network_stmt: add CIDR notation support for nodecon

Added in checkpolicy 3.7[1]. [1]: SELinuxProject/selinux@804e52b Signed-off-by: Christian Göttsche <[email protected]> Acked-by: Daniel Burgener <[email protected]>
SELinuxProject · Jul 23, 2024 · e47a8d1 · e47a8d1
1 parent f62032a
commit e47a8d1
Showing 1 changed file with 11 additions and 0 deletions.
diff --git a/src/network_statements.md b/src/network_statements.md
@@ -178,10 +178,14 @@ It is also possible to add SELinux these outside the policy using the
 ***semanage**(8)* *node* command that will associate the node to a security
 context.
 
+Since ***checkpolicy**(8)* 3.7 the subnet and netmask can be specified together
+by using the Classless Inter-Domain Routing (CIDR) notation.
+
 **The statement definition is:**
 
 ```
 nodecon subnet netmask node_context
+nodecon cidr_address node_context
 ```
 
 **Where:**
@@ -200,6 +204,11 @@ Note that the subnet and netmask values are used to ensure that the
 
 The subnet mask in IPv4 or IPv6 format.
 
+*cidr_address*
+
+The IP address in CIDR notation, consisting of a IPv4 or IPv6 address, and the
+netmask as a number of leading bits, joined by a slash ('/').
+
 *node_context*
 
 The security context for the node.
@@ -224,13 +233,15 @@ Conditional Policy Statements
 # The MLS policy nodecon statement using an IPv4 address:
 
 nodecon 127.0.0.1 255.255.255.255 system_u:object_r:lo_node_t:s0 - s15:c0.c255
+nodecon 127.0.0.1/32              system_u:object_r:lo_node_t:s0 - s15:c0.c255
 ```
 
 ```
 # The MLS policy nodecon statement for the multicast address
 # using an IPv6 address:
 
 nodecon ff00:: ff00:: system_u:object_r:multicast_node_t:s0 - s15:c0.c255
+nodecon ff00::/8      system_u:object_r:multicast_node_t:s0 - s15:c0.c255
 ```
 
 ***semanage**(8)* **Command example:**