Difference between revisions of "NetworkStatements"
Latest revision as of 14:15, 28 January 2015
Network Labeling Statements
The network labeling statements are used to label the following objects:
- Network interfaces - This covers those interfaces managed by the ifconfig(8) command.
- Network nodes - These are generally used to specify host systems using either IPv4 or IPv6 addresses.
- Network ports - These can be either udp or tcp port numbers.
A security context is defined by these network labeling statements, therefore if the policy supports MCS / MLS, then an mls_range is required as described in the MLS range Definition section. Note that there are no terminating semi-colons (;) on these statements.
If any of the network objects do not have a specific security context assigned by the policy, then the value given in the policy's initial SID is used (netif, node or port respectively), as shown below:
# Network Initial SIDs from the MLS Reference Policy:
sid netif system_u:object_r:netif_t:s0 - s15:c0.c255
sid node system_u:object_r:node_t:s0 - s15:c0.c255
sid port system_u:object_r:port_t:s0
IP Address Formats
IPv4 Address Format
IPv4 addresses are represented in dotted-decimal notation (four numbers, each ranging from 0 to 255, separated by dots) as shown:
192.77.188.166
IPv6 Address Formats
IPv6 addresses are written as eight groups of four hexadecimal digits, where each group is separated by a colon (:) as follows:
2001:0db8:85a3:0000:0000:8a2e:0370:7334
To shorten the writing and presentation of addresses, the following rules apply:
- Any leading zeros in a group may be omitted, and a group consisting entirely of zeros is written as a single '0', as shown:
2001:db8:85a3:0:0:8a2e:370:7334
- One or more consecutive groups consisting entirely of zeros may be omitted and replaced with two colons (::); this is only allowed once in an address, as follows:
2001:db8:85a3::8a2e:370:7334
- The localhost (loopback) address can be written as:
0000:0000:0000:0000:0000:0000:0000:0001
Or
::1
- An undetermined IPv6 address i.e. all bits are zero is written as:
::
netifcon
The netifcon statement is used to label network interface objects (e.g. eth0).
It is also possible to use the 'semanage interface' command to associate the interface to a security context.
The statement definition is:
netifcon netif_id netif_context packet_context
Where:
netifcon | The netifcon keyword. |
netif_id | The network interface name (e.g. eth0). |
netif_context | The security context allocated to the network interface. |
packet_context | The security context allocated to packets. Note that these are defined but currently unused.
The iptables SECMARK services should be used to label packets. |
The statement is valid in:
Monolithic Policy | Base Policy | Module Policy
Yes | Yes | No
if Statement | optional Statement | require Statement
No | No | No
Examples:
# The following netifcon statement has been taken from the
# MLS policy that shows an interface name of lo with the same
# security context assigned to both the interface and packets.
netifcon lo system_u:object_r:lo_netif_t:s0 - s15:c0.c255 system_u:object_r:unlabeled_t:s0 - s15:c0.c255
semanage(8) Command example:
semanage interface -a -t netif_t eth2
This command will produce the following file in the default <policy_name> policy store and then activate the policy:
/etc/selinux/<policy_name>/modules/active/interfaces.local:
# This file is auto-generated by libsemanage
# Do not edit directly.
netifcon eth2 system_u:object_r:netif_t:s0 system_u:object_r:netif_t:s0
nodecon
The nodecon statement is used to label network address objects that represent IPv4 or IPv6 IP addresses and network masks.
It is also possible to add these outside the policy using the 'semanage node' command, which will associate the node with a security context.
The statement definition is:
nodecon subnet netmask node_context
Where:
nodecon | The nodecon keyword. |
subnet | The subnet or specific IP address in IPv4 or IPv6 format.
Note that the subnet and netmask values are used to ensure that the node_context is assigned to all IP addresses within the subnet range. |
netmask | The subnet mask in IPv4 or IPv6 format. |
node_context | The security context for the node. |
The statement is valid in:
Monolithic Policy | Base Policy | Module Policy
Yes | Yes | No
if Statement | optional Statement | require Statement
No | No | No
Examples:
# The MLS policy nodecon statement using an IPv4 address:
nodecon 127.0.0.1 255.255.255.255 system_u:object_r:lo_node_t:s0 - s15:c0.c255

# The MLS policy nodecon statement for the multicast address using an IPv6 address:
nodecon ff00:: ff00:: system_u:object_r:multicast_node_t:s0 - s15:c0.c255
semanage(8) Command example:
semanage node -a -t node_t -p ipv4 -M 255.255.255.255 127.0.0.2
This command will produce the following file in the default <policy_name> policy store and then activate the policy:
/etc/selinux/<policy_name>/modules/active/nodes.local:
# This file is auto-generated by libsemanage
# Do not edit directly.
nodecon ipv4 127.0.0.2 255.255.255.255 system_u:object_r:node_t:s0
portcon
The portcon statement is used to label udp or tcp ports.
It is also possible to add a security context to ports outside the policy using the 'semanage port' command that will associate the port (or range of ports) to a security context.
The statement definition is:
portcon protocol port_number port_context
Where:
portcon | The portcon keyword. |
protocol | The protocol type. Valid entries are udp or tcp. |
port_number | The port number or range of ports. The ranges are separated by a hyphen (-). |
port_context | The security context for the port or range of ports. |
The statement is valid in:
Monolithic Policy | Base Policy | Module Policy
Yes | Yes | No
if Statement | optional Statement | require Statement
No | No | No
Examples:
# The MLS policy portcon statements:
portcon tcp 20 system_u:object_r:ftp_data_port_t:s0
portcon tcp 21 system_u:object_r:ftp_port_t:s0
portcon tcp 600-1023 system_u:object_r:hi_reserved_port_t:s0
portcon udp 600-1023 system_u:object_r:hi_reserved_port_t:s0
portcon tcp 1-599 system_u:object_r:reserved_port_t:s0
portcon udp 1-599 system_u:object_r:reserved_port_t:s0
semanage(8) Command example:
semanage port -a -t reserved_port_t -p udp 1234
This command will produce the following file in the default <policy_name> policy store and then activate the policy:
/etc/selinux/<policy_name>/modules/active/ports.local:
# This file is auto-generated by libsemanage
# Do not edit directly.
portcon udp 1234 system_u:object_r:reserved_port_t:s0
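To tie the three statement types and the initial SID fallback together, here is an added worked example (not code from the SELinux Notebook or from the SELinux project): a small parser for netifcon, nodecon and portcon statements plus the three network initial SIDs, and lookups that answer which context an interface, an address or a port receives. The POLICY text is constructed from the statements quoted on this page. Two simplifications are assumptions of this example only: contexts are parsed by token shape (an MLS context is written 'low - high', so it spans three whitespace-separated tokens), and lookups return the first matching statement in file order, which is not a description of how the policy compiler or the kernel order their lookups.

```python
# Added example (not from the SELinux Notebook page): parse the network
# labeling statements quoted on the page and resolve contexts from them.
import ipaddress

# Constructed from the statements quoted on the page.
POLICY = """\
# initial SIDs from the MLS Reference Policy
sid netif system_u:object_r:netif_t:s0 - s15:c0.c255
sid node system_u:object_r:node_t:s0 - s15:c0.c255
sid port system_u:object_r:port_t:s0
# labeling statements (no terminating semi-colons)
netifcon lo system_u:object_r:lo_netif_t:s0 - s15:c0.c255 system_u:object_r:unlabeled_t:s0 - s15:c0.c255
nodecon 127.0.0.1 255.255.255.255 system_u:object_r:lo_node_t:s0 - s15:c0.c255
nodecon ff00:: ff00:: system_u:object_r:multicast_node_t:s0 - s15:c0.c255
portcon tcp 20 system_u:object_r:ftp_data_port_t:s0
portcon tcp 21 system_u:object_r:ftp_port_t:s0
portcon tcp 600-1023 system_u:object_r:hi_reserved_port_t:s0
portcon udp 600-1023 system_u:object_r:hi_reserved_port_t:s0
portcon tcp 1-599 system_u:object_r:reserved_port_t:s0
portcon udp 1-599 system_u:object_r:reserved_port_t:s0
"""


def _context(tok, i):
    """Consume one security context starting at tok[i] and return (ctx, next_i).
    An MLS context 'low - high' is three tokens after a whitespace split."""
    if tok[i].count(":") < 2:              # needs at least user:role:type
        raise ValueError(f"not a security context: {tok[i]!r}")
    ctx, i = tok[i], i + 1
    if i + 1 < len(tok) and tok[i] == "-":
        ctx, i = f"{ctx} - {tok[i + 1]}", i + 2
    return ctx, i


def parse_policy(text):
    """Return {'sid': {...}, 'netifcon': {...}, 'nodecon': [...], 'portcon': [...]}."""
    pol = {"sid": {}, "netifcon": {}, "nodecon": [], "portcon": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith(";"):
            raise ValueError(f"network labeling statements take no ';': {line}")
        tok = line.split()
        if len(tok) < 3:
            raise ValueError(f"incomplete statement: {line}")
        kw = tok[0]
        if kw == "sid":
            pol["sid"][tok[1]], i = _context(tok, 2)
        elif kw == "netifcon":
            if_ctx, i = _context(tok, 2)
            pkt_ctx, i = _context(tok, i)
            pol["netifcon"][tok[1]] = (if_ctx, pkt_ctx)
        elif kw == "nodecon":
            addr, mask = ipaddress.ip_address(tok[1]), ipaddress.ip_address(tok[2])
            if addr.version != mask.version:
                raise ValueError(f"subnet/netmask address family mismatch: {line}")
            ctx, i = _context(tok, 3)
            pol["nodecon"].append((addr, mask, ctx))
        elif kw == "portcon":
            proto = tok[1]
            if proto not in ("tcp", "udp"):
                raise ValueError(f"protocol must be tcp or udp: {line}")
            lo, _, hi = tok[2].partition("-")     # single port or lo-hi range
            lo, hi = int(lo), int(hi or lo)
            if not 1 <= lo <= hi <= 65535:
                raise ValueError(f"bad port range: {line}")
            ctx, i = _context(tok, 3)
            pol["portcon"].append((proto, lo, hi, ctx))
        else:
            raise ValueError(f"not a network labeling statement: {line}")
        if i != len(tok):
            raise ValueError(f"unexpected trailing tokens: {line}")
    return pol


def netif_context(pol, name):
    """Interface context; unknown interfaces fall back to the netif initial SID."""
    return pol["netifcon"].get(name, (pol["sid"]["netif"], None))[0]


def node_context(pol, ip):
    """First nodecon whose subnet/netmask covers ip, else the node initial SID
    (first-match-in-file-order is an assumption of this example)."""
    ip = ipaddress.ip_address(ip)
    for addr, mask, ctx in pol["nodecon"]:
        if addr.version == ip.version and (int(ip) & int(mask)) == (int(addr) & int(mask)):
            return ctx
    return pol["sid"]["node"]


def port_context(pol, proto, port):
    """First portcon covering (proto, port), else the port initial SID."""
    for p, lo, hi, ctx in pol["portcon"]:
        if p == proto and lo <= port <= hi:
            return ctx
    return pol["sid"]["port"]


def rejects(text):
    """True if parse_policy refuses the text with ValueError."""
    try:
        parse_policy(text)
    except ValueError:
        return True
    return False


POL = parse_policy(POLICY)

if __name__ == "__main__":
    print("lo     ->", netif_context(POL, "lo"))
    print("eth0   ->", netif_context(POL, "eth0"))
    print("ff02::1 ->", node_context(POL, "ff02::1"))
    print("tcp/21  ->", port_context(POL, "tcp", 21))
    print("udp/1234 ->", port_context(POL, "udp", 1234))
```

The fallbacks are the point worth checking on a real system: an address such as 10.0.0.1 or a port such as udp 1234 that no statement covers resolves to the node or port initial SID, which is what the semanage examples on this page override by adding local nodecon and portcon entries.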