
    (nodecon (192.0.2.64) (255.255.255.255) context_1)
    (nodecon (192.0.2.64) netmask_1 (unconfined.user object_r unconfined.object ((s0) (s0 (c0)))))

    (context context_3 (sys.id sys.role my48prefix.node ((s0)(s0))))

    (ipaddr netmask_2 ffff:ffff:ffff:0:0:0:0:0)
    (ipaddr ipv6_2 2001:db8:1:0:0:0:0:0)

    (nodecon ipv6_2 netmask_2 context_3)
    (nodecon (2001:db8:1:0:0:0:0:0) (ffff:ffff:ffff:0:0:0:0:0) context_3)
    (nodecon (2001:db8:1:0:0:0:0:0) netmask_2 (sys.id sys.role my48prefix.node ((s0)(s0))))
```

portcon
-------

Label a udp, tcp, dccp or sctp port.

**Statement definition:**

```secil
    (portcon protocol port|(port_low port_high) context_id)
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>portcon</code></p></td>
<td align="left"><p>The <code>portcon</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>protocol</code></p></td>
<td align="left"><p>The protocol keyword <code>tcp</code>, <code>udp</code>, <code>dccp</code> or <code>sctp</code>.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>port |</code></p>
<p><code>(port_low port_high)</code></p></td>
<td align="left"><p>A single port to apply the context to, or a range of ports.</p>
<p>The entries must consist of numerics <code>[0-9]</code>.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>context_id</code></p></td>
<td align="left"><p>A previously declared <code>context</code> identifier or an anonymous security context (<code>user role type levelrange</code>); the range MUST be defined whether the policy is MLS/MCS enabled or not.</p></td>
</tr>
</tbody>
</table>

**Examples:**

These examples show named and anonymous [`portcon`](cil_network_labeling_statements.md#portcon) statements:

```secil
    (portcon tcp 1111 (unconfined.user object_r unconfined.object ((s0) (s0 (c0)))))
    (portcon tcp 2222 (unconfined.user object_r unconfined.object levelrange_2))
    (portcon tcp 3333 (unconfined.user object_r unconfined.object levelrange_1))
    (portcon udp 4444 (unconfined.user object_r unconfined.object ((s0) level_2)))
    (portcon tcp (2000 20000) (unconfined.user object_r unconfined.object (systemlow level_3)))
    (portcon dccp (6840 6880) (unconfined.user object_r unconfined.object ((s0) level_2)))
    (portcon sctp (1024 1035) (unconfined.user object_r unconfined.object ((s0) level_2)))
```
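The four statement tables above share a small set of rules: an `ipaddr` must be a well-formed IPv4 or IPv6 literal, an anonymous address is a single literal in parentheses, a `portcon` protocol is one of `tcp`/`udp`/`dccp`/`sctp` with numeric port entries, and every anonymous context must carry its `levelrange`. The following Python checker is an added example, not code from the CIL reference or the SELinux project: it parses a CIL fragment as S-expressions, collects `ipaddr` and `context` declarations in a first pass, and then checks `ipaddr`, `nodecon`, `netifcon` and `portcon` statements against those rules. Three checks go beyond what the page states and are assumptions added here: ports lie in 0..65535, a `(port_low port_high)` range has `port_low <= port_high`, and a `nodecon` subnet and netmask must be of the same address family. The function and constant names (`parse`, `parse_ip`, `lint`, `CLEAN_POLICY`, `BROKEN_POLICY`) and both sample fragments are constructed for this example.

```python
"""Added example (not from the CIL reference or SELinux): check the network labeling
statements described above against the rules their tables state. Added assumptions: ports
are 0..65535 with port_low <= port_high, and a nodecon subnet and netmask share one family."""
import ipaddress
import re

PROTOCOLS = {"tcp", "udp", "dccp", "sctp"}   # protocol keywords accepted by portcon
TOKEN_RE = re.compile(r"\(|\)|[^\s()]+")     # a paren, or an atom with no whitespace/parens


def parse(text):  # tokenise CIL text into nested lists; ';' starts a comment
    stack = [[]]
    for tok in TOKEN_RE.findall(re.sub(r";[^\n]*", "", text)):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) < 2:
                raise ValueError("unbalanced ')'")
            stack[-2].append(stack.pop())
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced '('")
    return stack[0]


def parse_ip(atom):  # ipaddress object for a well-formed IPv4/IPv6 literal, else None
    try:
        return ipaddress.ip_address(atom) if isinstance(atom, str) else None
    except ValueError:
        return None


def lint(text):
    """Return the problems found; an empty list means the fragment is clean."""
    forms, errors, ipaddrs, contexts = parse(text), [], {}, set()
    # Pass 1: declarations. CIL resolves names after parsing, so a statement may precede
    # the ipaddr or context it references (compare the macro example above).
    for f in forms:
        if isinstance(f, list) and len(f) == 3 and f[0] == "ipaddr" and isinstance(f[1], str):
            if parse_ip(f[2]) is None:
                errors.append(f"ipaddr {f[1]}: {f[2]!r} is not an IPv4 or IPv6 address")
            else:
                ipaddrs[f[1]] = parse_ip(f[2])
        elif isinstance(f, list) and len(f) > 1 and f[0] == "context" and isinstance(f[1], str):
            contexts.add(f[1])

    def check_addr(operand, where):  # named ipaddr identifier, or anonymous (address)
        if isinstance(operand, str):
            if operand not in ipaddrs:
                errors.append(f"{where}: unknown ipaddr identifier {operand!r}")
            return ipaddrs.get(operand)
        ip = parse_ip(operand[0]) if len(operand) == 1 else None
        if ip is None:
            errors.append(f"{where}: anonymous address {operand!r} must be one IPv4/IPv6 literal")
        return ip

    def check_context(operand, where):  # named context, or anonymous (user role type levelrange)
        if (operand not in contexts) if isinstance(operand, str) else (len(operand) != 4):
            errors.append(f"{where}: {operand!r} is neither a declared context nor (user role type levelrange)")

    # Pass 2: the labeling statements themselves; each takes exactly three operands.
    for f in forms:
        if not isinstance(f, list) or len(f) != 4 or f[0] not in ("nodecon", "netifcon", "portcon"):
            continue
        if f[0] == "nodecon":
            subnet, mask = check_addr(f[1], "nodecon subnet"), check_addr(f[2], "nodecon netmask")
            if subnet is not None and mask is not None and subnet.version != mask.version:
                errors.append(f"nodecon {f[1]!r}: IPv{subnet.version} subnet with IPv{mask.version} netmask")
            check_context(f[3], "nodecon")
        elif f[0] == "netifcon":
            check_context(f[2], f"netifcon {f[1]} interface context")
            check_context(f[3], f"netifcon {f[1]} packet context")
        else:
            proto, ports = f[1], [f[2]] if isinstance(f[2], str) else f[2]
            if not isinstance(proto, str) or proto not in PROTOCOLS:
                errors.append(f"portcon: protocol {proto!r} is not tcp, udp, dccp or sctp")
            if len(ports) not in (1, 2) or not all(isinstance(p, str) and p.isascii() and p.isdigit() for p in ports):
                errors.append(f"portcon: port entry {f[2]!r} must be numeric: a port or (port_low port_high)")
            elif max(map(int, ports)) > 65535 or int(ports[0]) > int(ports[-1]):
                errors.append(f"portcon: port entry {f[2]!r} is outside 0..65535 or has port_low > port_high")
            check_context(f[3], "portcon")
    return errors


# Constructed input built from this page's own example forms (expected: no problems).
CLEAN_POLICY = """
(context context_1 (unconfined.user object_r unconfined.object low_low))
(ipaddr netmask_1 255.255.255.255)
(ipaddr ipv4_1 192.0.2.64)
(nodecon ipv4_1 netmask_1 context_1)
(nodecon (2001:db8:1:0:0:0:0:0) (ffff:ffff:ffff:0:0:0:0:0) context_1)
(netifcon eth0 context_1 (unconfined.user object_r unconfined.object ((s0) (s0 (c0)))))
(portcon tcp (2000 20000) (unconfined.user object_r unconfined.object ((s0)(s0))))
"""
# Constructed input with one mistake per statement (expected: five problems).
BROKEN_POLICY = """
(context context_1 (unconfined.user object_r unconfined.object low_low))
(ipaddr bad_1 192.0.2.300)                                 ; not an address
(nodecon (192.0.2.0) (ffff:ffff:ffff:0:0:0:0:0) context_1) ; IPv4 subnet, IPv6 netmask
(netifcon eth1 context_1 (unconfined.user object_r unconfined.object)) ; no levelrange
(portcon icmp 22 context_1)                                ; unknown protocol
(portcon tcp (30000 20000) context_1)                      ; port_low above port_high
"""
```

Running `lint(CLEAN_POLICY)` returns an empty list, while `lint(BROKEN_POLICY)` returns one message per constructed mistake. The two-pass design matters: because CIL resolves identifiers after parsing (the `ipaddr` example above calls `build_nodecon` before the macro is declared), a single-pass checker that insisted on textual declaration order would reject valid policy. The checker covers only the constraints these tables state; `secilc` remains the authority on whether a fragment compiles.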