NAME
netlabelctl - NetLabel management utility

SYNOPSIS
netlabelctl [<global_flags>] <module> [<module_commands>]

DESCRIPTION
The NetLabel management utility, netlabelctl, is a command line program designed to allow system administrators to configure the NetLabel system in the kernel. The utility is based around different "modules" which correspond to the different types of NetLabel commands supported by the kernel.

OPTIONS
Global Flags
-h
    Help message
-p
    Attempt to make the output human readable or "pretty"
-t <seconds>
    Set a timeout to be used when waiting for the NetLabel subsystem to respond
-v
    Enable extra output
-V
    Display the version information

Modules and Commands
- mgmt
    version
        Display the kernel's NetLabel management protocol version.
    protocols
        Display the kernel's list of supported labeling protocols.
- map
    add default|domain:<domain> [address:<ADDR>[/<MASK>]] protocol:<protocol>[,<extra>]
        Add a new LSM domain / network address to NetLabel protocol mapping.
    del default|domain:<domain>
        Delete an existing LSM domain to NetLabel protocol mapping.
    list
        Display all of the configured LSM domain to NetLabel protocol mappings.
- unlbl
    accept on|off
        Toggle the unlabeled traffic accept flag.
    add default|interface:<dev> address:<addr>[/<mask>] label:<label>
        Add a new static/fallback entry.
    del default|interface:<dev> address:<addr>[/<mask>]
        Delete an existing static/fallback entry.
    list
        Display the status of the unlabeled accept flag.
- cipso
    add trans doi:<DOI> tags:<T1>,<Tn> levels:<LL1>=<RL1>,<LLn>=<RLn> categories:<LC1>=<RC1>,<LCn>=<RCn>
        Add a new CIPSO/IPv4 configuration using the standard/translated mapping with the given level and category translations. The levels are translated so that the local level "LLn" becomes the remote, on-the-wire level "RLn"; the reverse translation is applied to incoming packets. The same translation is done for the categories using "LCn" and "RCn". For a packet to be accepted, or for an application to create a socket, there must be a translation for the sensitivity level and for every category present in the MLS sensitivity label; if the entire requested sensitivity label cannot be translated, the operation fails for the application.
    add pass doi:<DOI> tags:<T1>,<Tn>
        Add a new CIPSO/IPv4 configuration without any level or category translations.
    add local doi:<DOI>
        Add a new CIPSO/IPv4 configuration for localhost/loopback connections.
    del doi:<DOI>
        Delete an existing CIPSO/IPv4 configuration with the given DOI value. If any LSM domain mappings are present which make use of this DOI they will also be deleted.
    list [doi:<DOI>]
        Display a list of all the CIPSO/IPv4 configurations or just the configuration matching the optionally specified DOI.
- calipso
    add pass doi:<DOI>
        Add a new CALIPSO/IPv6 configuration without any level or category translations.
    del doi:<DOI>
        Delete an existing CALIPSO/IPv6 configuration with the given DOI value. If any LSM domain mappings are present which make use of this DOI they will also be deleted.
    list [doi:<DOI>]
        Display a list of all the CALIPSO/IPv6 configurations or just the configuration matching the optionally specified DOI.

EXIT STATUS
Returns zero on success, errno values on failure.

EXAMPLES
netlabelctl cipso add pass doi:16 tags:1
    Add a CIPSO/IPv4 configuration with a DOI value of "16", using CIPSO tag "1" (the permissive bitmap tag), without any level or category translations.
netlabelctl cipso add trans doi:8 tags:1 levels:0=0,1=1 categories:0=1,1=0
    Add a CIPSO/IPv4 configuration with a DOI value of "8", using CIPSO tag "1" (the permissive bitmap tag). The specified mapping converts local LSM levels "0" and "1" to CIPSO levels "0" and "1" respectively, while local LSM categories "0" and "1" are mapped to CIPSO categories "1" and "0" respectively.
netlabelctl -p cipso list
    Display all of the CIPSO/IPv4 configurations in a human readable format.
netlabelctl -p cipso list doi:16
    Display specific information about the CIPSO/IPv4 DOI 16 configuration.
netlabelctl cipso del doi:8
    Delete the CIPSO/IPv4 configuration assigned to DOI 8. In addition to removing the CIPSO/IPv4 configuration, any domain mappings using this configuration will also be removed.
netlabelctl map add domain:lsm_domain protocol:cipso,8
    Add a domain mapping so that all outgoing packets sent from the "lsm_domain" will be labeled according to the CIPSO/IPv4 protocol using DOI 8.
netlabelctl map add domain:lsm_domain address:192.168.1.0/24 protocol:cipso,8
    Add a mapping so that all outgoing packets sent from the "lsm_domain" to the 192.168.1.0/24 network will be labeled according to the CIPSO/IPv4 protocol using DOI 8.
netlabelctl -p map list
    Display all of the domain mappings in a human readable format.
netlabelctl map del domain:lsm_domain
    Delete the domain mapping for the "lsm_domain"; packets sent from the "lsm_domain" will fall back to the default NetLabel mapping.
netlabelctl unlbl add interface:lo address:::1 label:foo
    Add a static/fallback label to assign the "foo" security label to unlabeled packets entering the system over the "lo" (loopback) interface with an IPv6 source address of "::1" (localhost).
netlabelctl unlbl add default address:192.168.0.0/16 label:bar
    Add a static/fallback label to assign the "bar" security label to unlabeled packets entering the system over any interface with an IPv4 source address in the 192.168.0.0/16 network.
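To make the level and category translation rules of "cipso add trans" concrete, the following Python is an added illustration (not netlabel_tools code) that parses the argument syntax from the "doi:8 tags:1 levels:0=0,1=1 categories:0=1,1=0" example above, applies the outgoing and incoming translations, and rejects any label that cannot be translated in full, as the trans mapping description requires. The function names and the (level, set of categories) label model are assumptions of this illustration.

```python
# Added illustration of the CIPSO "trans" mapping semantics; not netlabel_tools code.
# A local MLS label is modelled as (level, set_of_categories); the translation
# tables come from the same levels:/categories: syntax that netlabelctl accepts.

class LabelTranslationError(Exception):
    """Raised when any part of a sensitivity label has no translation."""


def parse_trans_args(argv):
    """Parse 'cipso add trans' arguments, e.g.
    ['doi:8', 'tags:1', 'levels:0=0,1=1', 'categories:0=1,1=0']."""
    cfg = {"doi": None, "tags": [], "levels": {}, "categories": {}}
    for arg in argv:
        key, sep, val = arg.partition(":")
        if not sep:
            raise ValueError(f"malformed argument {arg!r}")
        if key == "doi":
            cfg["doi"] = int(val)
        elif key == "tags":
            cfg["tags"] = [int(t) for t in val.split(",")]
        elif key in ("levels", "categories"):
            for pair in val.split(","):
                local, remote = pair.split("=")  # LLn=RLn or LCn=RCn
                cfg[key][int(local)] = int(remote)
        else:
            raise ValueError(f"unknown argument {arg!r}")
    if cfg["doi"] is None or not cfg["tags"]:
        raise ValueError("doi: and tags: are required")
    return cfg


def _translate(level, categories, level_map, cat_map, direction):
    """Map a (level, categories) label through the tables; all-or-nothing."""
    if level not in level_map:
        raise LabelTranslationError(f"no {direction} translation for level {level}")
    missing = sorted(c for c in categories if c not in cat_map)
    if missing:
        raise LabelTranslationError(f"no {direction} translation for categories {missing}")
    return level_map[level], frozenset(cat_map[c] for c in categories)


def to_wire(cfg, level, categories):
    """Outgoing direction: local LSM label -> on-the-wire CIPSO level/categories."""
    return _translate(level, categories, cfg["levels"], cfg["categories"], "outgoing")


def from_wire(cfg, wire_level, wire_categories):
    """Incoming direction: the same tables reversed, applied to a received option."""
    rev_levels = {r: l for l, r in cfg["levels"].items()}
    rev_cats = {r: l for l, r in cfg["categories"].items()}
    return _translate(wire_level, wire_categories, rev_levels, rev_cats, "incoming")
```

Note that with this configuration a local label carrying category 2 fails outright rather than being sent with the untranslatable category dropped, which is the behaviour the trans description specifies.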
NOTES
The NetLabel subsystem is supported on Linux kernels version 2.6.19 and later. The static, or fallback, labels are only supported on Linux kernels version 2.6.25 and later. The domain mapping address selectors are only supported on Linux kernels 2.6.28 and later, and CALIPSO/RFC5570 is only supported on Linux kernels 4.8.0 and later.

The NetLabel project site, with more information including the source code repository, can be found at https://github.com/netlabel. Please report any bugs at the project site or directly to the author.

AUTHOR
Paul Moore <[email protected]>

SEE ALSO
netlabel-config(8)

31 May 2013