Network Labeling Statements

ipaddr

Declares a named IP address in IPv4 or IPv6 format that may be referenced by other CIL statements (e.g. nodecon).

Notes:

  • CIL statements that take an IP address may reference a named IP address or use an anonymous address; the examples show both options.

  • IP addresses may be used without a previous ipaddr declaration, either by writing them directly, e.g. 127.0.0.1 or ::1, or by enclosing them in parentheses, e.g. (127.0.0.1) or (::1). The example below passes a parenthesised anonymous address as a macro argument.

Statement definition:

    (ipaddr ipaddr_id ip_address)

Where:

  • ipaddr: The ipaddr keyword.
  • ipaddr_id: The identifier that other statements (e.g. nodecon) use to reference this address.
  • ip_address: A correctly formatted IPv4 or IPv6 address.

Example:

This example declares a named IP address (the netmask) and passes an explicitly parenthesised anonymous IP address to a macro whose parameters are typed as ipaddr:

    (ipaddr netmask_1 255.255.255.0)
    (context netlabel_1 (system.user object_r unconfined.object low_low))

    ; 192.168.1.0 has no host bits set under the /24 netmask, so the
    ; resulting nodecon matches the whole 192.168.1.0/24 network
    (call build_nodecon ((192.168.1.0) netmask_1))

    (macro build_nodecon ((ipaddr ARG1) (ipaddr ARG2))
        (nodecon ARG1 ARG2 netlabel_1))

netifcon

Label network interface objects (e.g. eth0).

Statement definition:

    (netifcon netif_name netif_context_id packet_context_id)

Where:

  • netifcon: The netifcon keyword.
  • netif_name: The network interface name (e.g. eth0).
  • netif_context_id: The security context allocated to the network interface itself: a previously declared context identifier or an anonymous security context.
  • packet_context_id: The security context allocated to packets received on the interface: a previously declared context identifier or an anonymous security context.

Examples:

These examples show named and anonymous netifcon statements:

    (context context_1 (unconfined.user object_r unconfined.object low_low))
    (context context_2 (unconfined.user object_r unconfined.object (systemlow level_2)))

    (netifcon eth0 context_1 (unconfined.user object_r unconfined.object levelrange_1))
    (netifcon eth1 context_1 (unconfined.user object_r unconfined.object ((s0) level_1)))
    (netifcon eth3 context_1 context_2)

nodecon

Label network address objects that represent IPv4 or IPv6 IP addresses and network masks.

IP addresses may be used without a previous ipaddr declaration, either by writing them directly, e.g. 127.0.0.1 or ::1, or by enclosing them in parentheses, e.g. (127.0.0.1) or (::1). The subnet address and the netmask must be in the same address family.

Statement definition:

    (nodecon subnet_id netmask_id context_id)

Where:

  • nodecon: The nodecon keyword.
  • subnet_id: A previously declared ipaddr identifier, or an anonymous IPv4 or IPv6 address.
  • netmask_id: A previously declared ipaddr identifier, or an anonymous IPv4 or IPv6 network mask in the same address family as subnet_id.
  • context_id: A previously declared context identifier or an anonymous security context.

Examples:

These examples show nodecon statements using named and anonymous IP addresses and contexts:

    (context context_1 (unconfined.user object_r unconfined.object low_low))
    (context context_2 (unconfined.user object_r unconfined.object (systemlow level_2)))

    (ipaddr netmask_1 255.255.255.255)
    (ipaddr ipv4_1 192.0.2.64)

    (nodecon ipv4_1 netmask_1 context_2)
    (nodecon 192.0.2.64 255.255.255.255 context_1)
    (nodecon (192.0.2.64) netmask_1 (unconfined.user object_r unconfined.object ((s0) (s0 (c0)))))

    (context context_3 (sys.id sys.role my48prefix.node ((s0)(s0))))

    (ipaddr netmask_2 ffff:ffff:ffff:0:0:0:0:0)
    (ipaddr ipv6_2  2001:db8:1:0:0:0:0:0)

    (nodecon ipv6_2 netmask_2 context_3)
    (nodecon (2001:db8:1:0:0:0:0:0) (ffff:ffff:ffff:0:0:0:0:0) context_3)
    (nodecon (2001:db8:1:0:0:0:0:0) netmask_2 (sys.id sys.role my48prefix.node ((s0)(s0))))

portcon

Label a udp, tcp, dccp or sctp port, or an inclusive range of ports.

Statement definition:

    (portcon protocol port|(port_low port_high) context_id)

Where:

  • portcon: The portcon keyword.
  • protocol: One of the keywords tcp, udp, dccp or sctp.
  • port | (port_low port_high): A single port number, or an inclusive range of ports given as (port_low port_high); values must be greater than zero.
  • context_id: A previously declared context identifier or an anonymous security context.

Examples:

These examples show single-port and port-range portcon statements, all with anonymous contexts:

    (portcon tcp 1111 (unconfined.user object_r unconfined.object ((s0) (s0 (c0)))))
    (portcon tcp 2222 (unconfined.user object_r unconfined.object levelrange_2))
    (portcon tcp 3333 (unconfined.user object_r unconfined.object levelrange_1))
    (portcon udp 4444 (unconfined.user object_r unconfined.object ((s0) level_2)))
    (portcon tcp (2000 20000) (unconfined.user object_r unconfined.object (systemlow level_3)))
    (portcon dccp (6840 6880) (unconfined.user object_r unconfined.object ((s0) level_2)))
    (portcon sctp (1024 1035) (unconfined.user object_r unconfined.object ((s0) level_2)))
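The nodecon and portcon statements above are easy to get syntactically right and semantically wrong: a subnet address with host bits set outside its netmask, a mask from the other address family, or an inverted port range all compile but label nothing. The following is an added example in Python (not part of the CIL reference guide, secilc or libsepol) that parses CIL s-expressions, resolves named and anonymous ipaddr operands as the notes describe, and reports those mistakes before the policy is compiled. It assumes the kernel's node lookup, which matches a packet when its address ANDed with the netmask equals the stored node address, so a node address with host bits set can never match. The sample policy, its identifiers (netmask_24, host_a, ctx_1 and so on) and the placeholder user/role/type names are constructed for the example; only top-level statements are inspected, so nodecon or portcon statements nested in block or macro bodies are not checked.

```python
"""Lint CIL ipaddr/nodecon/portcon statements for mistakes the syntax allows.
Added example, not part of the CIL reference guide or secilc; only top-level statements are checked."""
import ipaddress
import re

PROTOCOLS = {"tcp", "udp", "dccp", "sctp"}

SAMPLE_CIL = """ ; constructed sample policy; ctx_1 and its user/role/type are placeholders
(ipaddr netmask_24 255.255.255.0)
(ipaddr netmask_32 255.255.255.255)
(ipaddr host_a 192.0.2.64)
(ipaddr net_v6 2001:db8:1::)
(ipaddr mask_v6 ffff:ffff:ffff::)
(context ctx_1 (unconfined.user object_r unconfined.object low_low))
(nodecon (192.168.1.64) netmask_24 ctx_1)  ; host bits set outside the /24 mask
(nodecon net_v6 mask_v6 ctx_1)             ; ok: 2001:db8:1::/48
(nodecon 10.0.0.0 ffff:ffff:ffff:: ctx_1)  ; IPv4 address with an IPv6 mask
(nodecon 10.0.0.0 255.255.0.255 ctx_1)     ; non-contiguous mask
(nodecon ipv4_missing netmask_32 ctx_1)    ; undeclared ipaddr identifier
(portcon tcp (2000 20000) ctx_1)           ; ok: inclusive range
(portcon udp (5000 4000) ctx_1)            ; low port above high port
(portcon sctp 70000 ctx_1)                 ; port out of range
(portcon icmp 80 ctx_1)                    ; not a portcon protocol
"""

def parse_cil(text):
    """Parse CIL s-expressions into nested lists; ';' starts a comment."""
    stack = [[]]
    for tok in re.findall(r"\(|\)|[^\s()]+", re.sub(r";[^\n]*", "", text)):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) == 1:
                raise ValueError("unbalanced ')'")
            node = stack.pop()
            stack[-1].append(node)
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced '('")
    return stack[0]

def resolve_ipaddr(operand, names):
    """Resolve a named ipaddr, a bare literal or a parenthesised (literal)."""
    if isinstance(operand, list):
        if len(operand) != 1:
            raise ValueError(f"malformed anonymous address {operand}")
        return ipaddress.ip_address(operand[0])
    if operand in names:
        return names[operand]
    try:
        return ipaddress.ip_address(operand)
    except ValueError:
        raise ValueError(f"undeclared ipaddr identifier '{operand}'") from None

def is_contiguous_mask(mask):
    """True if mask is a run of 1 bits followed by 0 bits (a CIDR prefix)."""
    inverted = ~int(mask) & ((1 << mask.max_prefixlen) - 1)
    return inverted & (inverted + 1) == 0

def check_nodecon(stmt, names):
    addr, mask = resolve_ipaddr(stmt[1], names), resolve_ipaddr(stmt[2], names)
    where = f"nodecon {addr} mask {mask}"
    if addr.version != mask.version:
        return f"{where}: address and netmask are different IP families"
    if not is_contiguous_mask(mask):
        return f"{where}: netmask is not a contiguous prefix"
    # The kernel matches when (packet_addr & mask) == node address, so host
    # bits set in the node address outside the mask make the rule unreachable.
    if int(addr) & ~int(mask) & ((1 << mask.max_prefixlen) - 1):
        return f"{where}: host bits set outside the netmask; rule never matches"

def check_portcon(stmt):
    proto, ports = stmt[1], stmt[2]
    if proto not in PROTOCOLS:
        return f"portcon {proto}: protocol must be one of {sorted(PROTOCOLS)}"
    low, high = (int(ports), int(ports)) if isinstance(ports, str) else map(int, ports)
    span = str(low) if low == high else f"({low} {high})"
    if not (1 <= low <= 65535 and 1 <= high <= 65535):
        return f"portcon {proto} {span}: ports must be in 1..65535"
    if low > high:
        return f"portcon {proto} {span}: low port is greater than high port"

def lint_cil(text):
    """Return findings for the top-level nodecon/portcon statements in text."""
    stmts = parse_cil(text)
    names = {s[1]: ipaddress.ip_address(s[2]) for s in stmts if isinstance(s, list)
             and len(s) == 3 and s[0] == "ipaddr" and isinstance(s[2], str)}
    findings = []
    for s in stmts:
        if not isinstance(s, list) or len(s) != 4 or s[0] not in ("nodecon", "portcon"):
            continue
        try:
            msg = check_nodecon(s, names) if s[0] == "nodecon" else check_portcon(s)
        except ValueError as exc:
            msg = f"{s[0]}: {exc}"
        if msg:
            findings.append(msg)
    return findings
```

Running lint_cil(SAMPLE_CIL) returns seven findings, one per deliberately broken statement, and nothing for the two correct ones. The check is a pre-compilation aid only: the policy still has to be built with secilc and the resulting node and port labels verified on the target system.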