NetLabel Tools: A Library and Management Tool for the Linux NetLabel Subsystem
==============================================================================
https://github.com/netlabel/netlabel_tools

* Online Resources

The library source repository currently lives on GitHub at the following URL:

    -> https://github.com/netlabel/netlabel_tools

The project mailing list is currently hosted on Google Groups at the URL below;
please note that a Google account is not required to subscribe to the mailing
list.

    -> https://groups.google.com/d/forum/netlabel

* Documentation

The "doc/" directory contains all of the currently available documentation,
mostly in the form of manpages. The top level directory also contains a README
file (this file) as well as the LICENSE, SUBMITTING_PATCHES, and CHANGELOG
files.

Those who are interested in contributing to the project are encouraged to
read the SUBMITTING_PATCHES file in the top level directory.

* Building and Installing

If you are building the NetLabel tools package from an official release
tarball, you should follow the familiar three step process used by most
autotools based applications:

    # ./configure
    # make [V=0|1]
    # make install

However, if you are building the library from sources retrieved from the source
repository you may need to run the autogen.sh script before running configure.
In both cases, running "./configure -h" will display a list of build-time
configuration options.

* NetLabel Configuration Quick Start

This section assumes you are already running a kernel with NetLabel support;
if you are not, please configure your kernel for NetLabel support before going
any further. Once you have unpacked the NetLabel tools tarball and built the
netlabelctl management application as described above, you can proceed with
the following configuration steps.

If you are unsure about the necessary kernel support, or even the current
NetLabel configuration, you can both verify the kernel and display the current
configuration with the following commands:

    # netlabelctl -p cipso list
    # netlabelctl -p map list

If you see any configured CIPSO definitions you can remove them with the
following command:

    # netlabelctl -p cipso del doi:<DOI>

If you see any domain mappings you can remove them with the following command:

    # netlabelctl -p map del domain:<DOMAIN>

You can remove the default domain mapping with the command below, although
you should proceed with caution as outbound traffic without an associated
mapping is dropped.

    # netlabelctl -p map del default

Finally, you can set NetLabel to allow or deny incoming unlabeled packets with
the following command:

    # netlabelctl -p unlbl accept on|off

Now that you have removed any existing NetLabel configuration you can set up a
basic CIPSO configuration. The first step is to add a CIPSO/IPv4 definition
to the kernel. The command below creates a CIPSO/IPv4 definition using a DOI
value of 1, the permissive bitmask tag (value 1), and a pass-through mapping,
meaning the CIPSO MLS values are passed straight through to the LSM.

    # netlabelctl cipso add pass doi:1 tags:1

The next step is to tell the NetLabel system to use this CIPSO/IPv4 definition
by default. You do that with the following command:

    # netlabelctl map add default protocol:cipso,1

You can verify that everything is configured correctly with the following two
commands:

    # netlabelctl -p cipso list doi:1
    # netlabelctl -p map list
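The quick-start sequence above, collected into a script as an added example that is not part of the netlabel_tools project: it first emits the planned netlabelctl argument lists so an operator can review them, then applies them in the same order the steps are given, keeping the window in which no default mapping exists as short as possible. It assumes the caller has already collected the existing DOIs and domains from the two list commands above (their output format is not parsed here); the function names and the NETLABELCTL variable are this example's own.

```shell
#!/bin/sh
# Added example (not netlabel_tools code): plan, then apply, the README's
# basic CIPSO/IPv4 configuration with netlabelctl.
# NETLABELCTL can be overridden (for example with "echo") for a dry run.
NETLABELCTL="${NETLABELCTL:-netlabelctl}"

# netlabel_plan DOI "old DOIs" "old domains" [accept]
#   DOI          : the CIPSO/IPv4 DOI to configure (the README uses 1)
#   "old DOIs"   : space-separated DOIs currently defined (from "cipso list")
#   "old domains": space-separated domains currently mapped (from "map list")
#   accept       : "on" or "off" for incoming unlabeled packets; defaults to
#                  "on", since "off" denies traffic from every host that does
#                  not send CIPSO labels, which usually includes the admin's
#                  own workstation.
netlabel_plan() {
    doi="$1"; old_dois="$2"; old_domains="$3"; accept="${4:-on}"
    case "$accept" in on|off) ;; *) echo "bad accept: $accept" >&2; return 1 ;; esac
    # Step 1: clear explicit domain mappings, then the default mapping.
    # From here until the new default is added, outbound traffic without a
    # mapping is dropped, so nothing slow belongs between these steps.
    for d in $old_domains; do echo "map del domain:$d"; done
    echo "map del default"
    # Step 2: remove stale CIPSO definitions (including the target DOI, so the
    # definition below is created fresh rather than conflicting with an old one).
    for old in $old_dois; do echo "cipso del doi:$old"; done
    # Step 3: pass-through CIPSO/IPv4 definition with the permissive bitmask
    # tag (tag type 1), then make it the default domain mapping.
    echo "cipso add pass doi:$doi tags:1"
    echo "map add default protocol:cipso,$doi"
    # Step 4: policy for incoming unlabeled packets.
    echo "unlbl accept $accept"
}

# Run each planned line through netlabelctl, stopping at the first failure so
# a half-applied configuration is reported rather than silently left behind.
netlabel_apply() {
    netlabel_plan "$@" | while read -r args; do
        # shellcheck disable=SC2086  # splitting $args into words is intended
        $NETLABELCTL $args || { echo "failed: netlabelctl $args" >&2; exit 1; }
    done
}
```

Review the output of `netlabel_plan 1 "" ""` first, then run `netlabel_apply` with the same arguments as root; afterwards confirm the result with the two verification commands above.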

For a more in-depth explanation of configuring NetLabel on your Linux system,
please see the information in the "doc/" directory.