plucky (8) netlabelctl.8.gz

Provided by: netlabel-tools_0.30.0-1_amd64

NAME

       netlabelctl - NetLabel management utility

SYNOPSIS

       netlabelctl [<global_flags>] <module> [<module_commands>]

DESCRIPTION

       The  NetLabel  management  utility,  netlabelctl,  is  a  command  line  program designed to allow system
       administrators to configure the NetLabel system in the kernel.  The utility  is  based  around  different
       "modules" which correspond to the different types of NetLabel commands supported by the kernel.

OPTIONS

   Global Flags
       -h   Help message

       -p   Attempt to make the output human readable or "pretty"

       -t <seconds>
            Set a timeout to be used when waiting for the NetLabel subsystem to respond

       -v   Enable extra output

       -V   Display the version information

   Modules and Commands
       mgmt

       The  management module is used to perform general queries about the NetLabel subsystem within the kernel.
       The different commands and their syntax are listed below.

       version
              Display the kernel's NetLabel management protocol version.

       protocols
              Display the kernel's list of supported labeling protocols.

       map

       The domain mapping module is used to map different NetLabel labeling protocols to either  individual  LSM
       domains  or  the  default domain mapping.  It is up to each LSM to determine what defines a domain.  With
       SELinux, the normal SELinux domain should be used, e.g. "ping_t".   In  addition  to  protocol  selection
       based  only  on the LSM domain, it is also possible to select the labeling protocol based on both the LSM
       domain and destination address.  The network address selectors can specify either single hosts or  entire
       networks  and  work  for  both  IPv4  and IPv6, although the labeling protocol chosen must support the IP
       version chosen.  When specifying the labeling protocol to use for  each  mapping  there  is  an  optional
       "extra"  field  which  is  used  to  further identify the specific labeling protocol configuration.  When
       specifying the unlabeled protocol, "unlbl", an extra value of either  "4"  or  "6"  may  be  used.   This
       restricts  the  mapping to IPv4 or IPv6 addresses.  Omitting the extra value will result in a mapping for
       all address families.  When specifying the CIPSO/IPv4 or the CALIPSO/IPv6 protocol, "cipso" or "calipso",
       the  DOI  value  should  be  specified; see the EXAMPLES section for details.  The different commands and
       their syntax are listed below.

       add default|domain:<domain> [address:<ADDR>[/<MASK>]] protocol:<protocol>[,<extra>]
              Add a new LSM domain / network address to NetLabel protocol mapping.

       del default|domain:<domain>
              Delete an existing LSM domain to NetLabel protocol mapping.

       list
              Display all of the configured LSM domain to NetLabel protocol mappings.

       unlbl

       The unlabeled (unlbl) module controls the unlabeled protocol, which is used both  when  labeling  outgoing
       traffic is not desired and when unlabeled traffic is received by the system.  This  module  allows
       administrators to block all unlabeled packets from the  system  through  the  "accept"  flag  and  assign
       static,  or  fallback,  security  labels  to unlabeled traffic based on the inbound network interface and
       source address.

       accept on|off
              Toggle the unlabeled traffic accept flag.

       add default|interface:<dev> address:<addr>[/<mask>] label:<label>
              Add a new static/fallback entry.

       del default|interface:<dev> address:<addr>[/<mask>]
              Delete an existing static/fallback entry.

       list
              Display the status of the unlabeled accept flag.

       cipso

       The CIPSO/IPv4 (cipso) module controls the CIPSO/IPv4 labeling engine  in  the  kernel.   The  CIPSO/IPv4
       engine  provided  by NetLabel supports multiple Domains Of Interpretation (DOI) and the CIPSO/IPv4 module
       allows for different configurations for each DOI.  At present there are three  types  of  configurations,
       the  "trans"  configuration  which  allows  on-the-fly  translation of MLS sensitivity labels, the "pass"
       configuration which does not perform any translation  of  the  MLS  sensitivity  label  and  the  "local"
       configuration  which conveys the full LSM security label over localhost/loopback connections.  Regardless
       of which configuration type is chosen, a DOI value must be specified, and if the  "trans"  or  "pass"
       configurations  are  specified  then  a  list  of  the  CIPSO/IPv4  tag  types to use when generating the
       CIPSO/IPv4 packet labels must also be specified.  The list of CIPSO/IPv4 tags is ordered such  that  when
       possible  the  first tag type listed is used when a CIPSO/IPv4 label is generated.  However, if it is not
       possible to use the first tag type then each tag type is checked, in order, until a suitable tag type  is
       found.   If  a valid tag type cannot be found then the operation causing the CIPSO/IPv4 label will fail;
       typically this occurs whenever a new socket is created.  The different  commands  and  their  syntax  are
       listed below.

       add trans doi:<DOI> tags:<T1>,<Tn> levels:<LL1>=<RL1>,<LLn>=<RLn> categories:<LC1>=<RC1>,<LCn>=<RCn>
              Add  a new CIPSO/IPv4 configuration using the standard/translated mapping with the given level and
              category translations.  The levels are translated in such a way that  the  local  level  "LLn"  is
              translated to the remote, on-the-wire level of "RLn"; the reverse translation is done for incoming
              packets.  The same translation is done for the categories using "LCn" and "RCn".  In order  for  a
              packet  to be accepted, or a socket created by an application, there must be a translation for the
              sensitivity level and all the categories present in the  MLS  sensitivity  label;  if  the  entire
              requested sensitivity label cannot be translated the application will fail.

       add pass doi:<DOI> tags:<T1>,<Tn>
              Add a new CIPSO/IPv4 configuration without any level or category translations.

       add local doi:<DOI>
              Add a new CIPSO/IPv4 configuration for localhost/loopback connections.

       del doi:<DOI>
              Delete  an existing CIPSO/IPv4 configuration with the given DOI value.  If any LSM domain mappings
              are present which make use of this DOI they will also be deleted.

       list [doi:<DOI>]
              Display a list of all the  CIPSO/IPv4  configurations  or  just  the  configuration  matching  the
              optionally specified DOI.
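       The level and category translation installed by a "trans" configuration, as an added illustration that is
       not part of netlabel-tools: the functions below parse the argument text exactly as typed after "cipso add
       trans" (using the mapping from the EXAMPLES section), translate a local label to its on-the-wire form,
       reverse the tables for incoming packets, and reject any label whose level or category has no translation.
       The label model (an integer level plus a set of integer categories) is a simplification assumed here.

```python
# Added example, not part of netlabel-tools: a model of the level/category
# translation that a "netlabelctl cipso add trans ..." configuration installs.
# The label model (integer level + set of integer categories) is a simplification.
from dataclasses import dataclass


def parse_pairs(spec: str) -> dict[int, int]:
    """Parse a "<L1>=<R1>,<Ln>=<Rn>" argument into a {local: remote} table."""
    table: dict[int, int] = {}
    for item in spec.split(","):
        local, remote = item.split("=")
        table[int(local)] = int(remote)
    return table


def _translate(level, cats, lvl_map, cat_map):
    """Map one label through the given tables; any untranslatable part fails."""
    if level not in lvl_map:
        raise ValueError(f"no translation for level {level}")
    missing = sorted(c for c in cats if c not in cat_map)
    if missing:
        raise ValueError(f"no translation for categories {missing}")
    return lvl_map[level], frozenset(cat_map[c] for c in cats)


@dataclass(frozen=True)
class TransDoi:
    doi: int
    tags: tuple[int, ...]       # tag types tried in order when a label is generated
    levels: dict[int, int]      # local LSM level -> on-the-wire CIPSO level
    categories: dict[int, int]  # local LSM category -> on-the-wire CIPSO category

    @classmethod
    def from_args(cls, args: str) -> "TransDoi":
        """Build from the text typed after "cipso add trans", e.g. the man page's
        "doi:8 tags:1 levels:0=0,1=1 categories:0=1,1=0"."""
        opts = dict(tok.split(":", 1) for tok in args.split())
        tags = tuple(int(t) for t in opts["tags"].split(","))
        return cls(int(opts["doi"]), tags, parse_pairs(opts["levels"]),
                   parse_pairs(opts["categories"]))

    def to_wire(self, level: int, cats: set[int]):
        """Outgoing: local MLS label -> CIPSO label (socket creation fails on error)."""
        return _translate(level, cats, self.levels, self.categories)

    def from_wire(self, level: int, cats: set[int]):
        """Incoming: CIPSO label -> local MLS label, using the reversed tables."""
        rev_levels = {r: l for l, r in self.levels.items()}
        rev_cats = {r: l for l, r in self.categories.items()}
        return _translate(level, cats, rev_levels, rev_cats)
```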

       calipso

       The  CALIPSO/IPv6 (calipso) module controls the CALIPSO/IPv6 labeling engine in the kernel.  This behaves
       in a very similar way to the  CIPSO/IPv4  engine,  however  the  protocol  only  specifies  one  tag-type
       (equivalent  to  CIPSO  tag-type 1) and so the tag-type should not be specified.  In addition there is no
       support for the "local" or "trans" configuration.  The different commands and  their  syntax  are  listed
       below.

       add pass doi:<DOI>
              Add a new CALIPSO/IPv6 configuration without any level or category translations.

       del doi:<DOI>
              Delete  an  existing  CALIPSO/IPv6  configuration  with  the  given  DOI value.  If any LSM domain
              mappings are present which make use of this DOI they will also be deleted.

       list [doi:<DOI>]
              Display a list of all the CALIPSO/IPv6 configurations  or  just  the  configuration  matching  the
              optionally specified DOI.

EXIT STATUS

       Returns zero on success, errno values on failure.

EXAMPLES

       netlabelctl cipso add pass doi:16 tags:1
            Add  a CIPSO/IPv4 configuration with a DOI value of "16", using CIPSO tag "1" (the permissive bitmap
            tag).  The CIPSO and LSM levels/categories are passed through the  NetLabel  subsystem  without  any
            translation.

       netlabelctl cipso add trans doi:8 tags:1 levels:0=0,1=1 categories:0=1,1=0
            Add  a  CIPSO/IPv4 configuration with a DOI value of "8", using CIPSO tag "1" (the permissive bitmap
            tag).  The specified mapping converts local LSM levels "0" and "1"  to  CIPSO  levels  "0"  and  "1"
            respectively  while  local  LSM  categories  "0"  and "1" are mapped to CIPSO categories "1" and "0"
            respectively.

       netlabelctl -p cipso list
            Display all of the CIPSO/IPv4 configurations in a human readable format.

       netlabelctl -p cipso list doi:16
            Display specific information about the CIPSO/IPv4 DOI 16 configuration.

       netlabelctl cipso del doi:8
            Delete the CIPSO/IPv4 configuration assigned to DOI 8.   In  addition  to  removing  the  CIPSO/IPv4
            configuration any domain mappings using this configuration will also be removed.

       netlabelctl map add domain:lsm_domain protocol:cipso,8
            Add  a  domain  mapping  so  that  all  outgoing  packets sent from the "lsm_domain" will be labeled
            according to the CIPSO/IPv4 protocol using DOI 8.

       netlabelctl map add domain:lsm_domain address:192.168.1.0/24 protocol:cipso,8
            Add a mapping so that all outgoing packets sent from the "lsm_domain" to the 192.168.1.0/24  network
            will be labeled according to the CIPSO/IPv4 protocol using DOI 8.

       netlabelctl -p map list
            Display all of the domain mappings in a human readable format.

       netlabelctl map del domain:lsm_domain
            Delete the domain mapping for the "lsm_domain"; packets sent from the "lsm_domain" will fall back to
            the default NetLabel mapping.

       netlabelctl unlbl add interface:lo address:::1 label:foo
            Add a static/fallback label to assign the "foo" security label to  unlabeled  packets  entering  the
            system over the "lo" (loopback) interface with an IPv6 source address of "::1" (localhost).

       netlabelctl unlbl add default address:192.168.0.0/16 label:bar
            Add  a  static/fallback  label  to assign the "bar" security label to unlabeled packets entering the
            system over any interface with an IPv4 source address in the 192.168.0.0/16 network.

NOTES

       The NetLabel subsystem is supported on Linux Kernels version 2.6.19 and later.  The static, or  fallback,
       labels  are  only  supported  on  Linux  Kernels  version  2.6.25  and later.  The domain mapping address
       selectors are only supported on Linux Kernels 2.6.28 and later and CALIPSO/RFC5570 is only  supported  on
       Linux Kernels 4.8.0 and later.

       The  NetLabel  project  site, with more information including the source code repository, can be found at
       https://github.com/netlabel.  Please report any bugs at the project site or directly to the author.

AUTHOR

       Paul Moore <paul@paul-moore.com>

SEE ALSO

       netlabel-config(8)