NetLabel Tools: A Library and Management Tool for the Linux NetLabel Subsystem

==============================================================================

https://github.com/netlabel/netlabel_tools

* Online Resources

The library source repository currently lives on GitHub at the following URL:

	-> https://github.com/netlabel/netlabel_tools

The project mailing list is currently hosted on Google Groups at the URL below,

please note that a Google account is not required to subscribe to the mailing

list.

	-> https://groups.google.com/d/forum/netlabel

* Documentation

The "doc/" directory contains all of the currently available documentation,

mostly in the form of manpages.  The top level directory also contains a README

file (this file) as well as the LICENSE, SUBMITTING_PATCHES, and CHANGELOG

files.

Those who are interested in contributing to the the project are encouraged to

read the SUBMITTING_PATCHES in the top level directory.

* Building and Installing

If you are building the NetLabel tools package from an official release

tarball, you should follow the familiar three step process used by most

autotools based applications:

	# ./configure

	# make [V=0|1]

	# make install

However, if you are building the library from sources retrieved from the source

repository you may need to run the autogen.sh script before running configure.

In both cases, running "./configure -h" will display a list of build-time

configuration options.

* NetLabel Configuration Quick Start

This section assumes you are already running a kernel with NetLabel support,

if you are not please configure your kernel for NetLabel support before going

any further.  Once you have unpacked the NetLabel tools tarball and built the

netlabelctl management application as described above, you can proceed with

the following configuration steps.

If you are unsure about the necessary kernel support, or even the current

NetLabel configuration, you can both verify the kernel and display the current

configuration with the following commands:

 # netlabelctl -p cipso list

 # netlabelctl -p map list

If you see any configured CIPSO definitions you can remove them with the

following command:

 # netlabelctl -p cipso del doi:<DOI>

If you see any domain mappings you can remove them with the following command:

 # netlabelctl -p map del domain:<DOMAIN>

You can remove the default domain mapping with the command below, although

you should proceed with caution as outbound traffic without an associated

mapping is dropped.

 # netlabelctl -p map del default

Finally, you set NetLabel to allow or deny incoming unlabeled packets with

the following command:

 # netlabelctl -p unlbl accept on|off

Now that you have removed any existing NetLabel configuration you can setup a

basic CIPSO configuration.  The first step is to add a CIPSO/IPv4 definition

to the kernel.  The command below creates a CIPSO/IPv4 definition using a DOI

value of 1, the permissive bitmask tag (value 1), and a pass through mapping

meaning the CIPSO MLS values are passed straight through to the LSM.

 # netlabelctl cipso add pass doi:1 tags:1

The next step is to tell the NetLabel system to use this CIPSO/IPv4 defintion

by default.  You do that with the following command:

 # netlabelctl map add default protocol:cipso,1

You can verify that everything is configured correctly with the following two

commands:

 # netlabelctl -p cipso list doi:1

 # netlabelctl -p map list

For a more in depth explanation of configuring NetLabel on your Linux system,

please see the information in the "doc/" directory.