Network Labeling Statements
===========================

ipaddr
------

Declares a named IP address in IPv4 or IPv6 format that may be referenced by other CIL statements (e.g. [`nodecon`](cil_network_labeling_statements.md#nodecon)).

Notes:

-   CIL statements utilising an IP address may reference a named IP address or use an anonymous address; the examples show each option.

-   IP addresses may be used without a previous declaration by enclosing them within parentheses, e.g. `(127.0.0.1)` or `(::1)`.

**Statement definition:**

    (ipaddr ipaddr_id ip_address)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>ipaddr</code></p></td>
<td align="left"><p>The <code>ipaddr</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>ipaddr_id</code></p></td>
<td align="left"><p>The IP address identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>ip_address</code></p></td>
<td align="left"><p>A correctly formatted IP address in IPv4 or IPv6 format.</p></td>
</tr>
</tbody>
</table>

**Example:**

This example declares a named IP address and also passes an anonymous IP address (declared explicitly in parentheses) to a macro:

    (ipaddr netmask_1 255.255.255.0)
    (context netlabel_1 (system.user object_r unconfined.object low_low))

    (call build_nodecon ((192.168.1.64) netmask_1))

    (macro build_nodecon ((ipaddr ARG1) (ipaddr ARG2))
        (nodecon ARG1 ARG2 netlabel_1))

netifcon
--------

Label network interface objects (e.g. `eth0`).

**Statement definition:**

    (netifcon netif_name netif_context_id packet_context_id)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>netifcon</code></p></td>
<td align="left"><p>The <code>netifcon</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>netif_name</code></p></td>
<td align="left"><p>The network interface name (e.g. <code>wlan0</code>).</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>netif_context_id</code></p></td>
<td align="left"><p>The security context to be allocated to the network interface.</p>
<p>A previously declared <code>context</code> identifier or an anonymous security context (<code>user role type levelrange</code>); the range MUST be defined whether or not the policy is MLS/MCS enabled.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>packet_context_id</code></p></td>
<td align="left"><p>The security context to be allocated to packets. Note that this is defined but currently unused, as the <strong><code>iptables</code></strong><code>(8)</code> SECMARK services should be used to label packets instead.</p>
<p>A previously declared <code>context</code> identifier or an anonymous security context (<code>user role type levelrange</code>); the range MUST be defined whether or not the policy is MLS/MCS enabled.</p></td>
</tr>
</tbody>
</table>

**Examples:**

These examples show named and anonymous [`netifcon`](cil_network_labeling_statements.md#netifcon) statements:

    (context context_1 (unconfined.user object_r unconfined.object low_low))
    (context context_2 (unconfined.user object_r unconfined.object (systemlow level_2)))

    (netifcon eth0 context_1 (unconfined.user object_r unconfined.object levelrange_1))
    (netifcon eth1 context_1 (unconfined.user object_r unconfined.object ((s0) level_1)))
    (netifcon eth3 context_1 context_2)

nodecon
-------

Label network address objects that represent IPv4 or IPv6 IP addresses and network masks.

IP addresses may be used without a previous declaration by enclosing them within parentheses, e.g. `(127.0.0.1)` or `(::1)`.

**Statement definition:**

    (nodecon subnet_id netmask_id context_id)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>nodecon</code></p></td>
<td align="left"><p>The <code>nodecon</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>subnet_id</code></p></td>
<td align="left"><p>A previously declared <code>ipaddr</code> identifier, or an anonymous IPv4 or IPv6 formatted address.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>netmask_id</code></p></td>
<td align="left"><p>A previously declared <code>ipaddr</code> identifier, or an anonymous IPv4 or IPv6 formatted address.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>context_id</code></p></td>
<td align="left"><p>A previously declared <code>context</code> identifier or an anonymous security context (<code>user role type levelrange</code>); the range MUST be defined whether or not the policy is MLS/MCS enabled.</p></td>
</tr>
</tbody>
</table>

**Examples:**

These examples show named and anonymous [`nodecon`](cil_network_labeling_statements.md#nodecon) statements (the subnet address is given first, then the netmask, as in the statement definition):

    (context context_1 (unconfined.user object_r unconfined.object low_low))
    (context context_2 (unconfined.user object_r unconfined.object (systemlow level_2)))

    (ipaddr netmask_1 255.255.255.0)
    (ipaddr ipv4_1 192.168.1.64)

    (nodecon ipv4_1 netmask_1 context_2)
    (nodecon (192.168.1.64) (255.255.255.0) context_1)
    (nodecon (192.168.1.64) netmask_1 (unconfined.user object_r unconfined.object ((s0) (s0 (c0)))))

portcon
-------

Label a UDP or TCP port.

**Statement definition:**

    (portcon protocol port|(port_low port_high) context_id)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>portcon</code></p></td>
<td align="left"><p>The <code>portcon</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>protocol</code></p></td>
<td align="left"><p>The protocol keyword <code>tcp</code> or <code>udp</code>.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>port |</code></p>
<p><code>(port_low port_high)</code></p></td>
<td align="left"><p>A single port to apply the context to, or a range of ports.</p>
<p>The entries must consist of numerics <code>[0-9]</code>.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>context_id</code></p></td>
<td align="left"><p>A previously declared <code>context</code> identifier or an anonymous security context (<code>user role type levelrange</code>); the range MUST be defined whether or not the policy is MLS/MCS enabled.</p></td>
</tr>
</tbody>
</table>

**Examples:**

These examples show named and anonymous [`portcon`](cil_network_labeling_statements.md#portcon) statements:

    (portcon tcp 1111 (unconfined.user object_r unconfined.object ((s0) (s0 (c0)))))
    (portcon tcp 2222 (unconfined.user object_r unconfined.object levelrange_2))
    (portcon tcp 3333 (unconfined.user object_r unconfined.object levelrange_1))
    (portcon udp 4444 (unconfined.user object_r unconfined.object ((s0) level_2)))
    (portcon tcp (2000 20000) (unconfined.user object_r unconfined.object (systemlow level_3)))

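The checks a policy author would want over the `ipaddr`, `nodecon` and `portcon` statements described above, as an added example that is not from the CIL reference or the SELinux tools: a small Python lint pass that parses the S-expressions, resolves named and anonymous IP addresses, rejects a `nodecon` whose netmask argument is a host address (the symptom of swapped subnet/netmask arguments), and checks `portcon` protocol, port values, range order and the mandatory `levelrange` of an anonymous context. The parser, the helper names and the `SAMPLE` text are constructed here; only the argument forms come from this page's statement definitions.

```python
import ipaddress
import re

def parse_cil(text):  # CIL text to nested lists; an anonymous value such as (::1) becomes ['::1']
    stack = [[]]
    for tok in re.findall(r"\(|\)|[^\s()]+", text):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            stack[-2].append(stack.pop())
        else:
            stack[-1].append(tok)
    return stack[0]

def addr_of(arg, ipaddrs):  # declared ipaddr identifier or anonymous (address) as an ip object
    text = arg[0] if isinstance(arg, list) and len(arg) == 1 else ipaddrs.get(str(arg))
    try:
        return ipaddress.ip_address(text) if isinstance(text, str) else None
    except ValueError:
        return None

def context_ok(ctx):  # declared context identifier, or anonymous (user role type levelrange)
    return isinstance(ctx, str) or (isinstance(ctx, list) and len(ctx) == 4)

def lint(text):  # return the problems found in the ipaddr, nodecon and portcon statements
    ipaddrs, problems = {}, []
    for stmt in (s for s in parse_cil(text) if isinstance(s, list) and len(s) in (3, 4)):
        if stmt[0] == "ipaddr" and len(stmt) == 3:
            ipaddrs[stmt[1]] = stmt[2]
        elif stmt[0] in ("nodecon", "portcon") and len(stmt) == 4:
            if not context_ok(stmt[3]):
                problems.append(f"{stmt[0]}: anonymous context must be (user role type levelrange)")
            if stmt[0] == "nodecon":
                subnet, mask = addr_of(stmt[1], ipaddrs), addr_of(stmt[2], ipaddrs)
                if subnet is None or mask is None or subnet.version != mask.version:
                    problems.append(f"nodecon: undeclared or mismatched address/mask {stmt[1:3]}")
                elif "01" in format(int(mask), f"0{mask.max_prefixlen}b"):
                    # a netmask is contiguous ones then zeros; a host address here usually means swapped args
                    problems.append(f"nodecon: {mask} is not a netmask (subnet/netmask swapped?)")
            else:
                ports = stmt[2] if isinstance(stmt[2], list) else [stmt[2]]
                nums = [int(p) for p in ports if isinstance(p, str) and p.isdigit()]
                if (stmt[1] not in ("tcp", "udp") or len(nums) != len(ports) or len(nums) > 2
                        or nums != sorted(nums) or max(nums, default=0) > 65535):
                    problems.append(f"portcon: bad protocol, port or range in {stmt[:3]}")
    return problems

SAMPLE = """(ipaddr netmask_1 255.255.255.0) (ipaddr ipv4_1 192.168.1.64)
(nodecon ipv4_1 netmask_1 context_1) (nodecon netmask_1 ipv4_1 context_2)
(portcon tcp (2000 20000) context_1) (portcon udp (20000 2000) (user_u role_r type_t))"""  # constructed
```

Running `lint(SAMPLE)` reports three problems: the swapped `nodecon`, the reversed port range, and the anonymous context that lacks its `levelrange`; the two well-formed statements pass.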