NetworkStatements - Revision history (selinuxproject.org wiki, MediaWiki)
Revisions: RichardHaines, 28 January 2015 (changes); RichardHaines, 30 November 2009 (new page, content below).

= Network Labeling Statements =
The network labeling statements are used to label the following objects:

'''Network interfaces''' - This covers those interfaces managed by the ifconfig(8) command.

'''Network nodes''' - These are generally used to specify host systems using either IPv4 or IPv6 addresses.

'''Network ports''' - These can be either udp or tcp port numbers.

A security context is defined by these network labeling statements, therefore if the policy supports MCS / MLS, then an mls_range is required as described in the MLS range Definition section.
Note that there are no terminating semi-colons (;) on these statements.

If any of the network objects do not have a specific security context assigned by the policy, then the value given in the policy's initial SID is used (netif, node or port respectively), as shown below:
<pre>
# Network Initial SIDs from the Standard Reference Policy:
sid netif system_u:object_r:netif_t
sid node system_u:object_r:node_t
sid port system_u:object_r:port_t

# Network Initial SIDs from the MLS Reference Policy:
sid netif system_u:object_r:netif_t:s0 - s15:c0.c255
sid node system_u:object_r:node_t:s0 - s15:c0.c255
sid port system_u:object_r:port_t:s0
</pre>

== IP Address Formats ==
=== IPv4 Address Format ===
IPv4 addresses are represented in dotted-decimal notation (four numbers, each ranging from 0 to 255, separated by dots) as shown:
<pre>
192.77.188.166
</pre>

=== IPv6 Address Formats ===
IPv6 addresses are written as eight groups of four hexadecimal digits, where each group is separated by a colon (:) as follows:
<pre>
2001:0db8:85a3:0000:0000:8a2e:0370:7334
</pre>

To shorten the writing and presentation of addresses, the following rules apply:

* Leading zeros in a group may be omitted, so a group of all zeros is written as a single '0' as shown:
<pre>
2001:db8:85a3:0:0:8a2e:370:7334
</pre>

* One run of consecutive all-zero groups may be omitted and replaced with two colons (::); this is only allowed once in an address, as follows:
<pre>
2001:db8:85a3::8a2e:370:7334
</pre>

* The localhost (loopback) address can be written as:
<pre>
0000:0000:0000:0000:0000:0000:0000:0001
</pre>
Or
<pre>
::1
</pre>

* An undetermined IPv6 address, i.e. one where all bits are zero, is written as:
<pre>
::
</pre>

== netifcon Statement ==
The netifcon statement is used to label network interface objects (e.g. eth0).

It is also possible to label interfaces outside the policy using the 'semanage interface' command, which associates the interface with a security context.

'''The statement definition is:'''
<pre>
netifcon netif_id netif_context packet_context
</pre>

'''Where:'''
{|border="1"
|netifcon
|The netifcon keyword.
|-
|netif_id
|The network interface name (e.g. eth0).
|-
|netif_context
|The security context allocated to the network interface.
|-
|packet_context
|The security context allocated to packets. Note that these are defined but currently unused.
|}

'''The statement is valid in:'''
{|border="1"
|<center>'''Monolithic Policy'''</center>
|<center>'''Base Policy'''</center>
|<center>'''Module Policy'''</center>
|-
|<center>Yes</center>
|<center>Yes</center>
|<center>No</center>
|-
|<center>'''Conditional Policy (if) Statement'''</center>
|<center>'''optional Statement'''</center>
|<center>'''require Statement'''</center>
|-
|<center>No</center>
|<center>No</center>
|<center>No</center>
|}

'''Examples:'''
<pre>
# The following netifcon statement has been taken from the
# MLS policy and shows an interface name of lo with the same
# security context assigned to both the interface and packets.

netifcon lo system_u:object_r:lo_netif_t:s0 - s15:c0.c255 system_u:object_r:unlabeled_t:s0 - s15:c0.c255
</pre>

'''semanage(8) Command example:'''
<pre>
semanage interface -a -t unconfined_t eth0
</pre>

This command will produce the following file in the default <policy_name> policy store and then activate the policy:

/etc/selinux/<policy_name>/modules/active/interfaces.local:

<pre>
# This file is auto-generated by libsemanage
# Do not edit directly.

netifcon eth0 system_u:object_r:unconfined_t system_u:object_r:unconfined_t
</pre>

== nodecon Statement ==
The nodecon statement is used to label network address objects that represent IPv4 or IPv6 IP addresses and network masks.

It is also possible to add these outside the policy using the 'semanage node' command, which associates the node with a security context.

'''The statement definition is:'''
<pre>
nodecon subnet netmask node_context
</pre>

'''Where:'''
{|border="1"
|nodecon
|The nodecon keyword.
|-
|subnet
|The subnet or specific IP address in IPv4 or IPv6 format.

Note that the subnet and netmask values are used to ensure that the node_context is assigned to all IP addresses within the subnet range.
|-
|netmask
|The subnet mask in IPv4 or IPv6 format.
|-
|node_context
|The security context for the node.
|}

'''The statement is valid in:'''
{|border="1"
|<center>'''Monolithic Policy'''</center>
|<center>'''Base Policy'''</center>
|<center>'''Module Policy'''</center>
|-
|<center>Yes</center>
|<center>Yes</center>
|<center>No</center>
|-
|<center>'''Conditional Policy (if) Statement'''</center>
|<center>'''optional Statement'''</center>
|<center>'''require Statement'''</center>
|-
|<center>No</center>
|<center>No</center>
|<center>No</center>
|}

'''Examples:'''
<pre>
# The Standard Reference Policy nodecon statement for the IPv4
# Local Host:

nodecon 127.0.0.1 255.255.255.255 system_u:object_r:lo_node_t

# The equivalent MLS Reference Policy nodecon statement for the
# IPv4 Local Host:

nodecon 127.0.0.1 255.255.255.255 system_u:object_r:lo_node_t:s0 - s15:c0.c255
</pre>

<pre>
# The Standard Reference Policy nodecon statement for the IPv4
# multicast address:

nodecon 127.0.0.1 255.255.255.255 system_u:object_r:lo_node_t:s0 - s15:c0.c255

# The equivalent MLS Reference Policy nodecon statement for the
# multicast address, however using an IPv6 address:

nodecon ff00:: ff00:: system_u:object_r:multicast_node_t:s0 - s15:c0.c255
</pre>

'''semanage(8) Command example:'''
<pre>
semanage node -a -t unconfined_t -p ipv4 -M 255.255.255.255 127.0.0.2
</pre>

This command will produce the following file in the default <policy_name> policy store and then activate the policy:

/etc/selinux/<policy_name>/modules/active/nodes.local:
<pre>
# This file is auto-generated by libsemanage
# Do not edit directly.

'''COMMAND FAILED TO WORK''' (fixed in a later release)
</pre>

== portcon Statement ==
The portcon statement is used to label udp or tcp ports.

It is also possible to add a security context to ports outside the policy using the 'semanage port' command, which associates the port (or range of ports) with a security context.

'''The statement definition is:'''
<pre>
portcon protocol port_number port_context
</pre>

'''Where:'''
{|border="1"
|portcon
|The portcon keyword.
|-
|protocol
|The protocol type. Valid entries are udp or tcp.
|-
|port_number
|The port number or range of ports. The ends of a range are separated by a hyphen (-).
|-
|port_context
|The security context for the port or range of ports.
|}

'''The statement is valid in:'''
{|border="1"
|<center>'''Monolithic Policy'''</center>
|<center>'''Base Policy'''</center>
|<center>'''Module Policy'''</center>
|-
|<center>Yes</center>
|<center>Yes</center>
|<center>No</center>
|-
|<center>'''Conditional Policy (if) Statement'''</center>
|<center>'''optional Statement'''</center>
|<center>'''require Statement'''</center>
|-
|<center>No</center>
|<center>No</center>
|<center>No</center>
|}

'''Examples:'''

# The Standard Reference Policy portcon statements:
<pre>
portcon tcp 20 system_u:object_r:ftp_data_port_t
portcon tcp 21 system_u:object_r:ftp_port_t
portcon tcp 600-1023 system_u:object_r:hi_reserved_port_t
portcon udp 600-1023 system_u:object_r:hi_reserved_port_t
portcon tcp 1-599 system_u:object_r:reserved_port_t
portcon udp 1-599 system_u:object_r:reserved_port_t

# The equivalent MLS Reference Policy portcon statements:

portcon tcp 20 system_u:object_r:ftp_data_port_t:s0
portcon tcp 21 system_u:object_r:ftp_port_t:s0
portcon tcp 600-1023 system_u:object_r:hi_reserved_port_t:s0
portcon udp 600-1023 system_u:object_r:hi_reserved_port_t:s0
portcon tcp 1-599 system_u:object_r:reserved_port_t:s0
portcon udp 1-599 system_u:object_r:reserved_port_t:s0
</pre>

'''semanage(8) Command example:'''
<pre>
semanage port -a -t unconfined_t -p udp 1234
</pre>

This command will produce the following file in the default <policy_name> policy store and then activate the policy:

/etc/selinux/<policy_name>/modules/active/ports.local:

<pre>
# This file is auto-generated by libsemanage
# Do not edit directly.

portcon udp 1234 system_u:object_r:unconfined_t
</pre>
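To show how the netifcon, nodecon and portcon statements above resolve a label for a given interface, address or port, and how the initial SID fallback described at the top of the page applies when nothing matches, here is an added Python example (not from the wiki page or the SELinux project). It assumes first-match resolution in policy statement order; the policy fragment is constructed from statements quoted on this page, and the lookup function names are my own.

```python
import ipaddress

# Initial SIDs used when no statement matches (Standard Reference Policy values).
INITIAL_SIDS = {"netif": "system_u:object_r:netif_t",
                "node": "system_u:object_r:node_t",
                "port": "system_u:object_r:port_t"}

# Constructed policy fragment built from the statements shown on this page.
POLICY = """
netifcon lo system_u:object_r:lo_netif_t system_u:object_r:unlabeled_t
nodecon 127.0.0.1 255.255.255.255 system_u:object_r:lo_node_t
nodecon ff00:: ff00:: system_u:object_r:multicast_node_t
portcon tcp 21 system_u:object_r:ftp_port_t
portcon tcp 600-1023 system_u:object_r:hi_reserved_port_t
portcon tcp 1-599 system_u:object_r:reserved_port_t
"""

def parse_policy(text):
    # Keep statements in policy order; lookups below use first match (assumption).
    rules = {"netifcon": [], "nodecon": [], "portcon": []}
    for line in text.splitlines():
        f = line.split()
        if not f or f[0].startswith("#"):
            continue
        if f[0] == "netifcon":    # netifcon netif_id netif_context packet_context
            rules["netifcon"].append((f[1], f[2], f[3]))
        elif f[0] == "nodecon":   # nodecon subnet netmask node_context
            net, mask = ipaddress.ip_address(f[1]), ipaddress.ip_address(f[2])
            rules["nodecon"].append((net.version, int(net) & int(mask), int(mask), f[3]))
        elif f[0] == "portcon":   # portcon protocol port[-port] port_context
            lo, _, hi = f[2].partition("-")
            rules["portcon"].append((f[1], int(lo), int(hi or lo), f[3]))
        else:
            raise ValueError("unsupported statement: " + line)
    return rules

def netif_context(rules, name):
    # Interface label, or the netif initial SID when no netifcon names it.
    return next((c for i, c, _ in rules["netifcon"] if i == name), INITIAL_SIDS["netif"])

def node_context(rules, addr):
    # First nodecon whose subnet/netmask covers addr (same IP version), else node initial SID.
    a = ipaddress.ip_address(addr)
    for version, subnet, mask, ctx in rules["nodecon"]:
        if version == a.version and int(a) & mask == subnet:
            return ctx
    return INITIAL_SIDS["node"]

def port_context(rules, proto, port):
    # First portcon whose protocol and port range match, else port initial SID.
    for p, lo, hi, ctx in rules["portcon"]:
        if p == proto and lo <= port <= hi:
            return ctx
    return INITIAL_SIDS["port"]
```

Note that 127.0.0.2 falls back to node_t because the page's nodecon covers only the single address 127.0.0.1 (netmask 255.255.255.255), which is why the semanage node example adds a separate entry for it.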