netlabelctl man page on SuSE

netlabelctl(8)		    NetLabel Documentation		netlabelctl(8)

NAME
       netlabelctl - NetLabel management utility

SYNOPSIS
       netlabelctl [<global flags>] <module> [<module commands>]

DESCRIPTION
       The NetLabel management utility, netlabelctl, is a command line program
       designed to allow system administrators to configure the NetLabel  sys‐
       tem  in	the  kernel.   The utility is based around different "modules"
       which correspond to the different types of NetLabel commands  supported
       by the kernel.

OPTIONS
   Global Flags
       -h   Help message

       -p   Attempt to make the output human readable or "pretty"

       -t <seconds>
	    Set	 a  timeout to be used when waiting for the NetLabel subsystem
	    to respond

       -v   Enable extra output

       -V   Display the version information

   Modules and Commands
       mgmt

       The management module is used to perform general queries about the Net‐
       Label  subsystem	 within	 the kernel.  The different commands and their
       syntax are listed below.

       version
	      Display the kernel's NetLabel management protocol version.

       protocols
	      Display the kernel's list of supported labeling protocols.

       map

       The domain mapping module is used to map different NetLabel labeling
       protocols to either individual LSM domains or the default domain
       mapping.  It is up to each LSM to determine what defines a domain.
       With SELinux, the normal SELinux domain type should be used, e.g.
       "ping_t".  In addition to protocol selection based only on the LSM
       domain, it is also possible to select the labeling protocol based on
       both the LSM domain and the destination address.  The network address
       selectors can specify either single hosts or entire networks and work
       for both IPv4 and IPv6, although the labeling protocol chosen must
       support the IP version chosen ("cipsov4" labels IPv4 traffic only).
       When specifying the labeling protocol to use for each mapping there is
       an optional "extra" field which is used to further identify the
       specific labeling protocol configuration.  When specifying the
       unlabeled protocol, "unlbl", no extra identification is needed.  When
       specifying the CIPSO/IPv4 protocol, "cipsov4", the DOI value must be
       given as the extra field; see the EXAMPLES section for details.  The
       different commands and their syntax are listed below.

       add  default|domain:<domain> [address:<ADDR>[/<MASK>]] protocol:<proto‐
	      col>[,<extra>]
	      Add a new LSM domain / network address to NetLabel protocol map‐
	      ping.

       del default|domain:<domain>
	      Delete an existing LSM domain to NetLabel protocol mapping.

       list
	      Display  all  of	the configured LSM domain to NetLabel protocol
	      mappings.

       unlbl

       The unlabeled (unlbl) module controls the unlabeled protocol  which  is
       used both when labeling outgoing traffic is not desired as well as when
       unlabeled traffic is received by the system.  This module allows admin‐
       istrators  to  block  all unlabeled packets from the system through the
       "accept" flag and assign static, or fallback, security labels to	 unla‐
       beled  traffic  based  on  the  inbound	network	 interface  and source
       address.

       accept on|off
	      Toggle the unlabeled traffic accept flag.

       add default|interface:<dev> address:<addr>[/<mask>] label:<label>
	      Add a new static/fallback entry.

       del default|interface:<dev> address:<addr>[/<mask>]
	      Delete an existing static/fallback entry.

       list
              Display the status of the unlabeled accept flag together with
              the configured static/fallback entries.
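       The two lookups configured with the "map" and "unlbl" modules above
       share one shape: a name (LSM domain or inbound interface, or "default"),
       optionally narrowed by an address selector.  The following Python model
       is an added illustration and is not code from netlabelctl or the
       kernel; it exists so the selection rules can be exercised on sample
       input.  Three behaviours are modeled as assumptions to be checked
       against the kernel you run: a domain or interface is either a single
       whole entry or a set of address selectors, never both; among matching
       selectors the longest prefix wins; and an entry that has selectors but
       no match yields no result rather than falling through to the default
       entry.  The configuration in demo() is constructed from the EXAMPLES
       section.

```python
import ipaddress

# labeling protocols this model knows about and the IP versions each can carry;
# "cipsov4" exists for IPv4 only, "unlbl" (no label on the wire) for both
PROTOCOL_IP_VERSIONS = {"unlbl": {4, 6}, "cipsov4": {4}}


def _proto_name(protocol):
    """'cipsov4,8' -> 'cipsov4', 'unlbl' -> 'unlbl' (the ',<extra>' field is the DOI)."""
    return protocol.split(",", 1)[0]


class SelectorTable:
    """Entries keyed by name (LSM domain or interface), each either a whole-key
    entry or a list of address selectors.  Key None is the 'default' entry of
    the netlabelctl command line."""

    def __init__(self):
        self._whole = {}   # key -> value (applies to every address)
        self._sel = {}     # key -> [(ip_network, value), ...]

    def add(self, key, value, address=None):
        if key in self._whole:
            raise ValueError(f"{key!r} already has a whole-key entry")
        if address is None:
            if key in self._sel:
                raise ValueError(f"{key!r} already has address selectors")
            self._whole[key] = value
            return
        net = ipaddress.ip_network(address, strict=False)
        self._sel.setdefault(key, []).append((net, value))

    def delete(self, key):
        self._whole.pop(key, None)
        self._sel.pop(key, None)

    def lookup(self, key, address):
        """Value selected for (key, address): the key's own entry if one exists,
        otherwise the default entry; within an entry the most specific matching
        selector wins, and an entry with selectors but no match yields None
        (modeling assumption, see lead-in)."""
        addr = ipaddress.ip_address(address)
        if key not in self._whole and key not in self._sel:
            key = None                       # fall back to the default entry
        if key in self._whole:
            return self._whole[key]
        best = None
        for net, value in self._sel.get(key, []):
            if net.version == addr.version and addr in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, value)
        return best[1] if best else None


class DomainMap(SelectorTable):
    """Model of 'netlabelctl map add default|domain:<d> [address:<a>[/<m>]]
    protocol:<p>[,<extra>]' plus the outgoing-packet lookup."""

    def add(self, domain, protocol, address=None):
        name = _proto_name(protocol)
        if name not in PROTOCOL_IP_VERSIONS:
            raise ValueError(f"unknown labeling protocol {name!r}")
        if address is not None:
            version = ipaddress.ip_network(address, strict=False).version
            if version not in PROTOCOL_IP_VERSIONS[name]:
                raise ValueError(f"{name} cannot label IPv{version} traffic")
        super().add(domain, protocol, address)

    def protocol_for(self, domain, destination):
        """Labeling protocol for a packet sent by LSM domain `domain` to `destination`."""
        return self.lookup(domain, destination)


class UnlabeledFallback(SelectorTable):
    """Model of 'netlabelctl unlbl add default|interface:<dev> address:<a>[/<m>]
    label:<l>' plus the inbound lookup for an unlabeled packet."""

    def label_for(self, interface, source):
        return self.lookup(interface, source)


def demo():
    """Constructed sample configuration mirroring the EXAMPLES section."""
    m = DomainMap()
    m.add(None, "unlbl")                                # map add default protocol:unlbl
    m.add("lsm_domain", "cipsov4,8", "192.168.1.0/24")  # map add domain:lsm_domain address:192.168.1.0/24 protocol:cipsov4,8
    m.add("lsm_domain", "unlbl", "192.168.1.128/25")    # a more specific selector inside that network
    u = UnlabeledFallback()
    u.add("lo", "foo", "::1")                           # unlbl add interface:lo address:::1 label:foo
    u.add(None, "bar", "192.168.0.0/16")                # unlbl add default address:192.168.0.0/16 label:bar
    return m, u
```

       With this configuration a packet from "lsm_domain" to 192.168.1.10 is
       labeled with CIPSO/IPv4 DOI 8, one to 192.168.1.200 goes out unlabeled
       because the /25 selector is more specific, and one to 10.0.0.1 gets no
       mapping at all; an attempt to attach an IPv6 selector to "cipsov4" is
       rejected at add time.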

       cipsov4

       The CIPSO/IPv4 (cipsov4) module controls the CIPSO/IPv4 labeling engine
       in the kernel.  The CIPSO/IPv4 engine provided by NetLabel supports
       multiple Domains Of Interpretation (DOI) and the CIPSO/IPv4 module
       allows for different configurations for each DOI.  At present there are
       three types of configurations: the "trans" configuration, which allows
       on-the-fly translation of MLS sensitivity labels; the "pass"
       configuration, which does not perform any translation of the MLS
       sensitivity label; and the "local" configuration, which conveys the
       full LSM security label over localhost/loopback connections using a
       kernel-private tag type (128) and is therefore only meaningful on the
       loopback interface.  Regardless of which configuration type is chosen
       a non-zero DOI value must be specified (DOI 0 is reserved and rejected
       by the kernel), and if the "trans" or "pass" configurations are
       specified then a list of the CIPSO/IPv4 tag types to use when
       generating the CIPSO/IPv4 packet labels must also be specified.  The
       kernel implements tag types 1 (restrictive bitmap), 2 (enumerated) and
       5 (ranged).  The list of CIPSO/IPv4 tags is ordered such that when
       possible the first tag type listed is used when a CIPSO/IPv4 label is
       generated.  However, if it is not possible to use the first tag type
       then each tag type is checked, in order, until a suitable tag type is
       found.  If a valid tag type can not be found then the operation causing
       the CIPSO/IPv4 label will fail; typically this occurs whenever a new
       socket is created.  The different commands and their syntax are listed
       below.

       add trans doi:<DOI> tags:<T1>,<Tn> levels:<LL1>=<RL1>,<LLn>=<RLn> cate‐
	      gories:<LC1>=<RC1>,<LCn>=<RCn>
	      Add a new CIPSO/IPv4 configuration using the standard/translated
	      mapping  with  the  given	 level and category translations.  The
	      levels are translated in such a way that the local  level	 "LLn"
	      is  translated  to  the  remote, on-the-wire level of "RLn"; the
	      reverse translation is done  for	incoming  packets.   The  same
	      translation  is  done  for the categories using "LCn" and "RCn".
	      In order for a packet to be accepted, or a socket created by  an
	      application,  there  must	 be  a translation for the sensitivity
	      level and all the categories  present  in	 the  MLS  sensitivity
	      label;  if  the  entire  requested  sensitivity label can not be
	      translated the application will fail.

       add pass doi:<DOI> tags:<T1>,<Tn>
	      Add a new CIPSO/IPv4 configuration without any level or category
	      translations.

       add local doi:<DOI>
	      Add  a  new CIPSO/IPv4 configuration for localhost/loopback con‐
	      nections.

       del doi:<DOI>
	      Delete an existing CIPSO/IPv4 configuration with the  given  DOI
	      value.  If any LSM domain mappings are present which make use of
	      this DOI they will also be deleted.

       list [doi:<DOI>]
	      Display a list of all the CIPSO/IPv4 configurations or just  the
	      configuration matching the optionally specified DOI.
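       What a "trans" configuration does to a packet is easiest to see on the
       wire.  The following Python code is an added illustration, not code
       from netlabelctl or the kernel: it encodes and decodes the CIPSO IPv4
       option (option type 134: type, length, 4-byte big-endian DOI, tags)
       carrying one tag type 1 (restrictive bitmap: type, length, alignment
       octet, sensitivity level, category bitmap with category n at bit n
       counting from the most significant bit of the first bitmap byte), and
       applies the level and category translation of the man page's
       "doi:8 tags:1 levels:0=0,1=1 categories:0=1,1=0" example in both
       directions.  The DOI values and labels used are constructed sample
       data; a "pass" configuration is the same flow with identity
       translations.

```python
import struct

CIPSO_OPT_TYPE = 134      # IPv4 option type for CIPSO
TAG_RBITMAP = 1           # tag type 1: restrictive bitmap of categories
MAX_RBITMAP_CATS = 240    # 40-byte option - 6 header - 4 tag prefix = 30 bitmap bytes


class TransConfig:
    """Model of 'netlabelctl cipsov4 add trans doi:<DOI> tags:1 levels:<LL>=<RL>,...
    categories:<LC>=<RC>,...'.  levels/categories map local -> on-the-wire."""

    def __init__(self, doi, levels, categories):
        if doi == 0:
            raise ValueError("DOI 0 is reserved")
        self.doi = doi
        self.lvl_out, self.cat_out = dict(levels), dict(categories)
        self.lvl_in = {r: l for l, r in levels.items()}
        self.cat_in = {r: l for l, r in categories.items()}
        if len(self.lvl_in) != len(levels) or len(self.cat_in) != len(categories):
            raise ValueError("translations must be one-to-one")

    @staticmethod
    def _translate(level, cats, lvl_map, cat_map):
        try:
            return lvl_map[level], sorted(cat_map[c] for c in cats)
        except KeyError as e:
            # the man page's failure mode: an untranslatable level or category
            # makes the whole operation (e.g. socket creation) fail
            raise ValueError(f"no translation for {e.args[0]}") from None

    def to_wire(self, level, cats):
        return self._translate(level, cats, self.lvl_out, self.cat_out)

    def from_wire(self, level, cats):
        return self._translate(level, cats, self.lvl_in, self.cat_in)


def build_rbitmap_option(doi, level, cats):
    """Encode one CIPSO option carrying a single tag type 1 tag."""
    if cats and (min(cats) < 0 or max(cats) >= MAX_RBITMAP_CATS):
        raise ValueError("category does not fit a restrictive bitmap tag")
    bitmap = bytearray(max(cats) // 8 + 1 if cats else 0)
    for c in cats:
        bitmap[c // 8] |= 0x80 >> (c % 8)       # category n is bit n from the MSB
    tag = bytes([TAG_RBITMAP, 4 + len(bitmap), 0, level]) + bytes(bitmap)
    return bytes([CIPSO_OPT_TYPE, 6 + len(tag)]) + struct.pack(">I", doi) + tag


def parse_option(opt):
    """Decode a CIPSO option into (doi, [(tag_type, level, [categories]), ...]);
    tag types other than 1 are reported with level/categories set to None."""
    if len(opt) < 6 or opt[0] != CIPSO_OPT_TYPE or opt[1] != len(opt):
        raise ValueError("malformed CIPSO option header")
    doi = struct.unpack(">I", opt[2:6])[0]
    tags, pos = [], 6
    while pos < len(opt):
        if pos + 2 > len(opt):
            raise ValueError("truncated tag")
        ttype, tlen = opt[pos], opt[pos + 1]
        if tlen < 2 or pos + tlen > len(opt):
            raise ValueError("bad tag length")
        body = opt[pos + 2:pos + tlen]
        if ttype == TAG_RBITMAP:
            if len(body) < 2:
                raise ValueError("tag 1 needs alignment and level octets")
            cats = [i * 8 + b for i, byte in enumerate(body[2:])
                    for b in range(8) if byte & (0x80 >> b)]
            tags.append((ttype, body[1], cats))
        else:
            tags.append((ttype, None, None))
        pos += tlen
    return doi, tags


def send(cfg, level, cats):
    """Outgoing direction: translate the local label, then emit the option bytes."""
    remote_level, remote_cats = cfg.to_wire(level, cats)
    return build_rbitmap_option(cfg.doi, remote_level, remote_cats)


def receive(cfg, opt):
    """Incoming direction: parse, check the DOI, translate back to the local label."""
    doi, tags = parse_option(opt)
    if doi != cfg.doi:
        raise ValueError(f"no configuration for DOI {doi}")
    for ttype, level, cats in tags:
        if ttype == TAG_RBITMAP:
            return cfg.from_wire(level, cats)
    raise ValueError("no usable tag in option")


# the man page's example: cipsov4 add trans doi:8 tags:1 levels:0=0,1=1 categories:0=1,1=0
EXAMPLE_CFG = TransConfig(8, {0: 0, 1: 1}, {0: 1, 1: 0})
```

       Sending local level 1 with local category 0 produces the 11-byte option
       86 0b 00000008 01 05 00 01 40: DOI 8, a tag type 1 of length 5, wire
       level 1 and wire category 1 (the second bit from the top of the single
       bitmap byte, since local category 0 is translated to 1).  Receiving
       those bytes translates back to level 1, category 0.  A local category
       with no translation entry (category 2 here) fails, as does a packet
       whose DOI has no configuration.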

EXAMPLES
       netlabelctl cipsov4 add pass doi:16 tags:1
            Add a CIPSO/IPv4 configuration with a DOI value of "16", using
            CIPSO tag "1" (the restrictive bitmap tag).  The CIPSO and LSM
            levels/categories are passed through the NetLabel subsystem
            without any translation.

       netlabelctl cipsov4 add trans doi:8 tags:1 levels:0=0,1=1 categories:0=1,1=0
            Add a CIPSO/IPv4 configuration with a DOI value of "8", using
            CIPSO tag "1" (the restrictive bitmap tag).  The specified mapping
            converts local LSM levels "0" and "1" to CIPSO levels "0" and "1"
            respectively, while local LSM categories "0" and "1" are mapped
            to CIPSO categories "1" and "0" respectively.

       netlabelctl -p cipsov4 list
	    Display  all  of the CIPSO/IPv4 configurations in a human readable
	    format.

       netlabelctl -p cipsov4 list doi:16
	    Display specific information about the CIPSO/IPv4 DOI 16  configu‐
	    ration.

       netlabelctl cipsov4 del doi:8
	    Delete  the	 CIPSO/IPv4 configuration assigned to DOI 8.  In addi‐
	    tion to removing the CIPSO/IPv4 configuration any domain  mappings
	    using this configuration will also be removed.

       netlabelctl map add domain:lsm_domain protocol:cipsov4,8
	    Add	 a  domain  mapping so that all outgoing packets sent from the
	    "lsm_domain" will be labeled according to the CIPSO/IPv4  protocol
	    using DOI 8.

       netlabelctl  map	 add  domain:lsm_domain	 address:192.168.1.0/24 proto‐
	    col:cipsov4,8
	    Add	 a  mapping  so	 that  all  outgoing  packets  sent  from  the
	    "lsm_domain" to the 192.168.1.0/24 network will be labeled accord‐
	    ing to the CIPSO/IPv4 protocol using DOI 8.

       netlabelctl -p map list
	    Display all of the domain mappings in a human readable format.

       netlabelctl map del domain:lsm_domain
            Delete the domain mapping for the "lsm_domain"; packets sent from
            the "lsm_domain" will fall back to the default NetLabel mapping.

       netlabelctl unlbl add interface:lo address:::1 label:foo
            Add a static/fallback label to assign the "foo" security label to
            unlabeled packets entering the system over the "lo" (loopback)
            interface with an IPv6 source address of "::1" (localhost).  Note
            the three colons: "address:" followed by the address "::1".

       netlabelctl unlbl add default address:192.168.0.0/16 label:bar
	    Add	 a static/fallback label to assign the "bar" security label to
	    unlabeled packets entering the system over any interface  with  an
	    IPv4 source address in the 192.168.0.0/16 network.

NOTES
       The NetLabel subsystem is supported on Linux Kernels version 2.6.19 and
       later.  The static, or fallback, labels are  only  supported  on	 Linux
       Kernels version 2.6.25 and later.  The domain mapping address selectors
       are only supported on Linux Kernels 2.6.28 and later.

       The NetLabel project site, with more information including the source
       code repository, can be found at http://netlabel.sf.net.  This program
       is currently under development; please report any bugs at the project
       site or directly to the author.

AUTHOR
       Paul Moore <paul.moore@hp.com>

SEE ALSO
       <other pages to be created at a future date>

paul.moore@hp.com	       18 December 2008			netlabelctl(8)