From e47a8d1cd4903286a3d92f852ec6be5e62a40f0f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= Date: Fri, 24 May 2024 17:56:23 +0200 Subject: [PATCH] network_stmt: add CIDR notation support for nodecon MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Added in checkpolicy 3.7[1]. [1]: https://github.com/SELinuxProject/selinux/commit/804e52b7f8a3c8649615211a961ef8189fe73f39 Signed-off-by: Christian Göttsche Acked-by: Daniel Burgener --- src/network_statements.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/src/network_statements.md b/src/network_statements.md index 8ba411e..02b1618 100644 --- a/src/network_statements.md +++ b/src/network_statements.md @@ -178,10 +178,14 @@ It is also possible to add SELinux these outside the policy using the ***semanage**(8)* *node* command that will associate the node to a security context. +Since ***checkpolicy**(8)* 3.7 the subnet and netmask can be specified together +by using the Classless Inter-Domain Routing (CIDR) notation. + **The statement definition is:** ``` nodecon subnet netmask node_context +nodecon cidr_address node_context ``` **Where:** @@ -200,6 +204,11 @@ Note that the subnet and netmask values are used to ensure that the The subnet mask in IPv4 or IPv6 format. +*cidr_address* + +The IP address in CIDR notation, consisting of a IPv4 or IPv6 address, and the +netmask as a number of leading bits, joined by a slash ('/'). + *node_context* The security context for the node. @@ -224,6 +233,7 @@ Conditional Policy Statements # The MLS policy nodecon statement using an IPv4 address: nodecon 127.0.0.1 255.255.255.255 system_u:object_r:lo_node_t:s0 - s15:c0.c255 +nodecon 127.0.0.1/32 system_u:object_r:lo_node_t:s0 - s15:c0.c255 ``` ``` 
@@ -231,6 +241,7 @@ nodecon 127.0.0.1 255.255.255.255 system_u:object_r:lo_node_t:s0 - s15:c0.c255 # using an IPv6 address: nodecon ff00:: ff00:: system_u:object_r:multicast_node_t:s0 - s15:c0.c255 +nodecon ff00::/8 system_u:object_r:multicast_node_t:s0 - s15:c0.c255 ``` ***semanage**(8)* **Command example:**
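Review bot: in the first hunk (`@@ -178,10 +178,14 @@`) the statement definition block now lists `nodecon subnet netmask node_context` and `nodecon cidr_address node_context` back to back with nothing saying they are two alternative forms of one statement, so a reader can take the block as showing two required lines; a short separator such as `or, using CIDR notation:` between them, or a sentence in the paragraph above saying the second form replaces the subnet/netmask pair, would make the relationship explicit.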
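Review bot: grammar in the `*cidr_address*` description added in the `@@ -200,6 +204,11 @@` hunk: "consisting of a IPv4 or IPv6 address" should read "consisting of an IPv4 or IPv6 address". The description also only says the netmask is "a number of leading bits"; stating the valid range (0 to 32 for IPv4, 0 to 128 for IPv6) would tell the reader what values are accepted without having to look it up.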
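Review bot: in the `@@ -224,6 +233,7 @@` hunk the new line `nodecon 127.0.0.1/32 system_u:object_r:lo_node_t:s0 - s15:c0.c255` is placed directly under the existing `nodecon 127.0.0.1 255.255.255.255 ...` example with no comment, so it reads as a second statement to include alongside the first rather than the same rule written in CIDR form; a comment line such as `# The same statement using CIDR notation:` before it would make clear that only one of the two is needed.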
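Review bot: in the `@@ -231,6 +241,7 @@` hunk the new line `nodecon ff00::/8 system_u:object_r:multicast_node_t:s0 - s15:c0.c255` is indeed equivalent to the `nodecon ff00:: ff00:: ...` line above it (the `ff00::` mask sets exactly the first 8 bits), but nothing in the example says so, and a reader following the MLS example verbatim would end up with both. Prefixing it with a comment such as `# The same statement using CIDR notation:` would avoid that.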