NetLabel Tools: A Library and Management Tool for the Linux NetLabel Subsystem ============================================================================== https://github.com/netlabel/netlabel_tools * Online Resources The library source repository currently lives on GitHub at the following URL: -> https://github.com/netlabel/netlabel_tools The project mailing list is currently hosted on Google Groups at the URL below, please note that a Google account is not required to subscribe to the mailing list. -> https://groups.google.com/d/forum/netlabel * Documentation The "doc/" directory contains all of the currently available documentation, mostly in the form of manpages. The top level directory also contains a README file (this file) as well as the LICENSE, SUBMITTING_PATCHES, and CHANGELOG files. Those who are interested in contributing to the the project are encouraged to read the SUBMITTING_PATCHES in the top level directory. * Building and Installing If you are building the NetLabel tools package from an official release tarball, you should follow the familiar three step process used by most autotools based applications: # ./configure # make [V=0|1] # make install However, if you are building the library from sources retrieved from the source repository you may need to run the autogen.sh script before running configure. In both cases, running "./configure -h" will display a list of build-time configuration options. * NetLabel Configuration Quick Start This section assumes you are already running a kernel with NetLabel support, if you are not please configure your kernel for NetLabel support before going any further. Once you have unpacked the NetLabel tools tarball and built the netlabelctl management application as described above, you can proceed with the following configuration steps. If you are unsure about the necessary kernel support, or even the current NetLabel configuration, you can both verify the kernel and display the current configuration with the following commands: # netlabelctl -p cipso list # netlabelctl -p map list If you see any configured CIPSO definitions you can remove them with the following command: # netlabelctl -p cipso del doi:<DOI> If you see any domain mappings you can remove them with the following command: # netlabelctl -p map del domain:<DOMAIN> You can remove the default domain mapping with the command below, although you should proceed with caution as outbound traffic without an associated mapping is dropped. # netlabelctl -p map del default Finally, you set NetLabel to allow or deny incoming unlabeled packets with the following command: # netlabelctl -p unlbl accept on|off Now that you have removed any existing NetLabel configuration you can setup a basic CIPSO configuration. The first step is to add a CIPSO/IPv4 definition to the kernel. The command below creates a CIPSO/IPv4 definition using a DOI value of 1, the permissive bitmask tag (value 1), and a pass through mapping meaning the CIPSO MLS values are passed straight through to the LSM. # netlabelctl cipso add pass doi:1 tags:1 The next step is to tell the NetLabel system to use this CIPSO/IPv4 defintion by default. You do that with the following command: # netlabelctl map add default protocol:cipso,1 You can verify that everything is configured correctly with the following two commands: # netlabelctl -p cipso list doi:1 # netlabelctl -p map list For a more in depth explanation of configuring NetLabel on your Linux system, please see the information in the "doc/" directory.