author: Paul Moore <paul.moore@hp.com> 2006-08-03 19:45:49 -0400
committer: David S. Miller <davem@sunset.davemloft.net> 2006-09-22 17:53:31 -0400
commit: 8802f616f6de8576805f32e47602816f141118f2 (patch)
tree: 0763c745b3b09ebb085b7d8625447e284a5650de /Documentation/netlabel/introduction.txt
parent: a51c64f1e5c2876eab2a32955acd9e8015c91c15 (diff)
[NetLabel]: documentation
Documentation for the NetLabel system, this includes a basic overview of how NetLabel works, how LSM developers can integrate it into their favorite LSM, as well as documentation on the CIPSO related sysctl variables. Also, due to the difficulty of finding expired IETF drafts, I am including the IETF CIPSO draft that is the basis of the NetLabel CIPSO implementation.

Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'Documentation/netlabel/introduction.txt')
-rw-r--r--  Documentation/netlabel/introduction.txt  46
1 file changed, 46 insertions, 0 deletions
diff --git a/Documentation/netlabel/introduction.txt b/Documentation/netlabel/introduction.txt
new file mode 100644
index 000000000000..a4ffba1694c8
--- /dev/null
+++ b/Documentation/netlabel/introduction.txt
@@ -0,0 +1,46 @@
1NetLabel Introduction
2==============================================================================
3Paul Moore, paul.moore@hp.com
4
5August 2, 2006
6
7 * Overview
8
9NetLabel is a mechanism which can be used by kernel security modules to attach
10security attributes to outgoing network packets generated from user space
11applications and read security attributes from incoming network packets. It
12is composed of three main components, the protocol engines, the communication
13layer, and the kernel security module API.
14
15 * Protocol Engines
16
17The protocol engines are responsible for both applying and retrieving the
18network packet's security attributes. If any translation between the network
19security attributes and those on the host are required then the protocol
20engine will handle those tasks as well. Other kernel subsystems should
21refrain from calling the protocol engines directly, instead they should use
22the NetLabel kernel security module API described below.
23
24Detailed information about each NetLabel protocol engine can be found in this
25directory, consult '00-INDEX' for filenames.
26
27 * Communication Layer
28
29The communication layer exists to allow NetLabel configuration and monitoring
30from user space. The NetLabel communication layer uses a message based
31protocol built on top of the Generic NETLINK transport mechanism. The exact
32formatting of these NetLabel messages as well as the Generic NETLINK family
33names can be found in the the 'net/netlabel/' directory as comments in the
34header files as well as in 'include/net/netlabel.h'.
35
36 * Security Module API
37
38The purpose of the NetLabel security module API is to provide a protocol
39independent interface to the underlying NetLabel protocol engines. In addition
40to protocol independence, the security module API is designed to be completely
41LSM independent which should allow multiple LSMs to leverage the same code
42base.
43
44Detailed information about the NetLabel security module API can be found in the
45'include/net/netlabel.h' header file as well as the 'lsm_interface.txt' file
46found in this directory.
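Review bot: the Communication Layer paragraph (new-file line 33) has a doubled word, "in the the 'net/netlabel/' directory"; drop one "the". In the same pass, the Protocol Engines paragraph (lines 18-19) reads "If any translation ... are required", which should be "is required" to agree with the singular "translation". The text also points readers at '00-INDEX' and 'lsm_interface.txt' in this directory and at 'include/net/netlabel.h' for the message formats and Generic NETLINK family names; since this diffstat is limited to introduction.txt, confirm the rest of the series adds those files so the cross-references resolve when the docs land.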