oracular (8) netlabelctl.8.gz

Provided by: netlabel-tools_0.30.0-1_amd64

NAME

       netlabelctl - NetLabel management utility

SYNOPSIS

       netlabelctl [<global_flags>] <module> [<module_commands>]

DESCRIPTION

       The  NetLabel management utility, netlabelctl, is a command line program designed to allow
       system administrators to configure the NetLabel system in  the  kernel.   The  utility  is
       based  around  different  "modules"  which  correspond  to the different types of NetLabel
       commands supported by the kernel.

OPTIONS

   Global Flags
       -h   Help message

       -p   Attempt to make the output human readable or "pretty"

       -t <seconds>
            Set a timeout to be used when waiting for the NetLabel subsystem to respond

       -v   Enable extra output

       -V   Display the version information

   Modules and Commands
       mgmt

       The management module is used to perform general  queries  about  the  NetLabel  subsystem
       within the kernel.  The different commands and their syntax are listed below.

       version
              Display the kernel's NetLabel management protocol version.

       protocols
              Display the kernel's list of supported labeling protocols.

       map

       The  domain  mapping module is used to map different NetLabel labeling protocols to either
       individual LSM domains or the default domain mapping.  It is up to each LSM  to  determine
       what defines a domain.  With SELinux, the normal SELinux domain should be used, e.g.
       "ping_t".  In addition to protocol selection based only on the LSM domain, it is also
       possible  to  select  the  labeling  protocol based on both the LSM domain and destination
       address.  The network address selectors can specify either single hosts or entire networks
       and work for both IPv4 and IPv6, although the labeling protocol chosen must support the IP
       version chosen.  When specifying the labeling protocol to use for each mapping there is an
       optional  "extra"  field  which is used to further identify the specific labeling protocol
       configuration.  When specifying the unlabeled protocol, "unlbl", an extra value of  either
       "4"  or  "6" may be used.  This restricts the mapping to IPv4 or IPv6 addresses.  Omitting
       the extra value will result in a mapping for all address families.   When  specifying  the
       CIPSO/IPv4  or  the  CALIPSO/IPv6  protocol, "cipso" or "calipso", the DOI value should be
       specified; see the EXAMPLES section for details.  The different commands and their  syntax
       are listed below.

       add default|domain:<domain> [address:<ADDR>[/<MASK>]] protocol:<protocol>[,<extra>]
              Add a new LSM domain / network address to NetLabel protocol mapping.

       del default|domain:<domain>
              Delete an existing LSM domain to NetLabel protocol mapping.

       list
              Display all of the configured LSM domain to NetLabel protocol mappings.
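       The selection rules described above for the map module, modelled in Python as an
       added example (this is not code from netlabel-tools or the kernel).  It parses the
       "map add" argument syntax into entries and picks the entry for a given LSM domain and
       destination address.  The most-specific-prefix rule and the per-protocol address
       family checks are my assumptions based on the text above; the entry list in the
       docstrings is constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

@dataclass
class MapEntry:
    domain: Optional[str]            # None models the "default" mapping
    network: Optional[Network]       # optional address:<ADDR>[/<MASK>] selector
    protocol: str                    # "unlbl", "cipso" or "calipso"
    extra: Optional[str] = None      # unlbl: "4"/"6"; cipso/calipso: the DOI

def parse_map_add(args: str) -> MapEntry:
    """Parse 'default|domain:<d> [address:<a>[/<m>]] protocol:<p>[,<x>]'."""
    fields = {}
    for tok in args.split():
        key, _, val = tok.partition(":")
        fields[key] = val
    domain = None if "default" in fields else fields["domain"]
    net = ipaddress.ip_network(fields["address"], strict=False) if "address" in fields else None
    proto, _, extra = fields["protocol"].partition(",")
    return MapEntry(domain, net, proto, extra or None)

def supports_family(e: MapEntry, version: int) -> bool:
    """The chosen labeling protocol must support the destination's IP version:
    cipso is IPv4-only, calipso IPv6-only, unlbl optionally restricted by extra."""
    if e.protocol == "cipso":
        return version == 4
    if e.protocol == "calipso":
        return version == 6
    if e.protocol == "unlbl" and e.extra in ("4", "6"):
        return int(e.extra) == version
    return True

def resolve(entries: List[MapEntry], domain: str, dst: str) -> Optional[MapEntry]:
    """Select the entry for (LSM domain, destination address).  The domain's own
    entries are tried before "default"; an address selector containing dst is
    preferred, longest prefix first (assumed), then a plain domain entry."""
    addr = ipaddress.ip_address(dst)
    for dom in (domain, None):
        cands = [e for e in entries if e.domain == dom and supports_family(e, addr.version)]
        matches = [e for e in cands if e.network is not None and addr in e.network]
        if matches:
            return max(matches, key=lambda e: e.network.prefixlen)
        plain = [e for e in cands if e.network is None]
        if plain:
            return plain[0]
    return None
```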

       unlbl

       The unlabeled (unlbl) module controls the unlabeled protocol, which is used both when
       labeling outgoing traffic is not desired and when unlabeled traffic is received by the
       system.  This module allows administrators to block all unlabeled packets from the
       system through the "accept" flag and to assign static, or fallback, security labels to
       unlabeled traffic based on the inbound network interface and source address.

       accept on|off
              Toggle the unlabeled traffic accept flag.

       add default|interface:<dev> address:<addr>[/<mask>] label:<label>
              Add a new static/fallback entry.

       del default|interface:<dev> address:<addr>[/<mask>]
              Delete an existing static/fallback entry.

       list
              Display the status of the unlabeled accept flag.

       cipso

       The  CIPSO/IPv4 (cipso) module controls the CIPSO/IPv4 labeling engine in the kernel.  The
       CIPSO/IPv4 engine provided by NetLabel supports multiple Domains Of  Interpretation  (DOI)
       and  the  CIPSO/IPv4  module allows for different configurations for each DOI.  At present
       there are three types of configurations, the "trans" configuration which allows on-the-fly
       translation of MLS sensitivity labels, the "pass" configuration which does not perform any
       translation of the MLS sensitivity label and the "local" configuration which  conveys  the
       full  LSM  security  label  over  localhost/loopback  connections.   Regardless  of  which
       configuration type is chosen a DOI value must be specified and if the  "trans"  or  "pass"
       configurations  are  specified  then  a  list  of  the  CIPSO/IPv4  tag  types to use when
       generating the CIPSO/IPv4 packet labels must also be specified.  The  list  of  CIPSO/IPv4
       tags  is  ordered  such  that  when  possible  the  first  tag  type listed is used when a
       CIPSO/IPv4 label is generated.  However, if it is not possible to use the first  tag  type
       then  each  tag type is checked, in order, until a suitable tag type is found.  If a valid
       tag type cannot be found then the operation causing the CIPSO/IPv4 label will fail;
       typically this occurs when a new socket is created.  The different commands and their
       syntax are listed below.

       add trans doi:<DOI> tags:<T1>,<Tn> levels:<LL1>=<RL1>,<LLn>=<RLn>
              categories:<LC1>=<RC1>,<LCn>=<RCn>
              Add  a  new CIPSO/IPv4 configuration using the standard/translated mapping with the
              given level and category translations.  The levels are translated  in  such  a  way
              that the local level "LLn" is translated to the remote, on-the-wire level of "RLn";
              the reverse translation is done for incoming packets.  The same translation is done
              for the categories using "LCn" and "RCn".  For a packet to be accepted, or a socket
              to be created by an application, there must be a translation for the sensitivity
              level and all the categories present in the MLS sensitivity label; if the entire
              requested sensitivity label cannot be translated, the application will fail.

       add pass doi:<DOI> tags:<T1>,<Tn>
              Add a new CIPSO/IPv4 configuration without any level or category translations.

       add local doi:<DOI>
              Add a new CIPSO/IPv4 configuration for localhost/loopback connections.

       del doi:<DOI>
              Delete an existing CIPSO/IPv4 configuration with the given DOI value.  If  any  LSM
              domain mappings are present which make use of this DOI they will also be deleted.

       list [doi:<DOI>]
              Display  a  list  of  all  the  CIPSO/IPv4 configurations or just the configuration
              matching the optionally specified DOI.
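       The translation rules of the "trans" configuration, modelled in Python as an added
       example (this is not code from netlabel-tools or the kernel).  It parses the "levels:"
       and "categories:" syntax of the "add trans" command above, applies the local-to-remote
       mapping to an outgoing label and the reverse mapping to an incoming one, and rejects
       any label that is not fully translatable.  The "Label" tuple type, the parse helpers and
       the one-to-one table assumption are mine.

```python
from typing import Dict, FrozenSet, List, Tuple

Label = Tuple[int, FrozenSet[int]]  # (sensitivity level, set of categories)

class TranslationError(ValueError):
    """Raised when part of a label has no entry in the DOI's translation table."""

def parse_pairs(spec: str) -> Dict[int, int]:
    """Parse 'L1=R1,L2=R2' (local=remote) into {local: remote}."""
    table: Dict[int, int] = {}
    for pair in spec.split(","):
        local, remote = pair.split("=")
        table[int(local)] = int(remote)
    return table

def parse_trans_args(args: str) -> Tuple[int, List[int], Dict[int, int], Dict[int, int]]:
    """Parse the arguments of 'netlabelctl cipso add trans ...' into
    (doi, tag list, level table, category table)."""
    fields = dict(tok.split(":", 1) for tok in args.split())
    doi = int(fields["doi"])
    tags = [int(t) for t in fields["tags"].split(",")]
    return doi, tags, parse_pairs(fields["levels"]), parse_pairs(fields["categories"])

def translate(label: Label, levels: Dict[int, int], cats: Dict[int, int]) -> Label:
    """Map a label through a table; every level and category must have an entry,
    otherwise the whole label is rejected (the kernel fails the socket/packet)."""
    level, categories = label
    if level not in levels:
        raise TranslationError(f"level {level} has no translation")
    missing = sorted(c for c in categories if c not in cats)
    if missing:
        raise TranslationError(f"categories {missing} have no translation")
    return levels[level], frozenset(cats[c] for c in categories)

def outbound(label: Label, levels: Dict[int, int], cats: Dict[int, int]) -> Label:
    """Local MLS label -> on-the-wire CIPSO label (LLn -> RLn, LCn -> RCn)."""
    return translate(label, levels, cats)

def inbound(label: Label, levels: Dict[int, int], cats: Dict[int, int]) -> Label:
    """On-the-wire CIPSO label -> local MLS label (the reverse mapping).
    Assumes the tables are one-to-one, as a sane configuration would be."""
    return translate(label, {r: l for l, r in levels.items()},
                     {r: l for l, r in cats.items()})
```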

       calipso

       The CALIPSO/IPv6 (calipso) module controls the CALIPSO/IPv6 labeling engine in the kernel.
       This behaves in a very similar way to the CIPSO/IPv4 engine; however, the protocol only
       specifies one tag-type (equivalent to CIPSO tag-type 1), so the tag-type should not be
       specified.  In addition there is no support for the "local" or "trans" configuration.  The
       different commands and their syntax are listed below.

       add pass doi:<DOI>
              Add a new CALIPSO/IPv6 configuration without any level or category translations.

       del doi:<DOI>
              Delete an existing CALIPSO/IPv6 configuration with the given DOI value.  If any LSM
              domain mappings are present which make use of this DOI they will also be deleted.

       list [doi:<DOI>]
              Display  a  list  of  all the CALIPSO/IPv6 configurations or just the configuration
              matching the optionally specified DOI.

EXIT STATUS

       Returns zero on success, errno values on failure.

EXAMPLES

       netlabelctl cipso add pass doi:16 tags:1
            Add a CIPSO/IPv4 configuration with a DOI value of "16", using  CIPSO  tag  "1"  (the
            permissive  bitmap  tag).  The CIPSO and LSM levels/categories are passed through the
            NetLabel subsystem without any translation.

       netlabelctl cipso add trans doi:8 tags:1 levels:0=0,1=1 categories:0=1,1=0
            Add a CIPSO/IPv4 configuration with a DOI value of "8",  using  CIPSO  tag  "1"  (the
            permissive  bitmap tag).  The specified mapping converts local LSM levels "0" and "1"
            to CIPSO levels "0" and "1" respectively while local LSM categories "0" and  "1"  are
            mapped to CIPSO categories "1" and "0" respectively.

       netlabelctl -p cipso list
            Display all of the CIPSO/IPv4 configurations in a human readable format.

       netlabelctl -p cipso list doi:16
            Display specific information about the CIPSO/IPv4 DOI 16 configuration.

       netlabelctl cipso del doi:8
            Delete  the  CIPSO/IPv4 configuration assigned to DOI 8.  In addition to removing the
            CIPSO/IPv4 configuration any domain mappings using this configuration  will  also  be
            removed.

       netlabelctl map add domain:lsm_domain protocol:cipso,8
            Add  a domain mapping so that all outgoing packets sent from the "lsm_domain" will be
            labeled according to the CIPSO/IPv4 protocol using DOI 8.

       netlabelctl map add domain:lsm_domain address:192.168.1.0/24 protocol:cipso,8
            Add a mapping so that  all  outgoing  packets  sent  from  the  "lsm_domain"  to  the
            192.168.1.0/24 network will be labeled according to the CIPSO/IPv4 protocol using DOI
            8.

       netlabelctl -p map list
            Display all of the domain mappings in a human readable format.

       netlabelctl map del domain:lsm_domain
            Delete the domain mapping for the "lsm_domain"; packets sent from the "lsm_domain"
            will fall back to the default NetLabel mapping.

       netlabelctl unlbl add interface:lo address:::1 label:foo
            Add  a  static/fallback label to assign the "foo" security label to unlabeled packets
            entering the system over the "lo" (loopback) interface with an IPv6 source address of
            "::1" (localhost).

       netlabelctl unlbl add default address:192.168.0.0/16 label:bar
            Add  a  static/fallback label to assign the "bar" security label to unlabeled packets
            entering  the  system  over  any  interface  with  an  IPv4  source  address  in  the
            192.168.0.0/16 network.

NOTES

       The  NetLabel  subsystem  is  supported  on  Linux  Kernels version 2.6.19 and later.  The
       static, or fallback, labels are only supported on Linux Kernels version 2.6.25 and  later.
       The  domain mapping address selectors are only supported on Linux Kernels 2.6.28 and later
       and CALIPSO/RFC5570 is only supported on Linux Kernels 4.8.0 and later.

       The NetLabel project site, with more information including the source code repository, can
       be  found  at  https://github.com/netlabel.  Please report any bugs at the project site or
       directly to the author.

AUTHOR

       Paul Moore <paul@paul-moore.com>

SEE ALSO

       netlabel-config(8)