author | Yu Watanabe <watanabe.yu+github@gmail.com> | 2022-06-22 15:28:46 +0200 |
---|---|---|
committer | Yu Watanabe <watanabe.yu+github@gmail.com> | 2022-06-22 15:34:26 +0200 |
commit | a32badc5a6c3f1bbf27250a12830908bd0fd20e8 (patch) | |
tree | fdbecf1fc3583890b8b744057ecec16c9091acd6 /man | |
parent | Revert NFTSet feature (diff) | |

Revert "networkd: NetLabel integration"

This reverts PR #23269 and its follow-up commit. Especially,
2299b1cae32c1fb8911da0ce26efced68032f4f8 (partially), and
3cf63830acdef9d8afdc9ef1cf25aa7e85a5e4d5.

The PR was merged without final approval, and has several issues:

- The NetLabel for static addresses is not assigned, as labels are
  stored in the Address objects managed by Network, instead of Link.
- If NetLabel is specified for a static address, then the address
  section will be invalid and the address will not be configured,
- It should be implemented with Request object,
- There is no test about the feature.

Diffstat (limited to 'man')
-rw-r--r-- | man/systemd.network.xml | 54 |
1 files changed, 0 insertions, 54 deletions
diff --git a/man/systemd.network.xml b/man/systemd.network.xml index da19d98c46..c2ce1b1d69 100644 --- a/man/systemd.network.xml +++ b/man/systemd.network.xml 
@@ -1109,38 +1109,6 @@ Table=1234</programlisting></para> Defaults to <literal>no</literal>.</para> </listitem> </varlistentry> - - <varlistentry> - <term><varname>NetLabel=</varname><replaceable>label</replaceable></term> - <listitem> - - <para>This setting provides a method for integrating dynamic network configuration into Linux - NetLabel subsystem rules, used by Linux security modules (LSMs) for network access control. The - option expects a whitespace separated list of NetLabel labels. The labels must conform to lexical - restrictions of LSM labels. When an interface is configured with IP addresses, the addresses and - subnetwork masks will be appended to the NetLabel Fallback Peer Labeling rules. They will be - removed when the interface is deconfigured. Failures to manage the labels will be ignored.</para> - - <para>Warning: Once labeling is enabled for network traffic, a lot of LSM access control points in - Linux networking stack go from dormant to active. It is easy for someone not familiar with the LSM - per-packet access controls to get into a situation where for example remote connectivity is - broken. Also note that additional configuration with <citerefentry - project='man-pages'><refentrytitle>netlabelctl</refentrytitle><manvolnum>8</manvolnum></citerefentry> - is needed.</para> - - <para>Example: - <programlisting>[Address] -NetLabel=system_u:object_r:localnet_peer_t:s0</programlisting> - - With the example rules applying for interface <literal>eth0</literal>, when the interface is - configured with an IPv4 address of 10.0.0.0/8, <command>systemd-networkd</command> performs the - equivalent of <command>netlabelctl</command> operation - - <programlisting>netlabelctl unlbl add interface eth0 address:10.0.0.0/8 label:system_u:object_r:localnet_peer_t:s0</programlisting> - - and the reverse operation when the IPv4 address is deconfigured.</para> - </listitem> - </varlistentry> </variablelist> </refsect1> 
@@ -2082,13 +2050,6 @@ NetLabel=system_u:object_r:localnet_peer_t:s0</programlisting> <ulink url="https://tools.ietf.org/html/rfc5227">RFC 5227</ulink>. Defaults to false.</para> </listitem> </varlistentry> - - <varlistentry> - <term><varname>NetLabel=</varname></term> - <listitem> - <para>As in [Address] section.</para> - </listitem> - </varlistentry> </variablelist> </refsect1> @@ -2202,7 +2163,6 @@ NetLabel=system_u:object_r:localnet_peer_t:s0</programlisting> <term><varname>UseNTP=</varname></term> <term><varname>UseHostname=</varname></term> <term><varname>UseDomains=</varname></term> - <term><varname>NetLabel=</varname></term> <listitem> <para>As in the [DHCPv4] section.</para> </listitem> @@ -2304,13 +2264,6 @@ NetLabel=system_u:object_r:localnet_peer_t:s0</programlisting> </para> </listitem> </varlistentry> - - <varlistentry> - <term><varname>NetLabel=</varname></term> - <listitem> - <para>As in [Address] section.</para> - </listitem> - </varlistentry> </variablelist> </refsect1> @@ -2568,13 +2521,6 @@ Token=prefixstable:2002:da8:1::</programlisting></para> specified. Defaults to true.</para> </listitem> </varlistentry> - - <varlistentry> - <term><varname>NetLabel=</varname></term> - <listitem> - <para>As in [Address] section.</para> - </listitem> - </varlistentry> </variablelist> </refsect1> |
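
Review bot: In the first hunk (@@ -1109), the removed [Address] text says "Failures to manage the labels will be ignored" without saying whether the failure is logged or which label the affected traffic ends up with. For a setting that feeds LSM network access control this is the behaviour an administrator most needs spelled out, and the same entry already warns that enabling labeling can break remote connectivity. If the feature is re-submitted, the entry should state what happens to the address and its traffic when the NetLabel rule cannot be added or removed, and whether that is reported.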
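
Review bot: In the third hunk (@@ -2202), the removed `NetLabel=` term sat in a shared term list whose description is "As in the [DHCPv4] section", while the three other removed short entries say "As in [Address] section", so a reader of that section is sent through two cross-references to reach the one entry that carries the LSM warning and the example. If the setting is reintroduced, give it its own entry there pointing straight at [Address], and use the same wording ("the [Address] section") in all four places.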