@@ -1,5 +1,13 @@
# Network Labeling Statements
+- [Network Address Formats](#network-address-formats)
+ - [IPv4 Address Format](#ipv4-address-format)
+ - [IPv6 Address Formats](#ipv6-address-formats)
+- [*netifcon*](#netifcon)
+- [*nodecon*](#nodecon)
+- [*portcon*](#portcon)
+
+
The network labeling statements are used to label the following objects:
**Network interfaces** - This covers those interfaces managed by the
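Review bot: the nested TOC entries in this hunk are indented by a single space (` - [IPv4 Address Format](#ipv4-address-format)`), which CommonMark-based renderers treat as sibling items of `- [Network Address Formats]` rather than sub-items; indent them by two spaces so they nest. The hunk also leaves two consecutive blank lines between the TOC and the opening paragraph; one is enough.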
@@ -28,6 +36,8 @@ sid node system_u:object_r:node_t:s0 - s15:c0.c255
sid port system_u:object_r:port_t:s0
```
+## Network Address Formats
+
### IPv4 Address Format
IPv4 addresses are represented in dotted-decimal notation (four
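Review bot: the new `## Network Address Formats` heading is placed directly after the closing code fence with no blank line between them, unlike the other headings in this file; add a blank line before the heading so the fence and heading are not run together by stricter renderers.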
@@ -49,34 +59,30 @@ where each group is separated by a colon ':' as follows:
To shorten the writing and presentation of addresses, the following
rules apply:
-1. Any leading zeros in a group may be replaced with a single '0' as
- shown:
+Any leading zeros in a group may be replaced with a single '0' as shown:
```
2001:db8:85a3:0:0:8a2e:370:7334
```
-2. Any leading zeros in a group may be omitted and be replaced with two
- colons '::', however this is only allowed once in an address as
- follows:
+Any leading zeros in a group may be omitted and be replaced with two
+colons '::', however this is only allowed once in an address as follows:
```
2001:db8:85a3::8a2e:370:7334
```
-3. The *localhost* (loopback) address can be written as:
+The *localhost* (loopback) address can be written as:
```
0000:0000:0000:0000:0000:0000:0000:0001
-```
Or
-```
::1
```
-4. An undetermined IPv6 address i.e. all bits are zero is written as:
+An undetermined IPv6 address i.e. all bits are zero is written as:
```
::
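Review bot: deleting the closing fence after `0000:0000:0000:0000:0000:0000:0000:0001` and the opening fence before `::1` folds the prose word `Or` into the code block, so after this hunk the loopback example renders as three lines of code: the long form, `Or`, and `::1`. Keep the two separate fenced blocks with `Or` as prose between them. While this text is being reworded, the rule `Any leading zeros in a group may be omitted and be replaced with two colons '::'` describes compressing a single run of consecutive all-zero groups, not leading zeros within a group; the example `2001:db8:85a3::8a2e:370:7334` already shows the correct behaviour, so the sentence should say that.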
@@ -88,8 +94,8 @@ The *netifcon* statement is used to label network interface objects (e.g.
eth0) for peer labeling (see the
[***netif* object class**](object_classes_permissions.md#network-object-classes)).
-It is also possible to use the ***semanage**(8)* interface command to associate
-the interface to a security context.
+It is also possible to use the ***semanage**(8)* *interface* command to
+associate the interface to a security context.
**The statement definition is:**
@@ -99,54 +105,38 @@ netifcon netif_id netif_context packet_context
**Where:**
-<table>
-<tbody>
-<tr>
-<td><code>netifcon</code></td>
-<td>The <code>netifcon</code> keyword.</td>
-</tr>
-<tr>
-<td><code>netif_id</code></td>
-<td>The network interface name (e.g. eth0).</td>
-</tr>
-<tr>
-<td><code>netif_context</code></td>
-<td>The security context allocated to the network interface.</td>
-</tr>
-<tr>
-<td><code>packet_context</code></td>
-<td><p>The security context allocated packets. Note that these are defined but unused.</p>
-<p>The iptables(8)/nftables(8) <a href="network_support.md#packet-controls-secmark">SECMARK services</a> should be used to label packets.</p></td>
-</tr>
-</tbody>
-</table>
+*netifcon*
+
+The *netifcon* keyword.
+
+*netif_id*
+
+The network interface name (e.g. eth0).
+
+*netif_context*
+
+The security context allocated to the network interface.
+
+*packet_context*
+
+The security context allocated packets. Note that these are defined but unused.
+The ***iptables**(8)* / ***nft**(8)*
+[**SECMARK services**](network_support.md#packet-controls-secmark) should be
+used to label packets.
**The statement is valid in:**
-<table style="text-align:center">
-<tbody>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Monolithic Policy</strong></td>
-<td><strong>Base Policy</strong></td>
-<td><strong>Module Policy</strong></td>
-</tr>
-<tr>
-<td>Yes</td>
-<td>Yes</td>
-<td>No</td>
-</tr>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Conditional Policy <code>if</code> Statement</strong></td>
-<td><strong><code>optional</code> Statement</strong></td>
-<td><strong><code>require</code> Statement</strong></td>
-</tr>
-<tr>
-<td>No</td>
-<td>No</td>
-<td>No</td>
-</tr>
-</tbody>
-</table>
+Policy Type
+
+| Monolithic Policy | Base Policy | Module Policy |
+| ----------------------- | ----------------------- | ----------------------- |
+| Yes | Yes | No |
+
+Conditional Policy Statements
+
+| *if* Statement | *optional* Statement | *require* Statement |
+| ----------------------- | ----------------------- | ----------------------- |
+| No | No | No |
**Example:**
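Review bot: `The security context allocated packets. Note that these are defined but unused.` is missing a word; since the line is being rewritten anyway, make it `The security context allocated to packets.` The rest of the conversion is faithful: the term/definition pairs match the old table cells, and the markdown validity tables keep the same Yes/Yes/No and No/No/No values as the HTML tables they replace.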
@@ -165,9 +155,9 @@ semanage interface -a -t netif_t eth2
```
This command will produce the following file in the default
-<SELINUXTYPE> policy store and then activate the policy:
+\<SELINUXTYPE\> policy store and then activate the policy:
-*/var/lib/selinux/<SELINUXTYPE>/active/interfaces.local*:
+*/var/lib/selinux/\<SELINUXTYPE\>/active/interfaces.local*:
```
# This file is auto-generated by libsemanage
@@ -185,7 +175,7 @@ labeling (see the
that represent IPv4 or IPv6 IP addresses and network masks.
It is also possible to add SELinux these outside the policy using the
-***semanage**(8)* 'node' command that will associate the node to a security
+***semanage**(8)* *node* command that will associate the node to a security
context.
**The statement definition is:**
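Review bot: the unchanged context line `It is also possible to add SELinux these outside the policy using the` reads wrongly ("add SELinux these"); since the following line is touched in this hunk, extend the change to reword the sentence as `It is also possible to add these outside the policy using the ***semanage**(8)* *node* command that will associate the node to a security context.`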
@@ -196,54 +186,37 @@ nodecon subnet netmask node_context
**Where:**
-<table>
-<tbody>
-<tr>
-<td><code>nodecon</code></td>
-<td>The <code>nodecon</code> keyword.</td>
-</tr>
-<tr>
-<td><code>subnet</code></td>
-<td><p>The subnet or specific IP address in IPv4 or IPv6 format.</p>
-<p>Note that the subnet and netmask values are used to ensure that the node_context is assigned to all IP addresses within the subnet range.</p></td>
-</tr>
-<tr>
-<td><code>netmask</code></td>
-<td>The subnet mask in IPv4 or IPv6 format.</td>
-</tr>
-<tr>
-<td><code>node_context<code></td>
-<td>The security context for the node.</td>
-</tr>
-</tbody>
-</table>
+*nodecon*
+
+The *nodecon* keyword.
+
+*subnet*
+
+The subnet or specific IP address in IPv4 or IPv6 format.
+Note that the subnet and netmask values are used to ensure that the
+*node_context* is assigned to all IP addresses within the subnet range.
+
+*netmask*
+
+The subnet mask in IPv4 or IPv6 format.
+
+*node_context*
+
+The security context for the node.
**The statement is valid in:**
-<table style="text-align:center">
-<tbody>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Monolithic Policy</strong></td>
-<td><strong>Base Policy</strong></td>
-<td><strong>Module Policy</strong></td>
-</tr>
-<tr>
-<td>Yes</td>
-<td>Yes</td>
-<td>No</td>
-</tr>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Conditional Policy <code>if</code> Statement</strong></td>
-<td><strong><code>optional</code> Statement</strong></td>
-<td><strong><code>require</code> Statement</strong></td>
-</tr>
-<tr>
-<td>No</td>
-<td>No</td>
-<td>No</td>
-</tr>
-</tbody>
-</table>
+Policy Type
+
+| Monolithic Policy | Base Policy | Module Policy |
+| ----------------------- | ----------------------- | ----------------------- |
+| Yes | Yes | No |
+
+Conditional Policy Statements
+
+| *if* Statement | *optional* Statement | *require* Statement |
+| ----------------------- | ----------------------- | ----------------------- |
+| No | No | No |
**Examples:**
@@ -267,9 +240,9 @@ semanage node -a -t node_t -p ipv4 -M 255.255.255.255 127.0.0.2
```
This command will produce the following file in the default
-<SELINUXTYPE> policy store and then activate the policy:
+\<SELINUXTYPE\> policy store and then activate the policy:
-*/var/lib/selinux/<SELINUXTYPE>/active/nodes.local*:
+*/var/lib/selinux/\<SELINUXTYPE\>/active/nodes.local*:
```
# This file is auto-generated by libsemanage
@@ -283,7 +256,7 @@ nodecon ipv4 127.0.0.2 255.255.255.255 system_u:object_r:node_t:s0
The *portcon* statement is used to label udp, tcp, dccp or sctp ports.
It is also possible to add a security context to ports outside the
-policy using the ***semanage**(8)* 'port' command that will associate the port
+policy using the ***semanage**(8)* *port* command that will associate the port
(or range of ports) to a security context.
**The statement definition is:**
@@ -294,53 +267,35 @@ portcon protocol port_number port_context
**Where:**
-<table>
-<tbody>
-<tr>
-<td><code>portcon</code></td>
-<td>The <code>portcon</code> keyword.</td>
-</tr>
-<tr>
-<td><code>protocol</code></td>
-<td>The protocol type. Valid entries are udp, tcp or <em>dccp</em>.</td>
-</tr>
-<tr>
-<td><code>port_number</code></td>
-<td>The port number or range of ports. The ranges are separated by a hyphen (-).</td>
-</tr>
-<tr>
-<td><code>port_context</code></td>
-<td>The security context for the port or range of ports.</td>
-</tr>
-</tbody>
-</table>
+*portcon*
+
+The *portcon* keyword.
+
+*protocol*
+
+The protocol type. Valid entries are udp, tcp or dccp.
+
+*port_number*
+
+The port number or range of ports. The ranges are separated by a hyphen '-'.
+
+*port_context*
+
+The security context for the port or range of ports.
**The statement is valid in:**
-<table style="text-align:center">
-<tbody>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Monolithic Policy</strong></td>
-<td><strong>Base Policy</strong></td>
-<td><strong>Module Policy</strong></td>
-</tr>
-<tr>
-<td>Yes</td>
-<td>Yes</td>
-<td>No</td>
-</tr>
-<tr style="background-color:#D3D3D3;">
-<td><strong>Conditional Policy <code>if</code> Statement</strong></td>
-<td><strong><code>optional</code> Statement</strong></td>
-<td><strong><code>require</code> Statement</strong></td>
-</tr>
-<tr>
-<td>No</td>
-<td>No</td>
-<td>No</td>
-</tr>
-</tbody>
-</table>
+Policy Type
+
+| Monolithic Policy | Base Policy | Module Policy |
+| ----------------------- | ----------------------- | ----------------------- |
+| Yes | Yes | No |
+
+Conditional Policy Statements
+
+| *if* Statement | *optional* Statement | *require* Statement |
+| ----------------------- | ----------------------- | ----------------------- |
+| No | No | No |
**Examples:**
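Review bot: the `protocol` description `The protocol type. Valid entries are udp, tcp or dccp.` omits sctp, although the introduction to this statement (context line `The *portcon* statement is used to label udp, tcp, dccp or sctp ports.`) lists it; change the description to `Valid entries are udp, tcp, dccp or sctp.` so the two agree.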
@@ -361,9 +316,9 @@ semanage port -a -t reserved_port_t -p udp 1234
```
This command will produce the following file in the default
-<SELINUXTYPE> policy store and then activate the policy:
+\<SELINUXTYPE\> policy store and then activate the policy:
-*/var/lib/selinux/<SELINUXTYPE>/active/ports.local*:
+*/var/lib/selinux/\<SELINUXTYPE\>/active/ports.local*:
```
# This file is auto-generated by libsemanage
Add a TOC to aid navigation and convert to markdown.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 src/network_statements.md | 261 ++++++++++++++++----------------------
 1 file changed, 108 insertions(+), 153 deletions(-)