NetworkStatements

From SELinux Wiki
Revision as of 12:05, 30 November 2009 by RichardHaines (Talk | contribs)


Network Labeling Statements

The network labeling statements are used to label the following objects:

Network interfaces - This covers those interfaces managed by the ifconfig(8) command.

Network nodes - These are generally used to specify host systems using either IPv4 or IPv6 addresses.

Network ports - These can be either udp or tcp port numbers.

Each of these network labeling statements defines a security context; therefore, if the policy supports MCS / MLS, an mls_range is required as described in the MLS range Definition section. Note that there are no terminating semi-colons (;) on these statements.

If a network object does not have a specific security context assigned by the policy, then the value given in the policy's initial SID is used (netif, node or port respectively), as shown below:

# Network Initial SIDs from the Standard Reference Policy:
sid netif system_u:object_r:netif_t 
sid node system_u:object_r:node_t
sid port system_u:object_r:port_t

# Network Initial SIDs from the MLS Reference Policy:
sid netif system_u:object_r:netif_t:s0 - s15:c0.c255
sid node system_u:object_r:node_t:s0 - s15:c0.c255
sid port system_u:object_r:port_t:s0


IP Address Formats

IPv4 Address Format

IPv4 addresses are represented in dotted-decimal notation (four numbers, each ranging from 0 to 255, separated by dots) as shown:

192.77.188.166

IPv6 Address Formats

IPv6 addresses are written as eight groups of four hexadecimal digits, where each group is separated by a colon (:) as follows:

2001:0db8:85a3:0000:0000:8a2e:0370:7334

To shorten the writing and presentation of addresses, the following rules apply:

  • Leading zeros in a group may be omitted, so a group of all zeros is written as a single '0', as shown:
2001:db8:85a3:0:0:8a2e:370:7334
  • One run of consecutive all-zero groups may be replaced with two colons (::); this is allowed only once in an address, as follows:
2001:db8:85a3::8a2e:370:7334
  • The localhost (loopback) address can be written as:
0000:0000:0000:0000:0000:0000:0000:0001
or
::1
  • An undetermined IPv6 address (i.e. all bits are zero) is written as:
::


netifcon Statement

The netifcon statement is used to label network interface objects (e.g. eth0).

It is also possible to label interfaces outside the policy using the 'semanage interface' command, which associates the interface with a security context.

The statement definition is:

netifcon netif_id netif_context packet_context


Where:

netifcon The netifcon keyword.
netif_id The network interface name (e.g. eth0).
netif_context The security context allocated to the network interface.
packet_context The security context allocated to packets. Note that these are defined but currently unused.


The statement is valid in:

Monolithic Policy                  Yes
Base Policy                        Yes
Module Policy                      No
Conditional Policy (if) Statement  No
optional Statement                 No
require Statement                  No


Examples:

# The following netifcon statement has been taken from the
# MLS policy and shows an interface name of lo with the same
# security context assigned to both the interface and packets.

netifcon lo system_u:object_r:lo_netif_t:s0 - s15:c0.c255 system_u:object_r:unlabeled_t:s0 - s15:c0.c255

semanage(8) Command example:

semanage interface -a -t unconfined_t eth0

This command will produce the following file in the default <policy_name> policy store and then activate the policy:

/etc/selinux/<policy_name>/modules/active/interfaces.local:

# This file is auto-generated by libsemanage
# Do not edit directly.

netifcon eth0 system_u:object_r:unconfined_t system_u:object_r:unconfined_t


nodecon Statement

The nodecon statement is used to label network address objects that represent IPv4 or IPv6 IP addresses and network masks.

It is also possible to label nodes outside the policy using the 'semanage node' command, which associates the node with a security context.

The statement definition is:

nodecon subnet netmask node_context


Where:

nodecon The nodecon keyword.
subnet The subnet or specific IP address in IPv4 or IPv6 format.
netmask The subnet mask in IPv4 or IPv6 format.
node_context The security context for the node.

Note that the subnet and netmask values are used to ensure that the node_context is assigned to all IP addresses within the subnet range.


The statement is valid in:

Monolithic Policy                  Yes
Base Policy                        Yes
Module Policy                      No
Conditional Policy (if) Statement  No
optional Statement                 No
require Statement                  No


Examples:

# The Standard Reference Policy nodecon statement for the IPv4
# Local Host:

nodecon 127.0.0.1 255.255.255.255 system_u:object_r:lo_node_t

# The equivalent MLS Reference Policy nodecon statement for the 
# IPv4 Local Host:

nodecon 127.0.0.1 255.255.255.255 system_u:object_r:lo_node_t:s0 - s15:c0.c255

# The Standard Reference Policy nodecon statement for the IPv4 
# multicast address:

nodecon 127.0.0.1 255.255.255.255 system_u:object_r:lo_node_t:s0 - s15:c0.c255

# The equivalent MLS Reference Policy nodecon statement for the 
# multicast address, however using an IPv6 address:

nodecon ff00:: ff00:: system_u:object_r:multicast_node_t:s0 - s15:c0.c255
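The following is an added example, not code from the SELinux wiki page, the reference policy or libsemanage. It parses nodecon statements (including the IPv6 compressed forms described above), resolves an address to the context of the first matching subnet/netmask pair, falls back to the node initial SID quoted earlier when nothing matches, and lints the list for entries that an earlier, broader entry shadows. Assumptions: first-match in statement order, which is how the kernel walks its node list; the policy fragment is constructed for illustration and the example_* types are hypothetical.

```python
"""Resolve a node (IP address) to its nodecon context.

Added example; not code from the SELinux wiki page nor part of the
reference policy or libsemanage. Assumptions: matching is first-match in
statement order, an address with no match receives the 'node' initial SID
context quoted on the page, and the policy fragment below is constructed
(the example_* types are hypothetical).
"""
import ipaddress
import re
from typing import List, NamedTuple, Union

# Initial SID context used when no nodecon matches (MLS Reference Policy).
NODE_INITIAL_SID = "system_u:object_r:node_t:s0 - s15:c0.c255"

# Constructed policy fragment. Note: no terminating semicolons, and the
# security context may itself contain spaces (the MLS range).
POLICY = """
# IPv4 loopback host (from the page)
nodecon 127.0.0.1 255.255.255.255 system_u:object_r:lo_node_t:s0 - s15:c0.c255
# IPv6 multicast block (from the page)
nodecon ff00:: ff00:: system_u:object_r:multicast_node_t:s0 - s15:c0.c255
# IPv6 loopback, subnet written in compressed form
nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system_u:object_r:lo_node_t:s0 - s15:c0.c255
# Hypothetical site subnet, then a host inside it that can never match
nodecon 192.0.2.0 255.255.255.0 system_u:object_r:example_node_t:s0
nodecon 192.0.2.10 255.255.255.255 system_u:object_r:example_host_node_t:s0
"""

NODECON_RE = re.compile(r"^nodecon\s+(\S+)\s+(\S+)\s+(.+?)\s*$")
Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


class NodeCon(NamedTuple):
    subnet: Address
    netmask: Address
    context: str


def parse_nodecons(policy_text: str) -> List[NodeCon]:
    """Parse nodecon lines; comments and blank lines are skipped."""
    entries = []
    for raw in policy_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = NODECON_RE.match(line)
        if not m:
            raise ValueError(f"not a nodecon statement: {line!r}")
        # ip_address() accepts dotted-decimal IPv4 and full or compressed IPv6.
        subnet = ipaddress.ip_address(m.group(1))
        netmask = ipaddress.ip_address(m.group(2))
        if subnet.version != netmask.version:
            raise ValueError(f"subnet/netmask family mismatch: {line!r}")
        entries.append(NodeCon(subnet, netmask, m.group(3)))
    return entries


def node_context(address: str, entries: List[NodeCon]) -> str:
    """Return the context of the first nodecon covering the address."""
    ip = ipaddress.ip_address(address)
    for e in entries:
        if e.subnet.version == ip.version and int(ip) & int(e.netmask) == int(e.subnet):
            return e.context
    return NODE_INITIAL_SID


def check_nodecons(entries: List[NodeCon]) -> List[str]:
    """Lint: subnets with bits set outside the mask, and shadowed entries."""
    problems = []
    for i, e in enumerate(entries):
        if int(e.subnet) & int(e.netmask) != int(e.subnet):
            problems.append(f"entry {i}: {e.subnet} has bits set outside netmask {e.netmask}")
        for j in range(i):
            prev = entries[j]
            if prev.subnet.version != e.subnet.version:
                continue
            # prev covers every address e covers when prev's mask bits are a
            # subset of e's and e's subnet lies inside prev's subnet.
            if (int(prev.netmask) & int(e.netmask)) == int(prev.netmask) and \
               (int(e.subnet) & int(prev.netmask)) == int(prev.subnet):
                problems.append(f"entry {i} ({e.subnet}/{e.netmask}) is shadowed by "
                                f"entry {j} ({prev.subnet}/{prev.netmask})")
                break
    return problems


if __name__ == "__main__":
    nodes = parse_nodecons(POLICY)
    for addr in ("127.0.0.1", "ff02::1", "0000:0000:0000:0000:0000:0000:0000:0001",
                 "192.0.2.10", "198.51.100.7", "::"):
        print(f"{addr:>40} -> {node_context(addr, nodes)}")
    for p in check_nodecons(nodes):
        print("warning:", p)
```

The shadow check is the part worth keeping: because a node takes the first statement that matches, a specific host placed after the subnet that contains it is dead policy, and the only symptom at runtime is that the host silently gets the broader subnet's label.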

semanage(8) Command example:

semanage node -a -t unconfined_t -p ipv4 -M 255.255.255.255 127.0.0.2

This command will produce the following file in the default <policy_name> policy store and then activate the policy:

/etc/selinux/<policy_name>/modules/active/nodes.local:

# This file is auto-generated by libsemanage
# Do not edit directly.

COMMAND FAILED TO WORK (fixed in a later release)


portcon Statement

The portcon statement is used to label udp or tcp ports.

It is also possible to add a security context to ports outside the policy using the 'semanage port' command that will associate the port (or range of ports) to a security context.

The statement definition is:

portcon protocol port_number port_context


Where:

portcon The portcon keyword.
protocol The protocol type. Valid entries are udp or tcp.
port_number The port number or range of ports. A range is written as two port numbers separated by a hyphen (-).
port_context The security context for the port or range of ports.


The statement is valid in:

Monolithic Policy                  Yes
Base Policy                        Yes
Module Policy                      No
Conditional Policy (if) Statement  No
optional Statement                 No
require Statement                  No


Examples:

# The Standard Reference Policy portcon statements:

portcon tcp 20 system_u:object_r:ftp_data_port_t
portcon tcp 21 system_u:object_r:ftp_port_t
portcon tcp 600-1023 system_u:object_r:hi_reserved_port_t
portcon udp 600-1023 system_u:object_r:hi_reserved_port_t
portcon tcp 1-599 system_u:object_r:reserved_port_t
portcon udp 1-599 system_u:object_r:reserved_port_t

# The equivalent MLS Reference Policy portcon statements:

portcon tcp 20 system_u:object_r:ftp_data_port_t:s0
portcon tcp 21 system_u:object_r:ftp_port_t:s0
portcon tcp 600-1023 system_u:object_r:hi_reserved_port_t:s0
portcon udp 600-1023 system_u:object_r:hi_reserved_port_t:s0
portcon tcp 1-599 system_u:object_r:reserved_port_t:s0
portcon udp 1-599 system_u:object_r:reserved_port_t:s0
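The following is an added example, not code from the SELinux wiki page, the reference policy or libsemanage. It parses portcon statements (single ports and hyphenated ranges), validates the protocol and port range, resolves a (protocol, port) pair to the first matching context, falls back to the port initial SID quoted at the top of the page, and flags entries that an earlier entry fully covers. It also includes a small split_context() helper that separates the user:role:type[:mls_range] fields, since the MLS range may itself contain colons and spaces. Assumptions: first-match in statement order, which is how the kernel walks its port list; the policy fragment is constructed and example_port_t is hypothetical.

```python
"""Resolve a (protocol, port) pair to its portcon context and lint the list.

Added example; not code from the SELinux wiki page, the reference policy or
libsemanage. Assumptions: the first matching portcon in statement order
wins, an unmatched port receives the 'port' initial SID context quoted on
the page, and the policy fragment below is constructed (example_port_t is
hypothetical).
"""
import re
from typing import List, NamedTuple, Optional, Tuple

PORT_INITIAL_SID = "system_u:object_r:port_t"  # Standard Reference Policy

POLICY = """
# Standard Reference Policy portcon statements (from the page)
portcon tcp 20 system_u:object_r:ftp_data_port_t
portcon tcp 21 system_u:object_r:ftp_port_t
portcon tcp 600-1023 system_u:object_r:hi_reserved_port_t
portcon udp 600-1023 system_u:object_r:hi_reserved_port_t
portcon tcp 1-599 system_u:object_r:reserved_port_t
portcon udp 1-599 system_u:object_r:reserved_port_t
# Entry that 'semanage port -a' writes to ports.local (from the page)
portcon udp 1234 system_u:object_r:unconfined_t
# Constructed: fully covered by the earlier 'portcon tcp 21', so never matches
portcon tcp 21 system_u:object_r:example_port_t
"""

PORTCON_RE = re.compile(r"^portcon\s+(\S+)\s+(\S+)\s+(.+?)\s*$")


class PortCon(NamedTuple):
    protocol: str
    low: int
    high: int
    context: str


def parse_port_range(spec: str) -> Tuple[int, int]:
    """'22' -> (22, 22); '600-1023' -> (600, 1023); rejects bad ranges."""
    low, _, high = spec.partition("-")
    lo = int(low)
    hi = int(high) if high else lo
    if not (1 <= lo <= hi <= 65535):
        raise ValueError(f"invalid port range: {spec!r}")
    return lo, hi


def parse_portcons(policy_text: str) -> List[PortCon]:
    """Parse portcon lines; comments and blank lines are skipped."""
    entries = []
    for raw in policy_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PORTCON_RE.match(line)
        if not m:
            raise ValueError(f"not a portcon statement: {line!r}")
        proto = m.group(1)
        if proto not in ("tcp", "udp"):
            raise ValueError(f"protocol must be tcp or udp: {line!r}")
        lo, hi = parse_port_range(m.group(2))
        entries.append(PortCon(proto, lo, hi, m.group(3)))
    return entries


def port_context(protocol: str, port: int, entries: List[PortCon]) -> str:
    """Return the context of the first portcon covering (protocol, port)."""
    for e in entries:
        if e.protocol == protocol and e.low <= port <= e.high:
            return e.context
    return PORT_INITIAL_SID


def check_portcons(entries: List[PortCon]) -> List[str]:
    """Report entries whose whole range is covered by an earlier entry."""
    problems = []
    for i, e in enumerate(entries):
        for j in range(i):
            p = entries[j]
            if p.protocol == e.protocol and p.low <= e.low and e.high <= p.high:
                problems.append(f"entry {i} ({e.protocol} {e.low}-{e.high}) is shadowed by entry {j}")
                break
    return problems


def split_context(context: str) -> Tuple[str, str, str, Optional[str]]:
    """Split user:role:type[:mls_range]; the range may contain ':' and spaces."""
    parts = context.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"malformed security context: {context!r}")
    user, role, type_ = parts[:3]
    return user, role, type_, (parts[3] if len(parts) == 4 else None)


if __name__ == "__main__":
    ports = parse_portcons(POLICY)
    for proto, port in (("tcp", 20), ("udp", 20), ("tcp", 1023), ("udp", 1234), ("tcp", 8080)):
        print(f"{proto} {port:>5} -> {port_context(proto, port, ports)}")
    for p in check_portcons(ports):
        print("warning:", p)
```

Note that the reference policy's own list above relies on ordering: tcp 20 and tcp 21 are listed before the tcp 1-599 range that also contains them, so the specific FTP labels win. Reversing that order would not be a syntax error, but the FTP ports would silently become reserved_port_t, which is exactly the kind of drift the check_portcons() lint surfaces.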

semanage(8) Command example:

semanage port -a -t unconfined_t -p udp 1234

This command will produce the following file in the default <policy_name> policy store and then activate the policy:

/etc/selinux/<policy_name>/modules/active/ports.local:

# This file is auto-generated by libsemanage
# Do not edit directly.

portcon udp 1234 system_u:object_r:unconfined_t