netlabel_tools-0.30.0-21

- Improve "help/usage" message
- libnetlabel: fix a header file guard typo
- netlabel-config: Fix IPv4/IPv6 addresses parsing in nlbl_reset_unlbl()
- netlabel: Update man page to clarify SELinux labeling
- tests: add a basic CALIPSO pass through test
- doc: fix a typo in the netlabel-config man page

Resolves: RHEL-38477

0001-netlabel_config-better-error-reporting-on-load.patch

@@ -1,4 +1,4 @@
-From 578a65904ff6426c01d81826873d27d0af35f355 Mon Sep 17 00:00:00 2001
+From dee9c1125bd6abf7cf8763a926307283100137c6 Mon Sep 17 00:00:00 2001
 From: Paul Moore <paul@paul-moore.com>
 Date: Sun, 17 Mar 2019 17:13:55 -0400
 Subject: [PATCH] netlabel_config: better error reporting on load
@@ -36,3 +36,6 @@ index 717d795..15c74f7 100755
  	done < "$CFG_FILE"
  
  	return $ret_rc
+-- 
+2.49.0
+

0002-doc-fix-a-typo-in-the-netlabel-config-man-page.patch

@@ -0,0 +1,27 @@
+From ecc0b5c87d71dfb0a47a2cdec18f35634ecc2cb6 Mon Sep 17 00:00:00 2001
+From: Paul Moore <paul@paul-moore.com>
+Date: Wed, 4 Mar 2020 16:20:02 -0500
+Subject: [PATCH] doc: fix a typo in the netlabel-config man page
+
+Reported-by: choman@gmail.com
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+---
+ doc/man/man8/netlabel-config.8 | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/doc/man/man8/netlabel-config.8 b/doc/man/man8/netlabel-config.8
+index 02f922e..8b2a4c0 100644
+--- a/doc/man/man8/netlabel-config.8
++++ b/doc/man/man8/netlabel-config.8
+@@ -6,7 +6,7 @@ netlabel-config \- NetLabel configuration utility
+ .\" //////////////////////////////////////////////////////////////////////////
+ .SH SYNOPSIS
+ .\" //////////////////////////////////////////////////////////////////////////
+-.B netlabelctl
++.B netlabel-config
+ reset| load
+ .\" //////////////////////////////////////////////////////////////////////////
+ .SH DESCRIPTION
+-- 
+2.49.0
+

0003-tests-add-a-basic-CALIPSO-pass-through-test.patch

@@ -0,0 +1,72 @@
+From 3b77fb8f3ee77244edb256cf51029aa445d7aac4 Mon Sep 17 00:00:00 2001
+From: Paul Moore <paul@paul-moore.com>
+Date: Wed, 3 Mar 2021 17:45:02 -0500
+Subject: [PATCH] tests: add a basic CALIPSO pass through test
+
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+---
+ tests/09-calipso_pass.tests | 52 +++++++++++++++++++++++++++++++++++++
+ 1 file changed, 52 insertions(+)
+ create mode 100755 tests/09-calipso_pass.tests
+
+diff --git a/tests/09-calipso_pass.tests b/tests/09-calipso_pass.tests
+new file mode 100755
+index 0000000..0de1d15
+--- /dev/null
++++ b/tests/09-calipso_pass.tests
+@@ -0,0 +1,52 @@
++#!/bin/bash
++
++#
++# NetLabel Tools test script
++#
++
++#
++# This program is free software: you can redistribute it and/or modify
++# it under the terms of version 2 of the GNU General Public License as
++# published by the Free Software Foundation.
++#
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with this program.  If not, see <http://www.gnu.org/licenses/>.
++#
++
++function doi_remove() {
++	local rc=1
++	while [[ $rc -ne 0 && $rc -lt 3 ]]; do
++		$GLBL_NETLABELCTL calipso del doi:$1
++		[[ $? -ne 0 ]] && rc=$(($rc+1)) || rc=0
++		sleep 1
++	done
++	[[ $rc -ne 0 ]] && exit 1
++}
++
++# add the DOIs
++$GLBL_NETLABELCTL calipso add pass doi:100
++[[ $? -ne 0 ]] && exit 1
++$GLBL_NETLABELCTL calipso add pass doi:101
++[[ $? -ne 0 ]] && exit 1
++$GLBL_NETLABELCTL calipso add pass doi:102
++[[ $? -ne 0 ]] && exit 1
++
++# verify the DOIs
++[[ "$($GLBL_NETLABELCTL calipso list doi:100)" != "type:PASS_THROUGH" ]] \
++	&& exit 1
++[[ "$($GLBL_NETLABELCTL calipso list doi:101)" != "type:PASS_THROUGH" ]] \
++	&& exit 1
++[[ "$($GLBL_NETLABELCTL calipso list doi:102)" != "type:PASS_THROUGH" ]] \
++	&& exit 1
++
++# remove the DOIs
++doi_remove 100
++doi_remove 101
++doi_remove 102
++
++exit 0
+-- 
+2.49.0
+

0004-netlabel-Update-man-page-to-clarify-SELinux-labeling.patch

@@ -0,0 +1,64 @@
+From 633035271a106830f412f2888b491b157ae6036e Mon Sep 17 00:00:00 2001
+From: Richard Haines <richard_c_haines@btinternet.com>
+Date: Tue, 16 Nov 2021 16:38:38 +0000
+Subject: [PATCH] netlabel: Update man page to clarify SELinux labeling
+
+Clarify how SELinux setsockcreatecon(3) and policy socket* class
+type_transition rules can impact domain:<domain> entries.
+
+Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+---
+ doc/man/man8/netlabelctl.8 | 29 ++++++++++++++++++++++++++++-
+ 1 file changed, 28 insertions(+), 1 deletion(-)
+
+diff --git a/doc/man/man8/netlabelctl.8 b/doc/man/man8/netlabelctl.8
+index bb00096..2a7852b 100644
+--- a/doc/man/man8/netlabelctl.8
++++ b/doc/man/man8/netlabelctl.8
+@@ -57,7 +57,9 @@ Display the kernel's list of supported labeling protocols.
+ The domain mapping module is used to map different NetLabel labeling protocols
+ to either individual LSM domains or the default domain mapping.  It is up to
+ each LSM to determine what defines a domain.  With SELinux, the normal SELinux
+-domain should be used, i.e. "ping_t".  In addition to protocol selection based
++domain should be used, i.e. "ping_t" (however see the
++.B NOTES
++section below regarding SElinux).  In addition to protocol selection based
+ only on the LSM domain, it is also possible to select the labeling protocol
+ based on both the LSM domain and destination address.  The network address
+ selectors can specify either single hosts or entire networks and work for both
+@@ -259,6 +261,31 @@ The static, or fallback, labels are only supported on Linux Kernels version
+ Linux Kernels 2.6.28 and later and CALIPSO/RFC5570 is only supported on Linux
+ Kernels 4.8.0 and later.
+ .P
++When using the SELinux LSM, it is generally assumed that the
++.I type
++component of the process security label should be used as the
++.I domain:<domain>
++entry. However, NetLabel services actually use the socket security label to
++determine labeling.  Normally this would be the same
++.I type
++component as the process (as by default the socket inherits the process
++label).  There are cases where this matters, as it is possible with SELinux
++to set a different label on the socket using the libselinux function
++.BR setsockcreatecon (3),
++or a policy socket* class
++.I type_transition
++rule.  Should these be used to change a socket label, then the new socket
++.I type
++must be used in the
++.I domain:<domain>
++entry instead.
++If fallback labeling is configured and a new socket label is set on the
++client, the server will show that label when
++.BR getsockopt (2)
++with
++.I optname=SO_PEERSEC
++is called.
++.P
+ The NetLabel project site, with more information including the source code
+ repository, can be found at https://github.com/netlabel.  Please report any
+ bugs at the project site or directly to the author.
+-- 
+2.49.0
+

0005-netlabel-config-Fix-IPv4-IPv6-addresses-parsing-in-n.patch

@@ -0,0 +1,30 @@
+From baa737bea55071a67879baee07f0be49fb2368e1 Mon Sep 17 00:00:00 2001
+From: Hubert Quarantel-Colombani <hubert.quarantel@ing.com>
+Date: Sun, 12 Dec 2021 08:31:56 +0100
+Subject: [PATCH] netlabel-config: Fix IPv4/IPv6 addresses parsing in
+ nlbl_reset_unlbl()
+
+Make cut retrieve the complete IPv6 address.
+
+Signed-off-by: Hubert Quarantel-Colombani <hubert@quarantel.name>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+---
+ netlabelctl/netlabel-config | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/netlabelctl/netlabel-config b/netlabelctl/netlabel-config
+index 15c74f7..dcb77d4 100755
+--- a/netlabelctl/netlabel-config
++++ b/netlabelctl/netlabel-config
+@@ -37,7 +37,7 @@ function nlbl_reset_unlbl() {
+ 		[[ "$(echo $i | cut -d':' -f 1)" == "accept" ]] && continue
+ 
+ 		local iface=$(echo $i | cut -d',' -f 1 | cut -d':' -f 2)
+-		local addr=$(echo $i | cut -d',' -f 2 | cut -d':' -f 2)
++		local addr=$(echo $i | cut -d',' -f 2 | cut -d':' -f 2-)
+ 		if [[ "$iface" == "DEFAULT" ]]; then
+ 			netlabelctl unlbl del default address:$addr
+ 		else
+-- 
+2.49.0
+

0006-libnetlabel-fix-a-header-file-guard-typo.patch

@@ -0,0 +1,26 @@
+From 6bc161a78f82120744c5d0450745474690d71bcc Mon Sep 17 00:00:00 2001
+From: Paul Moore <paul@paul-moore.com>
+Date: Tue, 4 Feb 2025 10:19:34 -0500
+Subject: [PATCH] libnetlabel: fix a header file guard typo
+
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+---
+ libnetlabel/netlabel_internal.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libnetlabel/netlabel_internal.h b/libnetlabel/netlabel_internal.h
+index a472274..6f66cd6 100644
+--- a/libnetlabel/netlabel_internal.h
++++ b/libnetlabel/netlabel_internal.h
+@@ -22,7 +22,7 @@
+  *
+  */
+ 
+-#ifndef _NETLINK_COMM_H
++#ifndef _NETLINK_COMM_H_
+ #define _NETLINK_COMM_H_
+ 
+ #include <netlink/netlink.h>
+-- 
+2.49.0
+

0007-Improve-help-usage-message.patch

@@ -0,0 +1,31 @@
+From 944411478ab51d5d8ac7f4e52658ade4eb6a3aa1 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Fri, 1 Aug 2025 12:50:24 +0200
+Subject: [PATCH] Improve "help/usage" message
+
+- Document the -V option
+- Add more info to the -t option
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+---
+ netlabelctl/main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/netlabelctl/main.c b/netlabelctl/main.c
+index 0aa1d56..fa4a983 100644
+--- a/netlabelctl/main.c
++++ b/netlabelctl/main.c
+@@ -89,8 +89,9 @@ static void nlctl_help_print(FILE *fp)
+ 		" Flags:\n"
+ 		"   -h        : help/usage message\n"
+ 		"   -p        : make the output pretty\n"
+-		"   -t <secs> : timeout\n"
++		"   -t <secs> : set a timeout for NetLabel subsystem response\n"
+ 		"   -v        : verbose mode\n"
++		"   -V        : display version information\n"
+ 		"\n"
+ 		" Modules and Commands:\n"
+ 		"  mgmt : NetLabel management\n"
+-- 
+2.49.0
+

netlabel_tools.spec

@@ -1,11 +1,18 @@
 Summary: Tools to manage the Linux NetLabel subsystem
 Name: netlabel_tools
 Version: 0.30.0
-Release: 20%{?dist}
+Release: 21%{?dist}
 License: GPL-2.0-only
 URL: https://github.com/netlabel/netlabel_tools
 Source: https://github.com/netlabel/netlabel_tools/releases/download/v%{version}/%{name}-%{version}.tar.gz
-Patch0: rhbz1683434.patch
+# git format-patch -N v0.30.0 --
+Patch0001: 0001-netlabel_config-better-error-reporting-on-load.patch
+Patch0002: 0002-doc-fix-a-typo-in-the-netlabel-config-man-page.patch
+Patch0003: 0003-tests-add-a-basic-CALIPSO-pass-through-test.patch
+Patch0004: 0004-netlabel-Update-man-page-to-clarify-SELinux-labeling.patch
+Patch0005: 0005-netlabel-config-Fix-IPv4-IPv6-addresses-parsing-in-n.patch
+Patch0006: 0006-libnetlabel-fix-a-header-file-guard-typo.patch
+Patch0007: 0007-Improve-help-usage-message.patch
 
 Requires: libnl3
 Requires(post): systemd
@@ -66,6 +73,14 @@ make V=1 DESTDIR="%{buildroot}" install
 %attr(0644,root,root) %config(noreplace) /etc/netlabel.rules
 
 %changelog
+* Fri Aug 01 2025 Vit Mojzis <vmojzis@redhat.com> - 0.30.0-21
+- Improve "help/usage" message (RHEL-38477)
+- libnetlabel: fix a header file guard typo
+- netlabel-config: Fix IPv4/IPv6 addresses parsing in nlbl_reset_unlbl()
+- netlabel: Update man page to clarify SELinux labeling
+- tests: add a basic CALIPSO pass through test
+- doc: fix a typo in the netlabel-config man page
+
 * Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 0.30.0-20
 - Bump release for October 2024 mass rebuild:
   Resolves: RHEL-64018