├── .gitignore
├── CHANGELOG
├── CONTRIBUTING.md
├── LICENSE
├── Makefile.am
├── README.md
├── autogen.sh
├── configure.ac
├── doc
│   ├── .gitignore
│   ├── Makefile.am
│   ├── doxyfile
│   ├── man
│   │   └── man8
│   │       ├── netlabel-config.8
│   │       └── netlabelctl.8
│   └── ru
│       ├── Makefile.am
│       └── man
│           └── man8
│               ├── netlabel-config.8
│               └── netlabelctl.8
├── include
│   ├── .gitignore
│   ├── Makefile.am
│   ├── libnetlabel.h
│   └── netlabel.h
├── libnetlabel
│   ├── Makefile.am
│   ├── mod_calipso.c
│   ├── mod_calipso.h
│   ├── mod_cipso.c
│   ├── mod_cipso.h
│   ├── mod_mgmt.c
│   ├── mod_mgmt.h
│   ├── mod_unlabeled.c
│   ├── mod_unlabeled.h
│   ├── netlabel_comm.c
│   ├── netlabel_init.c
│   ├── netlabel_internal.h
│   └── netlabel_msg.c
├── netlabelctl
│   ├── .gitignore
│   ├── Makefile.am
│   ├── calipso.c
│   ├── cipso.c
│   ├── main.c
│   ├── map.c
│   ├── mgmt.c
│   ├── netlabel-config.in
│   ├── netlabel.rules
│   ├── netlabel.service.in
│   ├── netlabelctl.h
│   └── unlabeled.c
├── tests
│   ├── 01-mgmt-version.tests
│   ├── 02-mgmt-protocols.tests
│   ├── 03-cipso_local.tests
│   ├── 04-cipso_pass.tests
│   ├── 05-cipso_trans.tests
│   ├── 06-map_domain.tests
│   ├── 07-map_addrselect.tests
│   ├── 08-unlbl_default.tests
│   ├── 09-calipso_pass.tests
│   ├── Makefile.am
│   └── regression
└── tools
    └── check-syntax

/.gitignore:
--------------------------------------------------------------------------------
*~
*.la
*.lo
*.a
*.o
*.d
*.swp
*.orig
.deps
.dirstamp
.libs
.stgit-*
.stgitmail.txt
configure
Makefile
Makefile.in
cscope.*
tags
/autom4te.cache
/aclocal.m4
/build-aux
/config.*
/configure
/configure.h*
/libtool
/m4
/stamp-h1
/cov-int
/netlabel_tools-coverity_*.tar.gz
netlabelctl/netlabel-config
netlabelctl/netlabel.service

--------------------------------------------------------------------------------
/CHANGELOG:
--------------------------------------------------------------------------------
NetLabel Tools: Releases
===============================================================================
https://github.com/netlabel/netlabel_tools

* Version 0.30.0 - December 8, 2016
- Added support for CALIPSO/RFC5570, requires Linux v4.8
- Interface now supports using "cipso" in place of "cipsov4"

* Version 0.21 - July 10, 2015
- Converted the build system to autotools
- Fixed a number of style/formatting problems, see 'make check-syntax'
- Fixed a problem with parsing invalid network addresses
- Fixed a problem with large numbers of MLS level/category translations
- Fixed a number of problems identified by Coverity
- Updated to the libnl3 API
- Added a SUBMITTING_PATCHES file with instructions on how to contribute
- Fixed some output formatting problems when listing the outbound mappings
- Created a basic regression test framework and populated it with some basic
  tests, see the "tests/" directory

* Version 0.20 - June 3, 2013
- Patch from Marius Tomaschewski to fix the Makefile install
  target to allow installation by normal users
- Fixed build problems on Debian/Ubuntu
- Correctly read all the parts of multipart Netlink messages, fixed problems
  when trying to display large configurations
- Updated the doxygen configuration file to work with modern doxygen versions
- Updated and improved portions of the build mechanism
- Incorporate fixes from the Fedora/RHEL RPMs
- Add support for systemd with the inclusion of a systemd unit file,
  configuration file, and configuration helper script

* Version 0.19 - January 5, 2009
- Added address selector support to the LSM domain mapping mechanism
- Added support for the new CIPSO_V4_MAP_LOCAL CIPSO mapping type to allow
  native LSM security labels over local connections
- General code cleanup, including style changes/fixes; focused primarily on
  libnetlabel
- Initial doxygen support, including slightly improved documentation for the
  libnetlabel API; doxygen docs built by default if doxygen is detected
- Man page updates for netlabelctl
- Preliminary support for building libnetlabel as a shared library, not enabled
  by default (see libnetlabel/Makefile to enable)
- Removed empty and unused directories to make the package cleaner and easier
  to understand

* Version 0.18 - June 25, 2008
- Fixed some problems when printing CIPSOv4 and map information when not using
  the '-p' flag
- Always display an error message if an error occurred, based on patch from
  Klaus Weidner
- Included a patch from Hagen Paul Pfeifer to fix a problem when building
  with LIBNL_VERSION >= 1006
- Only use size_t and not ssize_t to specify datum sizes/lengths
- Updated the netlabelctl man page with more text and examples
- Removed the RPM specfile which included all contributions by Steve Grubb

- Updated copyright notice to GPLv2 only, received explicit approval from both
  Klaus Weidner and Hagen Paul Pfeifer
- Updated the README
- Add libnl v 1.0-pre8 compatible code and make it the default (needed for
  Fedora Rawhide post F8)
- Renamed the CIPSOv4 'std' mapping to 'trans' to better reflect its usage,
  'std' still works but is marked as deprecated
- Merged the 'static-label' branch which provides fallback/static labeling
  support
- Renamed the 'nlbl_mgmt_domain' structure to 'nlbl_dommap'
- Converted to the same tab/indent spacing as the Linux kernel
- Removed the structure typedefs in libnetlabel.h
- Added some crude documentation to the types defined in libnetlabel.h

* Version 0.17 - September 28, 2006
- Changed to support the updated use of Netlink attributes by NetLabel
- Ported to use the libnl (version 1.0-pre5/6) library
- Try to cleanup the error reporting a little bit
- Changed the version/release information

* Version 0.16 - August 3, 2006
- Added a "version" flag (-V)
- Moved the mapping commands to the new "map" class
- Added support for the unlabeled list command
- Updated the documentation to bring it up to date with the current options
- Cleanup the libnetlabel interfaces a little bit
- Shift to using Netlink attributes, at some point we should use libnetlink

* Version 0.15 - July 6, 2006
- Modified the Netlink communication bits to support the newly aligned fields

* Version 0.14 - June 27, 2006
- Added a RPM specfile based on a version from Steve Grubb
- Minor Makefile changes to ease tarball and RPM creation
- Modified the Netlink communication bits to support the new Generic Netlink
  communication mechanism

* Version 0.13 - June 23, 2006
- Added some text to the README to explain how to remove any pre-existing
  NetLabel configuration
- Added two patches from Klaus Weidner to add some error messages and better
  sendmsg() error reporting
- Fixed some compiler warnings (added -Wall to CFLAGS) on Klaus' recommendation

* Version 0.12 - June 13, 2006
- Added support for the new CIPSO_V4_MAP_PASS CIPSO mapping type

* Version 0.11 - June 7, 2006
- Corrected a problem with the netlabel.h header file

* Version 0.11 - June 6, 2006
- Changed the libnetlabel to reflect changes to the NetLabel protocol

* Version 0.10 - May 1, 2006
- Initial version

--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
How to Submit Patches to the NetLabel Tools Project
===============================================================================
https://github.com/netlabel/netlabel_tools

This document is intended to act as a guide to help you contribute to the
NetLabel Tools project. It is not perfect, and there will always be exceptions
to the rules described here, but by following the instructions below you
should have a much easier time getting your work merged with the upstream
project.

## Test Your Code

Unfortunately, we do not have a test suite for the NetLabel Tools project,
but please test your code manually, as much as possible. Make sure it works on
new systems, make sure it works on old systems. Try your best not to break
anything, and if you break something, make sure you have a good reason, and
make sure you tell us about it when you post your patch.

In addition to functional and regression testing, you should also verify that
your patch is consistent with the formatting and coding style of the project.
You can do this by running the following command:

    % make check-syntax

... if there are any problems with your changes a diff/patch will be shown
which indicates the problems and how to fix them.

## Generate the Patch(es)

Depending on how you decided to work with the code base and what tools you are
using there are different ways to generate your patch(es).
However, regardless of what tools you use, you should always generate your
patches using the "unified" diff/patch format and the patches should always
apply to the NetLabel Tools source tree using the following command from the
top directory of the sources repository:

    % patch -p1 < changes.patch

If you are not using git, stacked git (stgit), or some other tool which can
generate patch files for you automatically, you may find the following command
helpful in generating patches, where "netlabel_tools.orig/" is the unmodified
source code directory and "netlabel_tools/" is the source code directory with
your changes:

    % diff -purN netlabel_tools.orig/ netlabel_tools/

When in doubt please generate your patch and try applying it to an unmodified
copy of the NetLabel Tools sources; if it fails for you, it will fail for the
rest of us.

## Explain Your Work

At the top of every patch you should include a description of the problem you
are trying to solve, how you solved it, and why you chose the solution you
implemented. If you are submitting a bug fix, it is also incredibly helpful
if you can describe/include a reproducer for the problem in the description as
well as instructions on how to test for the bug and verify that it has been
fixed.

## Sign Your Work

The sign-off is a simple line at the end of the patch description, which
certifies that you wrote it or otherwise have the right to pass it on as an
open-source patch.
The "Developer's Certificate of Origin" pledge is taken from the Linux Kernel
and the rules are pretty simple:

    Developer's Certificate of Origin 1.1

    By making a contribution to this project, I certify that:

    (a) The contribution was created in whole or in part by me and I
        have the right to submit it under the open source license
        indicated in the file; or

    (b) The contribution is based upon previous work that, to the best
        of my knowledge, is covered under an appropriate open source
        license and I have the right under that license to submit that
        work with modifications, whether created in whole or in part
        by me, under the same open source license (unless I am
        permitted to submit under a different license), as indicated
        in the file; or

    (c) The contribution was provided directly to me by some other
        person who certified (a), (b) or (c) and I have not modified
        it.

    (d) I understand and agree that this project and the contribution
        are public and that a record of the contribution (including all
        personal information I submit with it, including my sign-off) is
        maintained indefinitely and may be redistributed consistent with
        this project or the open source license(s) involved.

... then you just add a line to the bottom of your patch description, with
your real name, saying:

    Signed-off-by: Random J Developer

## Post Your Patches Upstream

The NetLabel Tools project accepts both GitHub pull requests and patches sent
via the mailing list. GitHub pull requests are preferred. The sections below
explain how to contribute via either method. Please read each step and perform
all steps that apply to your chosen contribution method.

### Submitting via Email

Depending on how you decided to work with the code base and what tools you are
using there are different ways to generate your patch(es). However, regardless
of what tools you use, you should always generate your patches using the
"unified" diff/patch format and the patches should always apply to the source
tree using the following command from the top directory of the sources:

    # patch -p1 < changes.patch

If you are not using git, stacked git (stgit), or some other tool which can
generate patch files for you automatically, you may find the following command
helpful in generating patches, where "netlabel_tools.orig/" is the unmodified
source code directory and "netlabel_tools/" is the source code directory with
your changes:

    # diff -purN netlabel_tools.orig/ netlabel_tools/

When in doubt please generate your patch and try applying it to an unmodified
copy of the sources; if it fails for you, it will fail for the rest of us.

Finally, you will need to email your patches to the mailing list so they can
be reviewed and potentially merged into the main repository. When sending
patches to the mailing list it is important to send your email in text form,
no HTML mail please, and ensure that your email client does not mangle your
patches. It should be possible to save your raw email to disk and apply it
directly to the source code; if that fails then you likely have a problem with
your email client. When in doubt try a test first by sending yourself an email
with your patch and attempting to apply the emailed patch to the source
repository; if it fails for you, it will fail for the rest of us trying to test
your patch and include it in the main source repository.
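The three checks this guide asks for, written out as an added example (not the project's own tooling): read a unified diff, strip one leading path component the way `patch -p1` does, dry-run the hunks against an in-memory copy of the unmodified tree, and confirm a Signed-off-by line is present. The tree contents, the patch and the `netlabelctl` change it makes are constructed for the demo; the per-line tag check is also what catches a mail client that strips the leading space from context lines.

```python
# Added example, not project code: an offline version of the pre-submit checks that
# CONTRIBUTING.md asks for (unified format, clean `patch -p1`, Signed-off-by line).
import re

HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")

def strip_p1(header_path):
    """'---'/'+++' path -> tree path as `patch -p1` sees it (a/x/y -> x/y)."""
    path = header_path.split("\t")[0]          # drop diff(1)'s timestamp column
    if path == "/dev/null":                    # file being created or deleted
        return None
    return path.split("/", 1)[-1]

def parse_patch(text):
    """Return [(old_path, new_path, [(old_start, hunk_lines)])] for a unified diff."""
    lines = [ln for ln in text.splitlines() if not ln.startswith("\\")]  # '\ No newline'
    i, files = 0, []
    while i < len(lines):
        if not lines[i].startswith("--- "):      # description, 'diff ...', 'Only in'
            i += 1
            continue
        if not lines[i + 1].startswith("+++ "):
            raise ValueError("'--- ' header without '+++ ' at line %d" % (i + 1))
        old, new = strip_p1(lines[i][4:]), strip_p1(lines[i + 1][4:])
        i, hunks = i + 2, []
        while i < len(lines) and lines[i].startswith("@@"):
            m = HUNK_RE.match(lines[i])
            if not m:
                raise ValueError("malformed hunk header at line %d" % (i + 1))
            old_start, old_len = int(m.group(1)), int(m.group(2) or 1)
            new_len, i = int(m.group(4) or 1), i + 1
            body, seen_old, seen_new = [], 0, 0
            while seen_old < old_len or seen_new < new_len:   # count both sides
                line, i = lines[i], i + 1
                tag = line[:1] or " "            # some tools emit bare empty context
                if tag not in " -+":             # e.g. a mail client ate the space
                    raise ValueError("bad hunk line %d: %r" % (i, line))
                seen_old += tag != "+"
                seen_new += tag != "-"
                body.append(line)
            hunks.append((old_start,  body))
        files.append((old, new, hunks))
    return files

def dry_run_apply(tree, files):
    """Apply hunks to a copy of tree {path: [lines]}; ValueError on any mismatch."""
    tree = {p: list(v) for p, v in tree.items()}
    for old, new, hunks in files:
        if old is not None and old not in tree:
            raise ValueError("%s: no such file in tree" % old)
        cur = [] if old is None else tree.pop(old)   # None: file being created
        orig_len = len(cur)                      # hunk offsets refer to the old file
        for old_start, body in hunks:
            pos = max(old_start - 1, 0) + len(cur) - orig_len
            for line in body:
                tag, text = line[:1] or " ", line[1:]
                if tag != "+" and (pos >= len(cur) or cur[pos] != text):
                    raise ValueError("%s: mismatch at line %d" % (old or new, pos + 1))
                if tag == "-":
                    del cur[pos]
                    continue
                if tag == "+":
                    cur.insert(pos, text)
                pos += 1
        if new is not None:                      # None: file being deleted
            tree[new] = cur
    return tree

def check_patch(text, tree):
    """Return the list of problems; an empty list means the patch is ready to post."""
    problems = []
    if not re.search(r"^Signed-off-by: \S", text, re.M):
        problems.append("no Signed-off-by line in the patch description")
    try:
        dry_run_apply(tree, parse_patch(text))
    except (ValueError, IndexError) as err:
        problems.append("patch -p1 would fail: %s" % err)
    return problems

# Constructed sample input (not real NetLabel source): a stand-in for the unmodified
# netlabel_tools.orig/ tree and a 'diff -purN' style patch against it.
ORIG_TREE = {"netlabelctl/main.c": ["int main(void)", "{", "    return run();", "}"]}
GOOD_PATCH = """\
netlabelctl: reset the verbose flag before running (invented change)

Signed-off-by: Random J Developer
diff -purN netlabel_tools.orig/netlabelctl/main.c netlabel_tools/netlabelctl/main.c
--- netlabel_tools.orig/netlabelctl/main.c\t2016-12-08 10:00:00.000000000 -0500
+++ netlabel_tools/netlabelctl/main.c\t2016-12-08 10:05:00.000000000 -0500
@@ -1,4 +1,5 @@
 int main(void)
 {
+    opt_verbose = 0;
     return run();
 }
"""
NO_SIGNOFF_PATCH = GOOD_PATCH.replace("Signed-off-by: Random J Developer\n", "")
```

`check_patch(GOOD_PATCH, ORIG_TREE)` returns an empty list, while the same patch against a tree whose `main.c` has drifted reports the first context line that no longer matches, as `patch -p1` would.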

### Submitting via GitHub

See [this guide](https://help.github.com/en/github/collaborating-with-issues-and-pull-requests/creating-a-pull-request) if you've never done this before.

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
                    GNU GENERAL PUBLIC LICENSE
                       Version 2, June 1991

 Copyright (C) 1989, 1991 Free Software Foundation, Inc.
 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 Everyone is permitted to copy and distribute verbatim copies
 of this license document, but changing it is not allowed.

                            Preamble

  The licenses for most software are designed to take away your
freedom to share and change it.  By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users.  This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it.  (Some other Free Software Foundation software is covered by
the GNU Lesser General Public License instead.)  You can apply it to
your programs, too.

  When we speak of free software, we are referring to freedom, not
price.  Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it
if you want it, that you can change the software or use pieces of it
in new free programs; and that you know you can do these things.

  To protect your rights, we need to make restrictions that forbid
anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.

  For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that
you have.  You must make sure that they, too, receive or can get the
source code.  And you must show them these terms so they know their
rights.

  We protect your rights with two steps: (1) copyright the software, and
(2) offer you this license which gives you legal permission to copy,
distribute and/or modify the software.

  Also, for each author's protection and ours, we want to make certain
that everyone understands that there is no warranty for this free
software.  If the software is modified by someone else and passed on, we
want its recipients to know that what they have is not the original, so
that any problems introduced by others will not reflect on the original
authors' reputations.

  Finally, any free program is threatened constantly by software
patents.  We wish to avoid the danger that redistributors of a free
program will individually obtain patent licenses, in effect making the
program proprietary.  To prevent this, we have made it clear that any
patent must be licensed for everyone's free use or not licensed at all.

  The precise terms and conditions for copying, distribution and
modification follow.

                    GNU GENERAL PUBLIC LICENSE
   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

  0. This License applies to any program or other work which contains
a notice placed by the copyright holder saying it may be distributed
under the terms of this General Public License.  The "Program", below,
refers to any such program or work, and a "work based on the Program"
means either the Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it,
either verbatim or with modifications and/or translated into another
language.  (Hereinafter, translation is included without limitation in
the term "modification".)  Each licensee is addressed as "you".

Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope.  The act of
running the Program is not restricted, and the output from the Program
is covered only if its contents constitute a work based on the
Program (independent of having been made by running the Program).
Whether that is true depends on what the Program does.

  1. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.

You may charge a fee for the physical act of transferring a copy, and
you may at your option offer warranty protection in exchange for a fee.

  2. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:

    a) You must cause the modified files to carry prominent notices
    stating that you changed the files and the date of any change.

    b) You must cause any work that you distribute or publish, that in
    whole or in part contains or is derived from the Program or any
    part thereof, to be licensed as a whole at no charge to all third
    parties under the terms of this License.

    c) If the modified program normally reads commands interactively
    when run, you must cause it, when started running for such
    interactive use in the most ordinary way, to print or display an
    announcement including an appropriate copyright notice and a
    notice that there is no warranty (or else, saying that you provide
    a warranty) and that users may redistribute the program under
    these conditions, and telling the user how to view a copy of this
    License.  (Exception: if the Program itself is interactive but
    does not normally print such an announcement, your work based on
    the Program is not required to print an announcement.)

These requirements apply to the modified work as a whole.  If
identifiable sections of that work are not derived from the Program,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works.  But when you
distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote it.

Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Program.

In addition, mere aggregation of another work not based on the Program
with the Program (or with a work based on the Program) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.

  3. You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following:

    a) Accompany it with the complete corresponding machine-readable
    source code, which must be distributed under the terms of Sections
    1 and 2 above on a medium customarily used for software interchange; or,

    b) Accompany it with a written offer, valid for at least three
    years, to give any third party, for a charge no more than your
    cost of physically performing source distribution, a complete
    machine-readable copy of the corresponding source code, to be
    distributed under the terms of Sections 1 and 2 above on a medium
    customarily used for software interchange; or,

    c) Accompany it with the information you received as to the offer
    to distribute corresponding source code.  (This alternative is
    allowed only for noncommercial distribution and only if you
    received the program in object code or executable form with such
    an offer, in accord with Subsection b above.)

The source code for a work means the preferred form of the work for
making modifications to it.  For an executable work, complete source
code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to
control compilation and installation of the executable.  However, as a
special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable.

If distribution of executable or object code is made by offering
access to copy from a designated place, then offering equivalent
access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not
compelled to copy the source along with the object code.

  4. You may not copy, modify, sublicense, or distribute the Program
except as expressly provided under this License.  Any attempt
otherwise to copy, modify, sublicense or distribute the Program is
void, and will automatically terminate your rights under this License.
However, parties who have received copies, or rights, from you under
this License will not have their licenses terminated so long as such
parties remain in full compliance.

  5. You are not required to accept this License, since you have not
signed it.  However, nothing else grants you permission to modify or
distribute the Program or its derivative works.  These actions are
prohibited by law if you do not accept this License.  Therefore, by
modifying or distributing the Program (or any work based on the
Program), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Program or works based on it.

  6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program subject to
these terms and conditions.  You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to
this License.

  7. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License.  If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Program at all.  For example, if a patent
license would not permit royalty-free redistribution of the Program by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Program.

If any portion of this section is held invalid or unenforceable under
any particular circumstance, the balance of the section is intended to
apply and the section as a whole is intended to apply in other
circumstances.

It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system, which is
implemented by public license practices.  Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.

This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.

  8. If the distribution and/or use of the Program is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Program under this License
may add an explicit geographical distribution limitation excluding
those countries, so that distribution is permitted only in or among
countries not thus excluded.  In such case, this License incorporates
the limitation as if written in the body of this License.

  9. The Free Software Foundation may publish revised and/or new versions
of the General Public License from time to time.  Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.

Each version is given a distinguishing version number.  If the Program
specifies a version number of this License which applies to it and "any
later version", you have the option of following the terms and conditions
either of that version or of any later version published by the Free
Software Foundation.  If the Program does not specify a version number of
this License, you may choose any version ever published by the Free Software
Foundation.

  10. If you wish to incorporate parts of the Program into other free
programs whose distribution conditions are different, write to the author
to ask for permission.  For software which is copyrighted by the Free
Software Foundation, write to the Free Software Foundation; we sometimes
make exceptions for this.  Our decision will be guided by the two goals
of preserving the free status of all derivatives of our free software and
of promoting the sharing and reuse of software generally.

                            NO WARRANTY

  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.

  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.

                     END OF TERMS AND CONDITIONS

            How to Apply These Terms to Your New Programs

  If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.

  To do so, attach the following notices to the program.  It is safest
to attach them to the start of each source file to most effectively
convey the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.


    Copyright (C)

    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 2 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program; if not, write to the Free Software
    Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA


Also add information on how to contact you by electronic and paper mail.

If the program is interactive, make it output a short notice like this
when it starts in an interactive mode:

    Gnomovision version 69, Copyright (C) year name of author
    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
    This is free software, and you are welcome to redistribute it
    under certain conditions; type `show c' for details.
320 | 321 | The hypothetical commands `show w' and `show c' should show the appropriate 322 | parts of the General Public License. Of course, the commands you use may 323 | be called something other than `show w' and `show c'; they could even be 324 | mouse-clicks or menu items--whatever suits your program. 325 | 326 | You should also get your employer (if you work as a programmer) or your 327 | school, if any, to sign a "copyright disclaimer" for the program, if 328 | necessary. Here is a sample; alter the names: 329 | 330 | Yoyodyne, Inc., hereby disclaims all copyright interest in the program 331 | `Gnomovision' (which makes passes at compilers) written by James Hacker. 332 | 333 | , 1 April 1989 334 | Ty Coon, President of Vice 335 | 336 | This General Public License does not permit incorporating your program into 337 | proprietary programs. If your program is a subroutine library, you may 338 | consider it more useful to permit linking proprietary applications with the 339 | library. If this is what you want to do, use the GNU Lesser General 340 | Public License instead of this License. 341 | -------------------------------------------------------------------------------- /Makefile.am: -------------------------------------------------------------------------------- 1 | # 2 | # NetLabel Tools Makefile 3 | # 4 | # Author: Paul Moore 5 | # 6 | 7 | # 8 | # This program is free software: you can redistribute it and/or modify 9 | # it under the terms of version 2 of the GNU General Public License as 10 | # published by the Free Software Foundation. 11 | # 12 | # This program is distributed in the hope that it will be useful, 13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | # GNU General Public License for more details. 16 | # 17 | # You should have received a copy of the GNU General Public License 18 | # along with this program. If not, see . 
19 | # 20 | 21 | ACLOCAL_AMFLAGS = -I m4 22 | SUBDIRS = include libnetlabel netlabelctl tests doc 23 | 24 | EXTRA_DIST = CHANGELOG LICENSE README SUBMITTING_PATCHES 25 | 26 | # support silent builds 27 | AM_MAKEFLAGS_0 = --quiet --no-print-directory 28 | AM_MAKEFLAGS_1 = 29 | AM_MAKEFLAGS_ = ${AM_MAKEFLAGS_0} 30 | AM_MAKEFLAGS = ${AM_MAKEFLAGS_@AM_V@} 31 | 32 | # support systemd/distcheck 33 | # -> http://www.freedesktop.org/software/systemd/man/daemon.html 34 | DISTCHECK_CONFIGURE_FLAGS = \ 35 | --with-systemdsystemunitdir=$$dc_install_base/$(systemdsystemunitdir) 36 | 37 | check-syntax: 38 | @./tools/check-syntax 39 | 40 | if COVERITY 41 | coverity-build: clean 42 | cov-build --dir cov-int ${MAKE} ${AM_MAKEFLAGS} 43 | endif 44 | 45 | if COVERITY 46 | coverity-tarball: coverity-build 47 | @if git rev-parse HEAD &> /dev/null; then \ 48 | rev_full=$$(git rev-parse HEAD); \ 49 | rev=$$(echo $$rev_full | cut -c1-8); \ 50 | else \ 51 | rev_full=$$(date --iso-8601=date); \ 52 | rev=$$rev_full; \ 53 | fi; \ 54 | tar czf netlabel_tools-coverity_$$rev.tar.gz cov-int; \ 55 | echo " HEAD revision: $$rev_full"; \ 56 | ls -l netlabel_tools-coverity_$$rev.tar.gz 57 | endif 58 | 59 | clean-local: 60 | ${RM} -rf cov-int netlabel_tools-coverity_*.tar.gz 61 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | Management Tools for the Linux NetLabel Subsystem 2 | ============================================================================== 3 | https://github.com/netlabel/netlabel_tools 4 | 5 | ## Online Resources 6 | 7 | The library source repository currently lives on GitHub at the following URL: 8 | 9 | * https://github.com/netlabel/netlabel_tools 10 | 11 | The project mailing list is currently hosted on Google Groups at the URL below, 12 | please note that a Google account is not required to subscribe to the mailing 13 | list. 
14 | 15 | * https://groups.google.com/d/forum/netlabel 16 | 17 | ## Documentation 18 | 19 | The "doc/" directory contains all of the currently available documentation, 20 | mostly in the form of manpages. The top level directory also contains a README 21 | file (this file) as well as the LICENSE, SUBMITTING_PATCHES, and CHANGELOG 22 | files. 23 | 24 | Those who are interested in contributing to the project are encouraged to 25 | read the SUBMITTING_PATCHES file in the top level directory. 26 | 27 | ## Building and Installing 28 | 29 | If you are building the NetLabel tools package from an official release 30 | tarball, you should follow the familiar three step process used by most 31 | autotools based applications: 32 | 33 | % ./configure 34 | % make [V=0|1] 35 | % make install 36 | 37 | However, if you are building the library from sources retrieved from the source 38 | repository you may need to run the autogen.sh script before running configure. 39 | In both cases, running "./configure -h" will display a list of build-time 40 | configuration options. 41 | 42 | ## NetLabel Configuration Quick Start 43 | 44 | This section assumes you are already running a kernel with NetLabel support; 45 | if you are not, please configure your kernel for NetLabel support before going 46 | any further. Once you have unpacked the NetLabel tools tarball and built the 47 | netlabelctl management application as described above, you can proceed with 48 | the following configuration steps.
49 | 50 | If you are unsure about the necessary kernel support, or even the current 51 | NetLabel configuration, you can both verify the kernel and display the current 52 | configuration with the following commands: 53 | 54 | % netlabelctl -p cipso list 55 | % netlabelctl -p map list 56 | 57 | If you see any configured CIPSO definitions you can remove them with the 58 | following command: 59 | 60 | % netlabelctl -p cipso del doi: 61 | 62 | If you see any domain mappings you can remove them with the following command: 63 | 64 | % netlabelctl -p map del domain: 65 | 66 | You can remove the default domain mapping with the command below, although 67 | you should proceed with caution as outbound traffic without an associated 68 | mapping is dropped. 69 | 70 | % netlabelctl -p map del default 71 | 72 | Finally, you can set NetLabel to allow or deny incoming unlabeled packets with 73 | the following command: 74 | 75 | % netlabelctl -p unlbl accept on|off 76 | 77 | Now that you have removed any existing NetLabel configuration you can set up a 78 | basic CIPSO configuration. The first step is to add a CIPSO/IPv4 definition 79 | to the kernel. The command below creates a CIPSO/IPv4 definition using a DOI 80 | value of 1, the restrictive bitmap tag type (value 1), and a pass-through mapping, 81 | meaning the CIPSO MLS values are passed straight through to the LSM. 82 | 83 | % netlabelctl cipso add pass doi:1 tags:1 84 | 85 | The next step is to tell the NetLabel system to use this CIPSO/IPv4 definition 86 | by default. You do that with the following command: 87 | 88 | % netlabelctl map add default protocol:cipso,1 89 | 90 | You can verify that everything is configured correctly with the following two 91 | commands: 92 | 93 | % netlabelctl -p cipso list doi:1 94 | % netlabelctl -p map list 95 | 96 | For a more in depth explanation of configuring NetLabel on your Linux system, 97 | please see the information in the "doc/" directory.
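The quick start above, wrapped into a checked shell script. This is an added example and is not part of netlabel_tools: the function names and the `NETLABELCTL` variable (which lets the script be pointed at a stub for a dry run) are assumptions of mine; the netlabelctl invocations are exactly the ones listed in the quick start. The script adds the CIPSO definition before it touches the default mapping: the README warns that outbound traffic with no mapping is dropped, so the window between deleting and re-adding the default mapping should be as short as possible, and the DOI is validated before anything is sent to the kernel.

```shell
#!/bin/sh
# Added example, not netlabel_tools code. Drives the README quick start with
# a validated DOI and a deliberate ordering of operations. NETLABELCTL is an
# assumption so the same functions can be run against a stub (dry run).
set -eu

NETLABELCTL="${NETLABELCTL:-netlabelctl}"

# A CIPSO DOI is an unsigned 32-bit value; 0 is the reserved "unknown" DOI.
# The length check keeps the numeric comparisons inside 64-bit range.
valid_doi() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ ${#1} -le 10 ] && [ "$1" -ge 1 ] && [ "$1" -le 4294967295 ]
}

# Configure a pass-through CIPSO/IPv4 definition for DOI $1 and make it the
# default mapping, then list both so the result can be eyeballed.
# Order: add the DOI first (it has no effect until mapped), only then swap
# the default mapping, because traffic without a mapping is dropped while
# the default mapping is absent.
netlabel_cipso_passthrough() {
    doi="$1"
    valid_doi "$doi" || { echo "invalid DOI: $doi" >&2; return 2; }
    "$NETLABELCTL" cipso add pass "doi:$doi" tags:1
    # the default mapping may not exist yet; that is not fatal here
    "$NETLABELCTL" map del default || true
    "$NETLABELCTL" map add default "protocol:cipso,$doi"
    "$NETLABELCTL" -p cipso list "doi:$doi"
    "$NETLABELCTL" -p map list
}
```

To run it for real: `. ./quickstart.sh; netlabel_cipso_passthrough 1` as root. For a dry run, set `NETLABELCTL` to a shell function that only records its arguments, which is also how the sequence can be checked without a NetLabel-enabled kernel.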
98 | -------------------------------------------------------------------------------- /autogen.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh -e 2 | 3 | # 4 | # NetLabel Tools Autotools Configure Script 5 | # 6 | 7 | # 8 | # This program is free software: you can redistribute it and/or modify 9 | # it under the terms of version 2 of the GNU General Public License as 10 | # published by the Free Software Foundation. 11 | # 12 | # This program is distributed in the hope that it will be useful, 13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | # GNU General Public License for more details. 16 | # 17 | # You should have received a copy of the GNU General Public License 18 | # along with this program. If not, see . 19 | 20 | test -d m4 || mkdir m4 21 | autoreconf -fi 22 | rm -rf autom4te.cache 23 | -------------------------------------------------------------------------------- /configure.ac: -------------------------------------------------------------------------------- 1 | dnl # 2 | dnl # NetLabel Tools 3 | dnl # 4 | dnl # Author: Paul Moore 5 | dnl # 6 | 7 | dnl # 8 | dnl # This program is free software: you can redistribute it and/or modify 9 | dnl # it under the terms of version 2 of the GNU General Public License as 10 | dnl # published by the Free Software Foundation. 11 | dnl # 12 | dnl # This program is distributed in the hope that it will be useful, 13 | dnl # but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | dnl # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | dnl # GNU General Public License for more details. 16 | dnl # 17 | dnl # You should have received a copy of the GNU General Public License 18 | dnl # along with this program. If not, see . 
19 | dnl # 20 | 21 | dnl #### 22 | dnl netlabel_tools defines 23 | dnl #### 24 | AC_INIT([netlabel_tools], [0.30.0]) 25 | 26 | dnl #### 27 | dnl autoconf configuration 28 | dnl #### 29 | AC_CONFIG_AUX_DIR([build-aux]) 30 | AC_CONFIG_HEADERS([configure.h]) 31 | AC_CONFIG_MACRO_DIR([m4]) 32 | 33 | dnl #### 34 | dnl automake configuration 35 | dnl #### 36 | dnl NOTE: Automake < 1.12 didn't have serial-tests and gives an error if it 37 | dnl sees this, but for automake >= 1.13 serial-tests is required so we have to 38 | dnl include it. Solution is to test for the version of automake (by running 39 | dnl an external command) and provide it if necessary. Note we have to do this 40 | dnl entirely using m4 macros since automake queries this macro by running 41 | dnl 'autoconf --trace ...'. 42 | m4_define([serial_tests], [ 43 | m4_esyscmd([automake --version | 44 | head -1 | 45 | awk '{split ($NF,a,"."); if (a[1] == 1 && a[2] >= 12) { print "serial-tests" }}' 46 | ]) 47 | ]) 48 | dnl # NOTE: do not [quote] this parameter 49 | AM_INIT_AUTOMAKE(-Wall foreign subdir-objects tar-pax serial_tests) 50 | 51 | dnl #### 52 | dnl build tools 53 | dnl #### 54 | AC_PROG_CC 55 | AM_PROG_CC_C_O 56 | m4_ifdef([AM_PROG_AR], [AM_PROG_AR]) 57 | 58 | dnl #### 59 | dnl pkg-config configuration 60 | dnl #### 61 | PKG_PROG_PKG_CONFIG 62 | 63 | dnl #### 64 | dnl libtool configuration 65 | dnl #### 66 | LT_INIT([shared pic-only]) 67 | 68 | dnl #### 69 | dnl enable silent builds by default 70 | dnl #### 71 | m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])]) 72 | 73 | dnl #### 74 | dnl build flags 75 | dnl #### 76 | AM_CPPFLAGS="-I\${top_srcdir}/include" 77 | AM_CFLAGS="-Wall" 78 | AM_LDFLAGS="-Wl,-z -Wl,relro" 79 | AC_SUBST([AM_CPPFLAGS]) 80 | AC_SUBST([AM_CFLAGS]) 81 | AC_SUBST([AM_LDFLAGS]) 82 | 83 | dnl #### 84 | dnl version information 85 | dnl #### 86 | VERSION_MAJOR=$(echo ${VERSION} | cut -d'.' -f 1) 87 | VERSION_MINOR=$(echo ${VERSION} | cut -d'.' 
-f 2) 88 | VERSION_MICRO=$(echo ${VERSION} | cut -d'.' -f 3) 89 | VERSION_STRING=$(echo ${VERSION}) 90 | AC_SUBST([VERSION_MAJOR]) 91 | AC_SUBST([VERSION_MINOR]) 92 | AC_SUBST([VERSION_MICRO]) 93 | AC_SUBST([VERSION_STRING]) 94 | 95 | dnl #### 96 | dnl libnl checks 97 | dnl -> http://www.infradead.org/~tgr/libnl 98 | dnl #### 99 | PKG_CHECK_MODULES(LIBNL3, libnl-3.0 >= 3.0, [have_libnl3=yes], [have_libnl3=no]) 100 | if (test "${have_libnl3}" = "yes"); then 101 | CFLAGS+=" $LIBNL3_CFLAGS" 102 | LIBS+=" $LIBNL3_LIBS" 103 | fi 104 | PKG_CHECK_MODULES(LIBNLGENL3, libnl-genl-3.0 >= 3.0, [have_libnlgenl3=yes], [have_libnlgenl3=no]) 105 | if (test "${have_libnlgenl3}" = "yes"); then 106 | CFLAGS+=" $LIBNLGENL3_CFLAGS" 107 | LIBS+=" $LIBNLGENL3_LIBS" 108 | fi 109 | 110 | dnl #### 111 | dnl systemd checks 112 | dnl -> http://www.freedesktop.org/software/systemd/man/daemon.html 113 | dnl #### 114 | AC_ARG_WITH([systemdsystemunitdir], 115 | [AS_HELP_STRING([--with-systemdsystemunitdir=DIR], [Directory for systemd service files])],, 116 | [with_systemdsystemunitdir=auto]) 117 | AS_IF([test "x$with_systemdsystemunitdir" = "xyes" -o "x$with_systemdsystemunitdir" = "xauto"], 118 | [def_systemdsystemunitdir=$($PKG_CONFIG --variable=systemdsystemunitdir systemd) 119 | AS_IF([test "x$def_systemdsystemunitdir" = "x"], 120 | [AS_IF([test "x$with_systemdsystemunitdir" = "xyes"], 121 | [AC_MSG_ERROR([systemd support requested but pkg-config unable to query systemd package])]) 122 | with_systemdsystemunitdir=no], 123 | [with_systemdsystemunitdir="$def_systemdsystemunitdir"])]) 124 | AS_IF([test "x$with_systemdsystemunitdir" != "xno"], 125 | [AC_SUBST([systemdsystemunitdir], [$with_systemdsystemunitdir])]) 126 | AM_CONDITIONAL([HAVE_SYSTEMD], [test "x$with_systemdsystemunitdir" != "xno"]) 127 | 128 | dnl #### 129 | dnl doxygen checks 130 | dnl #### 131 | AC_CHECK_PROG(have_doxygen, doxygen, "yes", "no") 132 | AM_CONDITIONAL(DOXYGEN, test "$have_doxygen" = yes) 133 | 134 | dnl #### 135 | 
dnl coverity checks 136 | dnl #### 137 | AC_CHECK_PROG(have_coverity, cov-build, "yes", "no") 138 | AM_CONDITIONAL(COVERITY, test "$have_coverity" = yes) 139 | 140 | dnl #### 141 | dnl makefiles 142 | dnl #### 143 | AC_CONFIG_FILES([ 144 | Makefile 145 | include/Makefile 146 | libnetlabel/Makefile 147 | netlabelctl/Makefile 148 | netlabelctl/netlabel.service 149 | doc/Makefile 150 | doc/ru/Makefile 151 | tests/Makefile 152 | ]) 153 | AC_CONFIG_FILES([netlabelctl/netlabel-config], [chmod +x netlabelctl/netlabel-config]) 154 | 155 | dnl #### 156 | dnl done 157 | dnl #### 158 | AC_OUTPUT 159 | -------------------------------------------------------------------------------- /doc/.gitignore: -------------------------------------------------------------------------------- 1 | doxygen 2 | -------------------------------------------------------------------------------- /doc/Makefile.am: -------------------------------------------------------------------------------- 1 | # 2 | # NetLabel Documentation Makefile 3 | # 4 | # Author: Paul Moore 5 | # 6 | 7 | # 8 | # This program is free software: you can redistribute it and/or modify 9 | # it under the terms of version 2 of the GNU General Public License as 10 | # published by the Free Software Foundation. 11 | # 12 | # This program is distributed in the hope that it will be useful, 13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | # GNU General Public License for more details. 16 | # 17 | # You should have received a copy of the GNU General Public License 18 | # along with this program. If not, see . 
19 | # 20 | 21 | EXTRA_DIST = doxyfile 22 | 23 | dist_man8_MANS = \ 24 | man/man8/netlabel-config.8 \ 25 | man/man8/netlabelctl.8 26 | 27 | SUBDIRS = ru 28 | 29 | if DOXYGEN 30 | all-local: doxygen 31 | 32 | clean-local: clean-doxygen 33 | 34 | doxygen: doxyfile 35 | $(AM_V_P) || echo -e " DOXYGEN $<" 36 | doxygen $< 37 | 38 | clean-doxygen: 39 | ${RM} -rf doxygen 40 | endif -------------------------------------------------------------------------------- /doc/man/man8/netlabel-config.8: -------------------------------------------------------------------------------- 1 | .TH "netlabel-config" 8 "31 May 2013" "paul@paul-moore.com" "NetLabel Documentation" 2 | .\" ////////////////////////////////////////////////////////////////////////// 3 | .SH NAME 4 | .\" ////////////////////////////////////////////////////////////////////////// 5 | netlabel-config \- NetLabel configuration utility 6 | .\" ////////////////////////////////////////////////////////////////////////// 7 | .SH SYNOPSIS 8 | .\" ////////////////////////////////////////////////////////////////////////// 9 | .B netlabel-config 10 | reset|load 11 | .\" ////////////////////////////////////////////////////////////////////////// 12 | .SH DESCRIPTION 13 | .\" ////////////////////////////////////////////////////////////////////////// 14 | .P 15 | The NetLabel configuration utility, netlabel-config, is a script designed to 16 | make it easier for system administrators to create, manage, and use complex 17 | NetLabel configurations. The netlabel-config script uses the netlabelctl(8) 18 | tool and /etc/netlabel.rules configuration file to load a saved NetLabel 19 | configuration into the kernel and reset the kernel's NetLabel configuration 20 | to the default state when needed. 21 | .TP 22 | .B reset 23 | Removes any NetLabel configuration loaded into the kernel and resets the 24 | kernel's NetLabel state to the default.
25 | .TP 26 | .B load 27 | Loads the NetLabel configuration specified by /etc/netlabel.rules into the 28 | kernel. 29 | .\" ////////////////////////////////////////////////////////////////////////// 30 | .SH EXIT STATUS 31 | .\" ////////////////////////////////////////////////////////////////////////// 32 | Returns zero on success, errno values on failure. 33 | .\" ////////////////////////////////////////////////////////////////////////// 34 | .SH "NOTES" 35 | .\" ////////////////////////////////////////////////////////////////////////// 36 | .P 37 | The NetLabel subsystem is supported on Linux Kernels version 2.6.19 and later. 38 | The static, or fallback, labels are only supported on Linux Kernels version 39 | 2.6.25 and later. The domain mapping address selectors are only supported on 40 | Linux Kernels 2.6.28 and later and CALIPSO/RFC5570 is only supported on Linux 41 | Kernels 4.8.0 and later. 42 | .P 43 | The NetLabel project site, with more information including the source code 44 | repository, can be found at https://github.com/netlabel. Please report any 45 | bugs at the project site or directly to the author. 
46 | .\" ////////////////////////////////////////////////////////////////////////// 47 | .SH "AUTHOR" 48 | .\" ////////////////////////////////////////////////////////////////////////// 49 | Paul Moore 50 | .\" ////////////////////////////////////////////////////////////////////////// 51 | .SH "SEE ALSO" 52 | .\" ////////////////////////////////////////////////////////////////////////// 53 | .BR netlabelctl (8) 54 | -------------------------------------------------------------------------------- /doc/man/man8/netlabelctl.8: -------------------------------------------------------------------------------- 1 | .TH "netlabelctl" 8 "31 May 2013" "paul@paul-moore.com" "NetLabel Documentation" 2 | .\" ////////////////////////////////////////////////////////////////////////// 3 | .SH NAME 4 | .\" ////////////////////////////////////////////////////////////////////////// 5 | netlabelctl \- NetLabel management utility 6 | .\" ////////////////////////////////////////////////////////////////////////// 7 | .SH SYNOPSIS 8 | .\" ////////////////////////////////////////////////////////////////////////// 9 | .B netlabelctl 10 | [] [] 11 | .\" ////////////////////////////////////////////////////////////////////////// 12 | .SH DESCRIPTION 13 | .\" ////////////////////////////////////////////////////////////////////////// 14 | .P 15 | The NetLabel management utility, netlabelctl, is a command line program 16 | designed to allow system administrators to configure the NetLabel system in the 17 | kernel. The utility is based around different "modules" which correspond to 18 | the different types of NetLabel commands supported by the kernel. 
19 | .\" ////////////////////////////////////////////////////////////////////////// 20 | .SH OPTIONS 21 | .\" ////////////////////////////////////////////////////////////////////////// 22 | .SS Global Flags 23 | .TP 5 24 | .B \-h 25 | Help message 26 | .TP 5 27 | .B \-p 28 | Attempt to make the output human readable or "pretty" 29 | .TP 5 30 | .B \-t 31 | Set a timeout to be used when waiting for the NetLabel subsystem to respond 32 | .TP 5 33 | .B \-v 34 | Enable extra output 35 | .TP 5 36 | .B \-V 37 | Display the version information 38 | .\" ////////////////////////////////////////////////////////////////////////// 39 | .SS Modules and Commands 40 | .TP 5 41 | .B mgmt 42 | .P 43 | The management module is used to perform general queries about the NetLabel 44 | subsystem within the kernel. The different commands and their syntax are 45 | listed below. 46 | .HP 47 | .I version 48 | .br 49 | Display the kernel's NetLabel management protocol version. 50 | .HP 51 | .I protocols 52 | .br 53 | Display the kernel's list of supported labeling protocols. 54 | .TP 5 55 | .B map 56 | .P 57 | The domain mapping module is used to map different NetLabel labeling protocols 58 | to either individual LSM domains or the default domain mapping. It is up to 59 | each LSM to determine what defines a domain. With SELinux, the normal SELinux 60 | domain should be used, i.e. "ping_t" (however see the 61 | .B NOTES 62 | section below regarding SElinux). In addition to protocol selection based 63 | only on the LSM domain, it is also possible to select the labeling protocol 64 | based on both the LSM domain and destination address. The network address 65 | selectors can specify either single hosts or entire networks and work for both 66 | IPv4 and IPv6, although the labeling protocol chosen must support the IP 67 | version chosen. 
When specifying the labeling protocol to use for each mapping 68 | there is an optional "extra" field which is used to further identify the 69 | specific labeling protocol configuration. When specifying the unlabeled 70 | protocol, "unlbl", an extra value of either "4" or "6" may be used. This 71 | restricts the mapping to IPv4 or IPv6 addresses. Omitting the extra value will 72 | result in a mapping for all address families. When specifying the CIPSO/IPv4 73 | or the CALIPSO/IPv6 protocol, "cipso" or "calipso", the DOI value should be 74 | specified; see the EXAMPLES section for details. The different commands and their 75 | syntax are listed below. 76 | .HP 77 | .I add default|domain: [address:[/]] protocol:[,] 78 | .br 79 | Add a new LSM domain / network address to NetLabel protocol mapping. 80 | .HP 81 | .I del default|domain: 82 | .br 83 | Delete an existing LSM domain to NetLabel protocol mapping. 84 | .HP 85 | .I list 86 | .br 87 | Display all of the configured LSM domain to NetLabel protocol mappings. 88 | .TP 5 89 | .B unlbl 90 | .P 91 | The unlabeled (unlbl) module controls the unlabeled protocol which is used both 92 | when labeling outgoing traffic is not desired as well as when unlabeled 93 | traffic is received by the system. This module allows administrators to block 94 | all unlabeled packets from the system through the "accept" flag and assign 95 | static, or fallback, security labels to unlabeled traffic based on the inbound 96 | network interface and source address. 97 | .HP 98 | .I accept on|off 99 | .br 100 | Toggle the unlabeled traffic accept flag. 101 | .HP 102 | .I add default|interface: address:[/] label:
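A small validator for the map add syntax described in the map module section above, as an added example that is not part of netlabel_tools or its manpage. It encodes the rules the section states (unlbl takes an optional extra of 4 or 6 that restricts the address family, cipso/cipsov4 is an IPv4 protocol and calipso an IPv6 one, and both need a DOI as the extra value) and emits the netlabelctl argument list only when the target, address selector and protocol are mutually consistent. The function names and error messages are assumptions of mine; the argument syntax is the manpage's.

```shell
#!/bin/sh
# Added example, not netlabel_tools code. Builds a "netlabelctl map add"
# argument list and rejects combinations the labeling protocol cannot serve,
# so a mistake is caught before it reaches the kernel.
set -eu

# Print 4 or 6 for an address selector (optional /prefix allowed), else fail.
addr_family() {
    a="${1%%/*}"
    case "$a" in
        *:*) echo 6 ;;
        *.*.*.*) echo 4 ;;
        *) return 1 ;;
    esac
}

# Usage: map_add_cmd <default|domain:NAME> <protocol> [extra] [address[/prefix]]
# Prints the netlabelctl arguments on stdout, or returns 1 with a reason on
# stderr. The protocol names are the ones netlabelctl accepts.
map_add_cmd() {
    target="$1"; proto="$2"; extra="${3:-}"; addr="${4:-}"
    fam=""
    if [ -n "$addr" ]; then
        fam=$(addr_family "$addr") || { echo "bad address selector: $addr" >&2; return 1; }
    fi
    case "$proto" in
        unlbl)
            # extra is optional and, when given, pins the address family
            case "$extra" in ''|4|6) ;; *) echo "unlbl extra must be 4 or 6" >&2; return 1 ;; esac
            if [ -n "$fam" ] && [ -n "$extra" ] && [ "$fam" != "$extra" ]; then
                echo "unlbl,$extra does not match an IPv$fam selector" >&2; return 1
            fi ;;
        cipso|cipsov4|calipso)
            # extra is the DOI and is mandatory for these protocols
            case "$extra" in ''|*[!0-9]*) echo "$proto needs a numeric DOI" >&2; return 1 ;; esac
            want=4; [ "$proto" = calipso ] && want=6
            if [ -n "$fam" ] && [ "$fam" != "$want" ]; then
                echo "$proto requires an IPv$want address selector" >&2; return 1
            fi ;;
        *) echo "unknown protocol: $proto" >&2; return 1 ;;
    esac
    out="map add $target"
    [ -n "$addr" ] && out="$out address:$addr"
    out="$out protocol:$proto"
    [ -n "$extra" ] && out="$out,$extra"
    printf '%s\n' "$out"
}
```

Typical use is `netlabelctl $(map_add_cmd domain:ping_t cipso 1 10.0.0.0/8)`; a CALIPSO mapping with an IPv4 selector, or a CIPSO mapping with no DOI, is refused before netlabelctl is ever run.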