Add a TOC to aid navigation and convert to markdown. Signed-off-by: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx> --- src/network_statements.md | 261 ++++++++++++++++---------------------- 1 file changed, 108 insertions(+), 153 deletions(-) diff --git a/src/network_statements.md b/src/network_statements.md index a1e3b88..8ba411e 100644 --- a/src/network_statements.md +++ b/src/network_statements.md @@ -1,5 +1,13 @@ # Network Labeling Statements +- [Network Address Formats](#network-address-formats) + - [IPv4 Address Format](#ipv4-address-format) + - [IPv6 Address Formats](#ipv6-address-formats) +- [*netifcon*](#netifcon) +- [*nodecon*](#nodecon) +- [*portcon*](#portcon) + + The network labeling statements are used to label the following objects: **Network interfaces** - This covers those interfaces managed by the @@ -28,6 +36,8 @@ sid node system_u:object_r:node_t:s0 - s15:c0.c255 sid port system_u:object_r:port_t:s0 ``` +## Network Address Formats + ### IPv4 Address Format IPv4 addresses are represented in dotted-decimal notation (four 
@@ -49,34 +59,30 @@ where each group is separated by a colon ':' as follows: To shorten the writing and presentation of addresses, the following rules apply: -1. Any leading zeros in a group may be replaced with a single '0' as - shown: +Any leading zeros in a group may be replaced with a single '0' as shown: ``` 2001:db8:85a3:0:0:8a2e:370:7334 ``` -2. Any leading zeros in a group may be omitted and be replaced with two - colons '::', however this is only allowed once in an address as - follows: +Any leading zeros in a group may be omitted and be replaced with two +colons '::', however this is only allowed once in an address as follows: ``` 2001:db8:85a3::8a2e:370:7334 ``` -3. The *localhost* (loopback) address can be written as: +The *localhost* (loopback) address can be written as: ``` 0000:0000:0000:0000:0000:0000:0000:0001 -``` Or -``` ::1 ``` -4. An undetermined IPv6 address i.e. all bits are zero is written as: +An undetermined IPv6 address i.e. all bits are zero is written as: ``` :: @@ -88,8 +94,8 @@ The *netifcon* statement is used to label network interface objects (e.g. eth0) for peer labeling (see the [***netif* object class**](object_classes_permissions.md#network-object-classes)). -It is also possible to use the ***semanage**(8)* interface command to associate -the interface to a security context. +It is also possible to use the ***semanage**(8)* *interface* command to +associate the interface to a security context. **The statement definition is:** 
@@ -99,54 +105,38 @@ netifcon netif_id netif_context packet_context **Where:** -<table> -<tbody> -<tr> -<td><code>netifcon</code></td> -<td>The <code>netifcon</code> keyword.</td> -</tr> -<tr> -<td><code>netif_id</code></td> -<td>The network interface name (e.g. eth0).</td> -</tr> -<tr> -<td><code>netif_context</code></td> -<td>The security context allocated to the network interface.</td> -</tr> -<tr> -<td><code>packet_context</code></td> -<td><p>The security context allocated packets. Note that these are defined but unused.</p> -<p>The iptables(8)/nftables(8) <a href="network_support.md#packet-controls-secmark">SECMARK services</a> should be used to label packets.</p></td> -</tr> -</tbody> -</table> +*netifcon* + +The *netifcon* keyword. + +*netif_id* + +The network interface name (e.g. eth0). + +*netif_context* + +The security context allocated to the network interface. + +*packet_context* + +The security context allocated packets. Note that these are defined but unused. +The ***iptables**(8)* / ***nft**(8)* +[**SECMARK services**](network_support.md#packet-controls-secmark) should be +used to label packets. 
**The statement is valid in:** -<table style="text-align:center"> -<tbody> -<tr style="background-color:#D3D3D3;"> -<td><strong>Monolithic Policy</strong></td> -<td><strong>Base Policy</strong></td> -<td><strong>Module Policy</strong></td> -</tr> -<tr> -<td>Yes</td> -<td>Yes</td> -<td>No</td> -</tr> -<tr style="background-color:#D3D3D3;"> -<td><strong>Conditional Policy <code>if</code> Statement</strong></td> -<td><strong><code>optional</code> Statement</strong></td> -<td><strong><code>require</code> Statement</strong></td> -</tr> -<tr> -<td>No</td> -<td>No</td> -<td>No</td> -</tr> -</tbody> -</table> +Policy Type + +| Monolithic Policy | Base Policy | Module Policy | +| ----------------------- | ----------------------- | ----------------------- | +| Yes | Yes | No | + +Conditional Policy Statements + +| *if* Statement | *optional* Statement | *require* Statement | +| ----------------------- | ----------------------- | ----------------------- | +| No | No | No | **Example:** @@ -165,9 +155,9 @@ semanage interface -a -t netif_t eth2 ``` This command will produce the following file in the default -<SELINUXTYPE> policy store and then activate the policy: +\<SELINUXTYPE\> policy store and then activate the policy: -*/var/lib/selinux/<SELINUXTYPE>/active/interfaces.local*: +*/var/lib/selinux/\<SELINUXTYPE\>/active/interfaces.local*: ``` # This file is auto-generated by libsemanage @@ -185,7 +175,7 @@ labeling (see the that represent IPv4 or IPv6 IP addresses and network masks. It is also possible to add SELinux these outside the policy using the -***semanage**(8)* 'node' command that will associate the node to a security +***semanage**(8)* *node* command that will associate the node to a security context. **The statement definition is:** 
@@ -196,54 +186,37 @@ nodecon subnet netmask node_context **Where:** -<table> -<tbody> -<tr> -<td><code>nodecon</code></td> -<td>The <code>nodecon</code> keyword.</td> -</tr> -<tr> -<td><code>subnet</code></td> -<td><p>The subnet or specific IP address in IPv4 or IPv6 format.</p> -<p>Note that the subnet and netmask values are used to ensure that the node_context is assigned to all IP addresses within the subnet range.</p></td> -</tr> -<tr> -<td><code>netmask</code></td> -<td>The subnet mask in IPv4 or IPv6 format.</td> -</tr> -<tr> -<td><code>node_context<code></td> -<td>The security context for the node.</td> -</tr> -</tbody> -</table> +*nodecon* + +The *nodecon* keyword. + +*subnet* + +The subnet or specific IP address in IPv4 or IPv6 format. +Note that the subnet and netmask values are used to ensure that the +*node_context* is assigned to all IP addresses within the subnet range. + +*netmask* + +The subnet mask in IPv4 or IPv6 format. + +*node_context* + +The security context for the node. 
**The statement is valid in:** -<table style="text-align:center"> -<tbody> -<tr style="background-color:#D3D3D3;"> -<td><strong>Monolithic Policy</strong></td> -<td><strong>Base Policy</strong></td> -<td><strong>Module Policy</strong></td> -</tr> -<tr> -<td>Yes</td> -<td>Yes</td> -<td>No</td> -</tr> -<tr style="background-color:#D3D3D3;"> -<td><strong>Conditional Policy <code>if</code> Statement</strong></td> -<td><strong><code>optional</code> Statement</strong></td> -<td><strong><code>require</code> Statement</strong></td> -</tr> -<tr> -<td>No</td> -<td>No</td> -<td>No</td> -</tr> -</tbody> -</table> +Policy Type + +| Monolithic Policy | Base Policy | Module Policy | +| ----------------------- | ----------------------- | ----------------------- | +| Yes | Yes | No | + +Conditional Policy Statements + +| *if* Statement | *optional* Statement | *require* Statement | +| ----------------------- | ----------------------- | ----------------------- | +| No | No | No | **Examples:** @@ -267,9 +240,9 @@ semanage node -a -t node_t -p ipv4 -M 255.255.255.255 127.0.0.2 ``` This command will produce the following file in the default -<SELINUXTYPE> policy store and then activate the policy: +\<SELINUXTYPE\> policy store and then activate the policy: -*/var/lib/selinux/<SELINUXTYPE>/active/nodes.local*: +*/var/lib/selinux/\<SELINUXTYPE\>/active/nodes.local*: ``` # This file is auto-generated by libsemanage @@ -283,7 +256,7 @@ nodecon ipv4 127.0.0.2 255.255.255.255 system_u:object_r:node_t:s0 The *portcon* statement is used to label udp, tcp, dccp or sctp ports. It is also possible to add a security context to ports outside the -policy using the ***semanage**(8)* 'port' command that will associate the port +policy using the ***semanage**(8)* *port* command that will associate the port (or range of ports) to a security context. **The statement definition is:** 
@@ -294,53 +267,35 @@ portcon protocol port_number port_context **Where:** -<table> -<tbody> -<tr> -<td><code>portcon</code></td> -<td>The <code>portcon</code> keyword.</td> -</tr> -<tr> -<td><code>protocol</code></td> -<td>The protocol type. Valid entries are udp, tcp or <em>dccp</em>.</td> -</tr> -<tr> -<td><code>port_number</code></td> -<td>The port number or range of ports. The ranges are separated by a hyphen (-).</td> -</tr> -<tr> -<td><code>port_context</code></td> -<td>The security context for the port or range of ports.</td> -</tr> -</tbody> -</table> +*portcon* + +The *portcon* keyword. + +*protocol* + +The protocol type. Valid entries are udp, tcp or dccp. + +*port_number* + +The port number or range of ports. The ranges are separated by a hyphen '-'. + +*port_context* + +The security context for the port or range of ports. **The statement is valid in:** -<table style="text-align:center"> -<tbody> -<tr style="background-color:#D3D3D3;"> -<td><strong>Monolithic Policy</strong></td> -<td><strong>Base Policy</strong></td> -<td><strong>Module Policy</strong></td> -</tr> -<tr> -<td>Yes</td> -<td>Yes</td> -<td>No</td> -</tr> -<tr style="background-color:#D3D3D3;"> -<td><strong>Conditional Policy <code>if</code> Statement</strong></td> -<td><strong><code>optional</code> Statement</strong></td> -<td><strong><code>require</code> Statement</strong></td> -</tr> -<tr> -<td>No</td> -<td>No</td> -<td>No</td> -</tr> -</tbody> -</table> +Policy Type + +| Monolithic Policy | Base Policy | Module Policy | +| ----------------------- | ----------------------- | ----------------------- | +| Yes | Yes | No | + +Conditional Policy Statements + +| *if* Statement | *optional* Statement | *require* Statement | +| ----------------------- | ----------------------- | ----------------------- | +| No | No | No | **Examples:** 
@@ -361,9 +316,9 @@ semanage port -a -t reserved_port_t -p udp 1234 ``` This command will produce the following file in the default -<SELINUXTYPE> policy store and then activate the policy: +\<SELINUXTYPE\> policy store and then activate the policy: -*/var/lib/selinux/<SELINUXTYPE>/active/ports.local*: +*/var/lib/selinux/\<SELINUXTYPE\>/active/ports.local*: ``` # This file is auto-generated by libsemanage -- 2.26.2
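Review bot: In hunk `@@ -49,34 +59,30 @@` the list numbering is dropped, which loses the "the following rules apply" structure that the sentence above still promises, and merging the two loopback forms into one fence (removing the "Or") makes `0000:...:0001` and `::1` read as two lines of one example rather than alternatives. The rewrapped wording is also inaccurate: leading zeros within a group may simply be omitted (writing a single `0` only applies to an all-zero group), and `::` replaces one or more consecutive all-zero groups, not "leading zeros". Suggest keeping the numbered list and rewording, e.g. "1. Leading zeros in a group may be omitted, so an all-zero group is written as a single '0':" and "2. One or more consecutive all-zero groups may be replaced with two colons '::', which is only allowed once in an address:", and keeping the two loopback forms in separate fences with "or" between them.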
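Review bot: In hunk `@@ -99,54 +105,38 @@` the *packet_context* description is rewritten but keeps the missing preposition: "The security context allocated packets." should read "The security context allocated to packets." Since the line is being touched anyway, fix it here rather than carrying the typo into the markdown version.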
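Review bot: In hunk `@@ -185,7 +175,7 @@` the unchanged context line "It is also possible to add SELinux these outside the policy using the" is garbled (a stray "SELinux" before "these"). The following line is already being edited, so extend the hunk by one line and fix the sentence, e.g. "It is also possible to add these outside the policy using the" followed by the corrected "***semanage**(8)* *node* command that will associate the node to a security" line.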
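Review bot: In hunk `@@ -294,53 +267,35 @@` the rewritten *protocol* line says "Valid entries are udp, tcp or dccp." but the section introduction two hunks earlier (`@@ -283,7 +256,7 @@`) states that *portcon* labels "udp, tcp, dccp or sctp ports". Since the line is being rewritten, make it consistent: "The protocol type. Valid entries are udp, tcp, dccp or sctp."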