NetworkStatements - Revision history (MediaWiki 1.23.13), feed generated 2024-03-29T08:39:10Z: http://www.selinuxproject.org/w/?title=NetworkStatements&limit=100&action=history&feed=atom
Revision history for this page on the wiki.

RichardHaines at 14:15, 28 January 2015 (2015-01-28T14:15:41Z): <a href="http://www.selinuxproject.org/w/?title=NetworkStatements&diff=1752&oldid=846">Show changes</a>
RichardHaines at 12:05, 30 November 2009 (2009-11-30T12:05:42Z): New page (http://www.selinuxproject.org/w/?title=NetworkStatements&diff=846&oldid=prev)
<p><b>New page</b></p><div>= Network Labeling Statements =<br />
The network labeling statements are used to label the following objects:<br />
<br />
'''Network interfaces''' - This covers those interfaces managed by the ifconfig(8) command.<br />
<br />
'''Network nodes''' - These are generally used to specify host systems using either IPv4 or IPv6 addresses.<br />
<br />
'''Network ports''' - These can be either udp or tcp port numbers.<br />
<br />
A security context is defined by these network labeling statements, therefore if the policy supports MCS / MLS, then an mls_range is required as described in the MLS range Definition section. Note that there are no terminating semi-colons (<nowiki>;</nowiki>) on these statements.<br />
<br />
If any of the network objects do not have a specific security context assigned by the policy, then the value given in the policy's initial SID is used (netif, node or port respectively), as shown below:<br />
<pre><br />
<nowiki># Network Initial SIDs from the Standard Reference Policy:</nowiki><br />
sid netif system_u:object_r:netif_t <br />
sid node system_u:object_r:node_t<br />
sid port system_u:object_r:port_t<br />
<br />
<nowiki># Network Initial SIDs from the MLS Reference Policy:</nowiki><br />
sid netif system_u:object_r:netif_t:s0 - s15:c0.c255<br />
sid node system_u:object_r:node_t:s0 - s15:c0.c255<br />
sid port system_u:object_r:port_t:s0<br />
</pre><br />
<br />
<br />
== IP Address Formats ==<br />
=== IPv4 Address Format ===<br />
IPv4 addresses are represented in dotted-decimal notation (four numbers, each ranging from 0 to 255, separated by dots) as shown:<br />
<pre><br />
192.77.188.166<br />
</pre><br />
=== IPv6 Address Formats ===<br />
IPv6 addresses are written as eight groups of four hexadecimal digits, where each group is separated by a colon (:) as follows:<br />
<pre><br />
2001:0db8:85a3:0000:0000:8a2e:0370:7334<br />
</pre><br />
<br />
To shorten the writing and presentation of addresses, the following rules apply:<br />
<br />
* Leading zeros in a group may be omitted, so a group of all zeros becomes a single '0', as shown:<br />
<pre><br />
2001:db8:85a3:0:0:8a2e:370:7334<br />
</pre><br />
<br />
* One or more consecutive groups that are all zeros may be replaced with two colons (::), however this is only allowed once in an address, as follows:<br />
<pre><br />
2001:db8:85a3::8a2e:370:7334<br />
</pre><br />
<br />
* The localhost (loopback) address can be written as:<br />
<pre><br />
0000:0000:0000:0000:0000:0000:0000:0001 <br />
</pre><br />
Or<br />
<pre><br />
::1<br />
</pre><br />
<br />
* The unspecified IPv6 address, i.e. all bits are zero, is written as:<br />
<pre><br />
::<br />
</pre><br />
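The shortening rules above, as an added example that is not part of the original wiki page: a small Python parser for the IPv6 forms just described. It expands any of the written forms back to eight four-digit groups (rejecting a second '::', an empty group or a wrong group count) and produces the shortened form by dropping leading zeros and collapsing the longest run of zero groups. All function names are this example's own; IPv4-mapped forms such as ::ffff:192.0.2.1 are not handled.<br />

```python
import ipaddress

_HEX = set("0123456789abcdefABCDEF")


def expand_ipv6(text):
    """Return the full eight-group, four-digit form of an IPv6 address.

    Accepts any of the written forms described above (full, leading zeros
    dropped, one '::' run) and raises ValueError for anything else.
    """
    if text.count("::") > 1:
        raise ValueError("'::' may appear only once in an address")
    if "::" in text:
        head, tail = text.split("::")
        left = head.split(":") if head else []
        right = tail.split(":") if tail else []
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError("'::' must stand for at least one group of zeros")
        groups = left + ["0"] * missing + right
    else:
        groups = text.split(":")
    if len(groups) != 8:
        raise ValueError(f"expected 8 groups, found {len(groups)}")
    for g in groups:
        # an empty group (from ':::' or a stray ':') fails the length check
        if not 1 <= len(g) <= 4 or not set(g) <= _HEX:
            raise ValueError(f"invalid group {g!r}")
    return ":".join(g.lower().zfill(4) for g in groups)


def compress_ipv6(text):
    """Return the shortened form: leading zeros dropped from every group and the
    longest run of two or more zero groups (leftmost on a tie) replaced by '::'."""
    groups = [g.lstrip("0") or "0" for g in expand_ipv6(text).split(":")]
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if groups[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == "0":
            j += 1
        if j - i > best_len:          # strict '>' keeps the leftmost run on a tie
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:
        return ":".join(groups)
    return ":".join(groups[:best_start]) + "::" + ":".join(groups[best_start + best_len:])


def is_valid_ipv6(text):
    """True when expand_ipv6() accepts the text."""
    try:
        expand_ipv6(text)
        return True
    except ValueError:
        return False


def matches_stdlib(text):
    """Cross-check: the shortened form agrees with the standard library's canonical form."""
    return compress_ipv6(text) == ipaddress.IPv6Address(text).compressed


if __name__ == "__main__":
    for addr in ("2001:0db8:85a3:0000:0000:8a2e:0370:7334", "::1", "::", "1:0:0:2:0:0:0:3"):
        print(f"{addr:40} -> {expand_ipv6(addr)} -> {compress_ipv6(addr)}")
```

The loopback and unspecified addresses from the list above come out as ::1 and :: respectively, and the hand-written compressor is checked against ipaddress.IPv6Address(...).compressed so that the tie-breaking rule (leftmost longest run) matches what the standard library produces.<br />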
<br />
<br />
== netifcon Statement ==<br />
The netifcon statement is used to label network interface objects (e.g. eth0). <br />
<br />
It is also possible to add a security context to an interface outside the policy using the 'semanage interface' command that will associate the interface to a security context.<br />
<br />
'''The statement definition is:'''<br />
<pre><br />
netifcon netif_id netif_context packet_context<br />
</pre><br />
<br />
<br />
'''Where:'''<br />
{|border="1"<br />
|netifcon<br />
|The netifcon keyword.<br />
<br />
|-<br />
|netif_id<br />
|The network interface name (e.g. eth0).<br />
<br />
|-<br />
|netif_context<br />
|The security context allocated to the network interface.<br />
<br />
|-<br />
|packet_context<br />
|The security context allocated to packets. Note that these are defined but currently unused.<br />
<br />
|}<br />
<br />
<br />
'''The statement is valid in:'''<br />
{|border="1"<br />
|<center>'''Monolithic Policy'''</center><br />
|<center>'''Base Policy'''</center><br />
|<center>'''Module Policy'''</center><br />
<br />
|-<br />
|<center>Yes</center><br />
|<center>Yes</center><br />
|<center>No</center><br />
<br />
|-<br />
|<center>'''Conditional Policy (if) Statement'''</center><br />
|<center>'''optional Statement'''</center><br />
|<center>'''require Statement'''</center><br />
<br />
|-<br />
|<center>No</center><br />
|<center>No</center><br />
|<center>No</center><br />
<br />
|}<br />
<br />
<br />
'''Examples:'''<br />
<pre><br />
<nowiki># The following </nowiki>''netifcon'' statement has been taken from the <br />
<nowiki># MLS policy that shows an interface name of </nowiki>''lo'' with the same<br />
<nowiki># security context assigned to both the interface and packets.</nowiki><br />
<br />
netifcon lo system_u:object_r:lo_netif_t:s0 - s15:c0.c255 system_u:object_r:unlabeled_t:s0 - s15:c0.c255<br />
</pre><br />
<br />
'''semanage(8) Command example:'''<br />
<pre><br />
semanage interface -a -t unconfined_t eth0<br />
</pre><br />
<br />
This command will produce the following file in the default <nowiki><policy_name></nowiki> policy store and then activate the policy:<br />
<br />
<nowiki>/etc/selinux/<policy_name>/modules/active/interfaces.local:</nowiki><br />
<br />
<pre><br />
<nowiki># This file is auto-generated by libsemanage</nowiki><br />
<nowiki># Do not edit directly.</nowiki><br />
<br />
netifcon eth0 system_u:object_r:unconfined_t system_u:object_r:unconfined_t<br />
</pre><br />
<br />
<br />
== nodecon Statement ==<br />
The nodecon statement is used to label network address objects that represent IPv4 or IPv6 IP addresses and network masks.<br />
<br />
It is also possible to add a security context to a node outside the policy using the 'semanage node' command that will associate the node to a security context.<br />
<br />
'''The statement definition is:'''<br />
<pre><br />
nodecon subnet netmask node_context<br />
</pre><br />
<br />
<br />
'''Where:'''<br />
{|border="1"<br />
|nodecon<br />
|The nodecon keyword.<br />
<br />
|-<br />
|subnet<br />
|The subnet or specific IP address in IPv4 or IPv6 format.<br />
<br />
Note that the subnet and netmask values are used to ensure that the node_context is assigned to all IP addresses within the subnet range.<br />
<br />
|-<br />
|netmask<br />
|The subnet mask in IPv4 or IPv6 format.<br />
<br />
|-<br />
|node_context<br />
|The security context for the node.<br />
<br />
|}<br />
<br />
<br />
'''The statement is valid in:'''<br />
{|border="1"<br />
|<center>'''Monolithic Policy'''</center><br />
|<center>'''Base Policy'''</center><br />
|<center>'''Module Policy'''</center><br />
<br />
|-<br />
|<center>Yes</center><br />
|<center>Yes</center><br />
|<center>No</center><br />
<br />
|-<br />
|<center>'''Conditional Policy (if) Statement'''</center><br />
|<center>'''optional Statement'''</center><br />
|<center>'''require Statement'''</center><br />
<br />
|-<br />
|<center>No</center><br />
|<center>No</center><br />
|<center>No</center><br />
<br />
|}<br />
<br />
<br />
'''Examples:'''<br />
<pre><br />
<nowiki># The Standard Reference Policy </nowiki>nodecon statement for the IPv4<br />
<nowiki># Local Host:</nowiki><br />
<br />
nodecon 127.0.0.1 255.255.255.255 system_u:object_r:lo_node_t<br />
<br />
<nowiki># The equivalent MLS Reference Policy </nowiki>nodecon statement for the <br />
<nowiki># IPv4 Local Host:</nowiki><br />
<br />
nodecon 127.0.0.1 255.255.255.255 system_u:object_r:lo_node_t:s0 - s15:c0.c255<br />
</pre><br />
<br />
<pre><br />
<nowiki># The Standard Reference Policy </nowiki>nodecon statement for the IPv4 <br />
<nowiki># multicast address:</nowiki><br />
<br />
nodecon 127.0.0.1 255.255.255.255 system_u:object_r:lo_node_t:s0 - s15:c0.c255<br />
<br />
<nowiki># The equivalent MLS Reference Policy </nowiki>nodecon statement for the <br />
<nowiki># multicast address, however using an IPv6 address:</nowiki><br />
<br />
nodecon ff00:: ff00:: system_u:object_r:multicast_node_t:s0 - s15:c0.c255<br />
</pre><br />
<br />
'''semanage(8) Command example:'''<br />
<pre><br />
semanage node -a -t unconfined_t -p ipv4 -M 255.255.255.255 127.0.0.2<br />
</pre><br />
<br />
This command will produce the following file in the default <nowiki><policy_name></nowiki> policy store and then activate the policy:<br />
<br />
<nowiki>/etc/selinux/<policy_name>/modules/active/nodes.local:</nowiki><br />
<pre><br />
<nowiki># This file is auto-generated by libsemanage</nowiki><br />
<nowiki># Do not edit directly.</nowiki><br />
<br />
'''COMMAND FAILED TO WORK''' (fixed in a later release)<br />
</pre><br />
<br />
<br />
== portcon Statement ==<br />
The portcon statement is used to label udp or tcp ports.<br />
<br />
It is also possible to add a security context to ports outside the policy using the 'semanage port' command that will associate the port (or range of ports) to a security context.<br />
<br />
'''The statement definition is:'''<br />
<pre><br />
portcon protocol port_number port_context<br />
</pre><br />
<br />
<br />
'''Where:'''<br />
{|border="1"<br />
|portcon<br />
|The portcon keyword.<br />
<br />
|-<br />
|protocol<br />
|The protocol type. Valid entries are udp or tcp.<br />
<br />
|-<br />
|port_number<br />
|The port number or range of ports. The ranges are separated by a hyphen (-).<br />
<br />
|-<br />
|port_context<br />
|The security context for the port or range of ports.<br />
<br />
|}<br />
<br />
<br />
'''The statement is valid in:'''<br />
{|border="1"<br />
|<center>'''Monolithic Policy'''</center><br />
|<center>'''Base Policy'''</center><br />
|<center>'''Module Policy'''</center><br />
<br />
|-<br />
|<center>Yes</center><br />
|<center>Yes</center><br />
|<center>No</center><br />
<br />
|-<br />
|<center>'''Conditional Policy (if) Statement'''</center><br />
|<center>'''optional Statement'''</center><br />
|<center>'''require Statement'''</center><br />
<br />
|-<br />
|<center>No</center><br />
|<center>No</center><br />
|<center>No</center><br />
<br />
|}<br />
<br />
<br />
'''Examples:'''<br />
<br />
<pre><br />
<nowiki># The Standard Reference Policy </nowiki>portcon statements:<br />
portcon tcp 20 system_u:object_r:ftp_data_port_t<br />
portcon tcp 21 system_u:object_r:ftp_port_t<br />
portcon tcp 600-1023 system_u:object_r:hi_reserved_port_t<br />
portcon udp 600-1023 system_u:object_r:hi_reserved_port_t<br />
portcon tcp 1-599 system_u:object_r:reserved_port_t<br />
portcon udp 1-599 system_u:object_r:reserved_port_t<br />
<br />
<nowiki># The equivalent MLS Reference Policy </nowiki>portcon statements:<br />
<br />
portcon tcp 20 system_u:object_r:ftp_data_port_t:s0<br />
portcon tcp 21 system_u:object_r:ftp_port_t:s0<br />
portcon tcp 600-1023 system_u:object_r:hi_reserved_port_t:s0<br />
portcon udp 600-1023 system_u:object_r:hi_reserved_port_t:s0<br />
portcon tcp 1-599 system_u:object_r:reserved_port_t:s0<br />
portcon udp 1-599 system_u:object_r:reserved_port_t:s0<br />
</pre><br />
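An added example, not taken from the wiki page or from the reference policy, that ties the netifcon, nodecon and portcon statements together with the initial SID fallback described at the top of the page: it parses statements written in the forms shown above out of a constructed policy fragment and resolves an interface name, an IP address or a protocol/port pair to a security context, returning the netif, node or port initial SID context when no statement matches. The matching rule used here (statements are tried in the order written and the first match wins; a nodecon matches when address AND netmask equals subnet AND netmask) and every function name are this example's assumptions, not something the page states.<br />

```python
import ipaddress
import re

# Constructed policy fragment for this example, in the statement forms shown
# on this page: the MLS initial SIDs plus a few netifcon/nodecon/portcon lines.
SAMPLE_POLICY = """
sid netif system_u:object_r:netif_t:s0 - s15:c0.c255
sid node system_u:object_r:node_t:s0 - s15:c0.c255
sid port system_u:object_r:port_t:s0
netifcon lo system_u:object_r:lo_netif_t:s0 - s15:c0.c255 system_u:object_r:unlabeled_t:s0 - s15:c0.c255
nodecon 127.0.0.1 255.255.255.255 system_u:object_r:lo_node_t:s0 - s15:c0.c255
nodecon ff00:: ff00:: system_u:object_r:multicast_node_t:s0 - s15:c0.c255
# specific ports before the ranges that would otherwise swallow them
portcon tcp 21 system_u:object_r:ftp_port_t:s0
portcon tcp 600-1023 system_u:object_r:hi_reserved_port_t:s0
portcon tcp 1-599 system_u:object_r:reserved_port_t:s0
portcon udp 1-599 system_u:object_r:reserved_port_t:s0
"""

# A context is user:role:type plus an optional MLS/MCS range such as ":s0" or
# ":s0 - s15:c0.c255"; the range may contain spaces, so split() is not enough.
_LEVEL = r"s\d+(?::c\d+(?:[.,]c\d+)*)?"
_CTX = rf"\w+:\w+:\w+(?::{_LEVEL}(?:\s*-\s*{_LEVEL})?)?"
_RULES = {
    "sid": re.compile(rf"^sid\s+(netif|node|port)\s+({_CTX})\s*$"),
    "netifcon": re.compile(rf"^netifcon\s+(\S+)\s+({_CTX})\s+({_CTX})\s*$"),
    "nodecon": re.compile(rf"^nodecon\s+(\S+)\s+(\S+)\s+({_CTX})\s*$"),
    "portcon": re.compile(rf"^portcon\s+(tcp|udp)\s+(\d+)(?:-(\d+))?\s+({_CTX})\s*$"),
}


def parse_policy(text):
    """Collect the network initial SIDs and labeling statements, in source order.

    Blank lines and '#' comments are skipped; any other line that is not one of
    the four forms raises ValueError rather than being silently dropped.
    """
    policy = {"sid": {}, "netifcon": {}, "nodecon": [], "portcon": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword = line.split()[0]
        rule = _RULES.get(keyword)
        m = rule.match(line) if rule else None
        if m is None:
            raise ValueError(f"line {lineno}: unrecognised statement {line!r}")
        if keyword == "sid":
            policy["sid"][m.group(1)] = m.group(2)
        elif keyword == "netifcon":
            policy["netifcon"][m.group(1)] = (m.group(2), m.group(3))  # (interface ctx, packet ctx)
        elif keyword == "nodecon":
            subnet, mask = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
            if subnet.version != mask.version:
                raise ValueError(f"line {lineno}: subnet and netmask differ in IP version")
            policy["nodecon"].append((subnet.version, int(subnet) & int(mask), int(mask), m.group(3)))
        else:
            low = int(m.group(2))
            high = int(m.group(3)) if m.group(3) else low  # single port: low == high
            policy["portcon"].append((m.group(1), low, high, m.group(4)))
    return policy


def interface_context(policy, netif_id):
    """netifcon lookup: the interface context, else the netif initial SID context."""
    entry = policy["netifcon"].get(netif_id)
    return entry[0] if entry else policy["sid"]["netif"]


def node_context(policy, address):
    """nodecon lookup: first statement (in source order) whose subnet/netmask covers
    the address, i.e. (address & netmask) == (subnet & netmask), else the node initial SID."""
    ip = ipaddress.ip_address(address)
    for version, subnet, mask, ctx in policy["nodecon"]:
        if version == ip.version and (int(ip) & mask) == subnet:
            return ctx
    return policy["sid"]["node"]


def port_context(policy, protocol, port):
    """portcon lookup: first statement for the protocol whose range contains the port."""
    for proto, low, high, ctx in policy["portcon"]:
        if proto == protocol and low <= port <= high:
            return ctx
    return policy["sid"]["port"]


if __name__ == "__main__":
    pol = parse_policy(SAMPLE_POLICY)
    for label, value in (
        ("netif lo", interface_context(pol, "lo")),
        ("netif eth0", interface_context(pol, "eth0")),       # no netifcon -> initial SID
        ("node 127.0.0.1", node_context(pol, "127.0.0.1")),
        ("node ff02::1", node_context(pol, "ff02::1")),       # ff02::1 & ff00:: == ff00::
        ("node 192.0.2.10", node_context(pol, "192.0.2.10")),  # no nodecon -> initial SID
        ("udp/21", port_context(pol, "udp", 21)),             # only udp 1-599 matches
        ("tcp/8080", port_context(pol, "tcp", 8080)),         # no portcon -> initial SID
    ):
        print(f"{label:18} {value}")
```

Because the lookups stop at the first match, the order of the portcon lines matters: the single-port ftp_port_t statement has to precede the 1-599 range, which is why the reference policy fragments above list the specific ports first. The ordering assumption is this example's, not a statement from the page; the same parser also catches the kind of stray space that crept into the MLS nodecon example on this page, since such a line no longer matches the context pattern and is reported with its line number instead of being silently dropped.<br />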
<br />
'''semanage(8) Command example:'''<br />
<pre><br />
semanage port -a -t unconfined_t -p udp 1234<br />
</pre><br />
<br />
This command will produce the following file in the default <nowiki><policy_name></nowiki> policy store and then activate the policy:<br />
<br />
<nowiki>/etc/selinux/<policy_name>/modules/active/ports.local:</nowiki><br />
<br />
<pre><br />
<nowiki># This file is auto-generated by libsemanage</nowiki><br />
<nowiki># Do not edit directly.</nowiki><br />
<br />
portcon udp 1234 system_u:object_r:unconfined_t<br />
</pre></div>