Network Labeling Statements
===========================

ipaddr
------

Declares a named IP address in IPv4 or IPv6 format that may be referenced by other CIL statements (e.g. [`nodecon`](cil_network_labeling_statements.md#nodecon)).

Notes:

- CIL statements that take an IP address may reference a named IP address or use an anonymous address; the examples show each option.

- IP addresses may be used without a previous `ipaddr` declaration by enclosing the address in parentheses, e.g. `(127.0.0.1)` or `(::1)`.

**Statement definition:**

    (ipaddr ipaddr_id ip_address)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>ipaddr</code></p></td>
<td align="left"><p>The <code>ipaddr</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>ipaddr_id</code></p></td>
<td align="left"><p>The IP address identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>ip_address</code></p></td>
<td align="left"><p>A correctly formatted IP address in IPv4 or IPv6 format.</p></td>
</tr>
</tbody>
</table>

**Example:**

This example declares a named IP address and also passes an anonymous IP address, written inline without a prior declaration, to a macro:

    (ipaddr netmask_1 255.255.255.0)
    (context netlabel_1 (system.user object_r unconfined.object low_low))

    (call build_nodecon ((192.168.1.64) netmask_1))

    (macro build_nodecon ((ipaddr ARG1) (ipaddr ARG2))
        (nodecon ARG1 ARG2 netlabel_1))

netifcon
--------

Label network interface objects (e.g. `eth0`).

**Statement definition:**

    (netifcon netif_name netif_context_id packet_context_id)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>netifcon</code></p></td>
<td align="left"><p>The <code>netifcon</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>netif_name</code></p></td>
<td align="left"><p>The network interface name (e.g. <code>wlan0</code>).</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>netif_context_id</code></p></td>
<td align="left"><p>The security context to be allocated to the network interface.</p>
<p>A previously declared <code>context</code> identifier or an anonymous security context (<code>user role type levelrange</code>); the range MUST be defined whether or not the policy is MLS/MCS enabled.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>packet_context_id</code></p></td>
<td align="left"><p>The security context to be allocated to packets.
Note that these are defined but currently unused, as the <strong><code>iptables</code></strong><code>(8)</code> SECMARK services should be used to label packets.</p>
<p>A previously declared <code>context</code> identifier or an anonymous security context (<code>user role type levelrange</code>); the range MUST be defined whether or not the policy is MLS/MCS enabled.</p></td>
</tr>
</tbody>
</table>

**Examples:**

These examples show named and anonymous [`netifcon`](cil_network_labeling_statements.md#netifcon) statements:

    (context context_1 (unconfined.user object_r unconfined.object low_low))
    (context context_2 (unconfined.user object_r unconfined.object (systemlow level_2)))

    (netifcon eth0 context_1 (unconfined.user object_r unconfined.object levelrange_1))
    (netifcon eth1 context_1 (unconfined.user object_r unconfined.object ((s0) level_1)))
    (netifcon eth3 context_1 context_2)

nodecon
-------

Label network address objects that represent IPv4 or IPv6 addresses and network masks.

IP addresses may be used without a previous `ipaddr` declaration by enclosing the address in parentheses, e.g. `(127.0.0.1)` or `(::1)`.

**Statement definition:**

    (nodecon subnet_id netmask_id context_id)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>nodecon</code></p></td>
<td align="left"><p>The <code>nodecon</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>subnet_id</code></p></td>
<td align="left"><p>A previously declared <code>ipaddr</code> identifier, or an anonymous IPv4 or IPv6 formatted address.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>netmask_id</code></p></td>
<td align="left"><p>A previously declared <code>ipaddr</code> identifier, or an anonymous IPv4 or IPv6 formatted address.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>context_id</code></p></td>
<td align="left"><p>A previously declared <code>context</code> identifier or an anonymous security context (<code>user role type levelrange</code>); the range MUST be defined whether or not the policy is MLS/MCS enabled.</p></td>
</tr>
</tbody>
</table>

**Examples:**

These examples show named and anonymous [`nodecon`](cil_network_labeling_statements.md#nodecon) statements, with the subnet address first and the network mask second as in the statement definition:

    (context context_1 (unconfined.user object_r unconfined.object low_low))
    (context context_2 (unconfined.user object_r unconfined.object (systemlow level_2)))

    (ipaddr netmask_1 255.255.255.0)
    (ipaddr ipv4_1 192.168.1.64)

    (nodecon ipv4_1 netmask_1 context_2)
    (nodecon (192.168.1.64) (255.255.255.0) context_1)
    (nodecon (192.168.1.64) netmask_1 (unconfined.user object_r unconfined.object ((s0) (s0 (c0)))))

portcon
-------

Label a UDP or TCP port.

**Statement definition:**

    (portcon protocol port|(port_low port_high) context_id)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>portcon</code></p></td>
<td align="left"><p>The <code>portcon</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>protocol</code></p></td>
<td align="left"><p>The protocol keyword <code>tcp</code> or <code>udp</code>.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>port |</code></p>
<p><code>(port_low port_high)</code></p></td>
<td align="left"><p>A single port to which the context applies, or a range of ports.</p>
<p>Port entries must be numeric (<code>[0-9]</code>).</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>context_id</code></p></td>
<td align="left"><p>A previously declared <code>context</code> identifier or an anonymous security context (<code>user role type levelrange</code>); the range MUST be defined whether or not the policy is MLS/MCS enabled.</p></td>
</tr>
</tbody>
</table>

**Examples:**

These examples show named and anonymous [`portcon`](cil_network_labeling_statements.md#portcon) statements:

    (portcon tcp 1111 (unconfined.user object_r unconfined.object ((s0) (s0 (c0)))))
    (portcon tcp 2222 (unconfined.user object_r unconfined.object levelrange_2))
    (portcon tcp 3333 (unconfined.user object_r unconfined.object levelrange_1))
    (portcon udp 4444 (unconfined.user object_r unconfined.object ((s0) level_2)))
    (portcon tcp (2000 20000) (unconfined.user object_r unconfined.object (systemlow level_3)))
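As an added illustration of the `ipaddr`, `nodecon` and `portcon` forms above (example code written for this page, not part of the CIL documentation or the SELinux/secilc project), the following Python checker parses a CIL fragment and verifies what the tables require before the policy ever reaches the compiler: anonymous `(addr)` forms and `ipaddr` values parse as IPv4 or IPv6, named `ipaddr` identifiers resolve, the protocol is `tcp` or `udp`, and ports are numeric with `port_low` not above `port_high`. It additionally assumes, beyond what the page states, that a `nodecon` address and mask must share one address family and that ports lie in 0..65535; context arguments are accepted as written, and the `SAMPLE` fragment is constructed.

```python
import ipaddress

def parse_cil(text):  # CIL s-expressions -> nested Python lists, one per top-level statement
    stack = [[]]
    for tok in text.replace("(", " ( ").replace(")", " ) ").split():
        if tok == "(":
            stack.append([])
        elif tok == ")":
            stack[-2].append(stack.pop())  # IndexError here means a stray ')'
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced '('")
    return stack[0]

def resolve_addr(arg, named):  # named ipaddr id or anonymous (addr) form -> ip object, else None
    try:
        text = arg[0] if isinstance(arg, list) and len(arg) == 1 else named.get(arg)
        return ipaddress.ip_address(text)
    except (ValueError, TypeError):
        return None

def check_policy(text):
    """Return error strings for the nodecon and portcon statements in a CIL fragment."""
    stmts = [s for s in parse_cil(text) if s]
    named = {s[1]: s[2] for s in stmts if s[0] == "ipaddr" and len(s) == 3}  # CIL is order-independent
    errors = []
    for s in stmts:
        if s[0] == "nodecon" and len(s) == 4:
            addr, mask = resolve_addr(s[1], named), resolve_addr(s[2], named)
            if addr is None or mask is None:
                errors.append(f"nodecon: unresolved or malformed address in {s[1:3]}")
            elif addr.version != mask.version:  # assumption: address and mask share one family
                errors.append(f"nodecon: address/mask family mismatch in {s[1:3]}")
        elif s[0] == "portcon" and len(s) == 4:
            ports = s[2] if isinstance(s[2], list) else [s[2], s[2]]
            if s[1] not in ("tcp", "udp"):
                errors.append(f"portcon: protocol must be tcp or udp, got {s[1]!r}")
            elif len(ports) != 2 or not all(isinstance(p, str) and p.isdigit() for p in ports):
                errors.append(f"portcon: ports must be numeric, got {s[2]}")
            elif not 0 <= int(ports[0]) <= int(ports[1]) <= 65535:  # assumption: 16-bit ports
                errors.append(f"portcon: bad port range {s[2]}")
    return errors

# Constructed sample (not from the page): three valid statements, then a family mismatch and a reversed range.
SAMPLE = """(ipaddr netmask_1 255.255.255.0)
(nodecon (192.168.1.64) netmask_1 (unconfined.user object_r unconfined.object low_low))
(portcon udp (2000 20000) context_1)
(nodecon (::1) netmask_1 context_1)
(portcon tcp (20000 2000) context_1)"""
```

Running `check_policy(SAMPLE)` reports exactly the two deliberate mistakes; a fragment that resolves cleanly returns an empty list.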