Initial commit using netlabel_tools-0.16.tar.gz as the source.

CHANGELOG

@@ -0,0 +1,46 @@
+NetLabel Tools CHANGELOG
+==============================================================================
+
+* Version 0.16 (August 3, 2006)
+------------------------------------------------------------------------------
+o Added a "version" flag (-V)
+o Moved the mapping commands to the new "map" class
+o Added support for the unlabeled list command
+o Updated the documentation to bring it up to date with the current options
+o Cleanup the libnetlabel interfaces a little bit
+o Shift to using NETLINK attributes, at some point we should use libnetlink
+
+* Version 0.15 (July 6, 2006)
+------------------------------------------------------------------------------
+o Modified the NETLINK communication bits to support the newly aligned fields
+
+* Version 0.14 (June 27, 2006)
+------------------------------------------------------------------------------
+o Added a RPM specfile based on a version from Steve Grubb <[email protected]>
+o Minor Makefile changes to ease tarball and RPM creation
+o Modified the NETLINK communication bits to support the new Generic NETLINK
+  communication mechanism
+
+* Version 0.13 (June 23, 2006)
+------------------------------------------------------------------------------
+o Added some text to the README to explain how to remove any pre-existing
+  NetLabel configuration
+o Added two patches from Klaus Weidner <[email protected]> to add some error
+  messages and better sendmsg() error reporting
+o Fixed some compiler warnings (added -Wall to CFLAGS) on Klaus' recomendation
+
+* Version 0.12 (June 13, 2006)
+------------------------------------------------------------------------------
+o Added support for the new CIPSO_V4_MAP_PASS CIPSO mapping type
+
+* Version 0.11 (June 7, 2006)
+------------------------------------------------------------------------------
+o Corrected a problem with the netlabel.h header file
+
+* Version 0.11 (June 6, 2006)
+------------------------------------------------------------------------------
+o Changed the libnetlabel to reflect changes to the NetLabel protocol
+
+* Version 0.10 (May 1, 2006)
+------------------------------------------------------------------------------
+o Initial version

Makefile

@@ -0,0 +1,90 @@
+#
+# NetLabel Tools Makefile
+#
+# NetLabel Tools are a collection of user space programs and libraries for
+# working with the Linux NetLabel subsystem.  The NetLabel subsystem manages
+# static and dynamic label mappings for network protocols such as CIPSO and
+# RIPSO.
+#
+# Author: Paul Moore <[email protected]>
+#
+
+#
+# (c) Copyright Hewlett-Packard Development Company, L.P., 2006
+#
+# This program is free software;  you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY;  without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
+# the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program;  if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+
+#
+# macros
+#
+
+include macros.mk
+
+#
+# configuration
+#
+
+INSTALL_PREFIX = /usr/local
+
+INSTALL_SBIN_DIR = $(INSTALL_PREFIX)/sbin
+INSTALL_BIN_DIR = $(INSTALL_PREFIX)/bin
+INSTALL_MAN_DIR = $(INSTALL_PREFIX)/share/man
+
+OWNER = root
+GROUP = root
+
+#
+# targets
+#
+
+SUBDIRS = libnetlabel netlabelctl
+
+.PHONY: tarball install clean $(SUBDIRS)
+
+all: $(SUBDIRS)
+
+$(SUBDIRS):
+	@echo "INFO: entering directory $@/ ..."
+	@$(MAKE) -s -C $@
+
+tarball: clean
+	@name=$$(grep "^Name:" netlabel_tools.spec | awk '{ print $$2 }'); \
+	ver=$$(grep "^Version:" netlabel_tools.spec | awk '{ print $$2 }'); \
+	tarball=$$name-$$ver.tar.gz; \
+	echo "INFO: creating the tarball ../$$tarball"; \
+	tmp_dir=$$(mktemp -d /tmp/netlabel_tools.XXXXX); \
+	rel_dir=$$tmp_dir/$$name-$$ver; \
+	mkdir $$rel_dir; \
+	tar cf - . | (cd $$rel_dir; tar xf -); \
+	(cd $$tmp_dir; tar zcf $$tarball $$name-$$ver); \
+	mv $$tmp_dir/$$tarball ..; \
+	rm -rf $$tmp_dir;
+
+install: $(SUBDIRS)
+	@echo "INFO: installing files in $(INSTALL_PREFIX)"
+	@mkdir -p $(INSTALL_SBIN_DIR)
+	@mkdir -p $(INSTALL_MAN_DIR)/man8
+	@install -o $(OWNER) -g $(GROUP) -m 755 netlabelctl/netlabelctl \
+	 $(INSTALL_SBIN_DIR)/netlabelctl
+	@install -o $(OWNER) -g $(GROUP) -m 644 docs/man/netlabelctl.8 \
+	 $(INSTALL_MAN_DIR)/man8
+
+clean:
+	@for dir in $(SUBDIRS); do \
+		echo "INFO: cleaning in $$dir/"; \
+		$(MAKE) -s -C $$dir clean; \
+	done
+

README

@@ -0,0 +1,72 @@
+NetLabel Tools README
+==============================================================================
+Paul Moore <[email protected]>
+
+* Note on the Documentation
+
+The text below is intended as a quick start guide to configuring the Linux
+NetLabel subsystm using the tools provided in this package.  For more
+documentation please look in the "docs/" subdirectory.
+
+* Quick Start
+
+The first step is to compile and install the netlabelctl application.  It
+assumes you are already running a kernel with NetLabel support, if you are not
+please configure your kernel for NetLabel support before going any further.
+Once you have unpacked the NetLabel tools tarball run the following to build
+the application:
+
+ # make
+
+Then as root run the following command to install the required files (installs
+to /usr/local by default):
+
+ # make install
+
+Now you can proceed to configuring the NetLabel system in the kernel.  Before
+you begin you first need to see if your kernel is already configured to some
+extent (it probably is), so run the following commands:
+
+ # netlabelctl -p cipsov4 list
+ # netlabelctl -p map list
+
+If you see any configured CIPSO definitions you can remove them with the
+following command:
+
+ # netlabelctl -p cipsov4 del doi:<DOI>
+
+If you see any domain mappings you can remove them with the following command:
+
+ # netlabelctl -p map del domain:<DOMAIN>
+
+You can remove the default domain mapping with this command:
+
+ # netlabelctl -p map del default
+
+Finally, you set NetLabel to allow or deny incoming unlabeled packets with
+the following command:
+
+ # netlabelctl -p unlbl accept on|off
+
+Now that you have removed any existing NetLabel configuration you can setup a
+basic CIPSO configuration.  The first step is to add a CIPSO/IPv4 definition
+to the kernel.  The command below creates a CIPSO/IPv4 definition using a DOI
+value of 1, the permissive bitmask tag, and three levels and categories both
+mapping straight from the CIPSO values to the local values.
+
+ # netlabelctl cipsov4 add std doi:1 tags:1 levels:0=0,1=1,2=2 \
+   categories:0=0,1=1,2=2
+
+The next step is to tell the NetLabel system to use this CIPSO/IPv4 defintion
+by default.  You do that with the following command:
+
+ # netlabelctl map add default protocol:cipsov4,1
+
+You can verify that everything is configured correctly with the following two
+commands:
+
+ # netlabelctl -p cipsov4 list doi:1
+ # netlabelctl -p map list
+
+For a greater explanation of what these commands do please see the "docs/"
+directory, good luck!

docs/libnetlabel.txt

@@ -0,0 +1,5 @@
+NetLabel Library
+==============================================================================
+Paul Moore <[email protected]>
+
+* TBD

docs/man/netlabelctl.8

@@ -0,0 +1,84 @@
+.TH "netlabelctl" 1 "14 July 2006" "[email protected]" "NetLabel Documentation"
+.SH NAME
+netlabelctl \- NetLabel control utility
+.SH SYNOPSIS
+.B netlabelctl
+[<flags>] <module> [<commands>]
+.SH DESCRIPTION
+.B netlabelctl
+allows privileged users to query and manipulate the NetLabel subsystem within
+the kernel.
+.SH OPTIONS
+.TP
+Flags
+.TP
+.B \-h
+Help message
+.TP
+.B \-p
+Attempt to make the output "pretty"
+.TP
+.B \-t <seconds>
+Set a timeout to be used when waiting for the NetLabel subsystem to respond
+.TP
+.B \-v
+Enable extra output
+.TP
+.B \-V
+Display the version information
+.TP
+Modules
+.TP
+.B mgmt
+The following commands are valid within this module
+.nf
+
+version
+protocols
+.fi
+.TP
+.B map
+The following commands are valid within this module
+.nf
+
+add default|domain:<domain> protocol:<protocol>[,<extra>]
+del default|domain:<domain>
+list
+.fi
+.TP
+.B unlbl
+The following commands are valid within this module
+.nf
+
+accept on|off
+list
+.fi
+.TP
+.B cipsov4
+The following commands are valid within this module
+.nf
+
+add std doi:<DOI> tags:<T1>,<Tn> levels:<LL1>=<RL1>,<LLn>=<RLn>
+        categories:<LC1>=<RC1>,<LCn>=<RCn>
+add pass doi:<DOI> tags:<T1>,<Tn>
+del doi:<DOI>
+list [doi:<DOI>]
+.fi
+.SH "EXAMPLES"
+.TP
+.B netlabelctl cipsov4 add std doi:8 tags:1 levels:0=0,1=1 categories:0=1,1=0
+Add a CIPSO/IPv4 mapping with a DOI value of "8", using CIPSO tag "1"
+(the permissive bitmap tag).  The specified mapping converts local LSM levels
+"0" and "1" to CIPSO levels "0" and "1" respectively while local LSM categories
+"0" and "1" are mapped to CIPSO categories "1" and "0" respectively.
+.TP
+.B netlabelctl map add domain:lsm_specific_string protocol:cipsov4,8
+Add a domain mapping so that all outgoing packets asscoiated with the
+specified LSM domain string will be labeled according to the CIPSO/IPv4
+protocol using DOI 8.
+.SH "NOTES"
+This program is currently under development, please report any bugs to the author.
+.SH "AUTHOR"
+Paul Moore <[email protected]>
+.SH "SEE ALSO"
+<other pages to be created at a future date>