From 295af65518c02563bf1df4752a564f724f35f62e Mon Sep 17 00:00:00 2001 From: Vit Mojzis Date: Fri, 1 Aug 2025 18:10:37 +0200 Subject: [PATCH] netlabel_tools-0.30.0-21 - Improve "help/usage" message - libnetlabel: fix a header file guard typo - netlabel-config: Fix IPv4/IPv6 addresses parsing in nlbl_reset_unlbl() - netlabel: Update man page to clarify SELinux labeling - tests: add a basic CALIPSO pass through test - doc: fix a typo in the netlabel-config man page Resolves: RHEL-38477 --- ...onfig-better-error-reporting-on-load.patch | 5 +- ...typo-in-the-netlabel-config-man-page.patch | 27 +++++++ ...dd-a-basic-CALIPSO-pass-through-test.patch | 72 +++++++++++++++++++ ...man-page-to-clarify-SELinux-labeling.patch | 64 +++++++++++++++++ ...Fix-IPv4-IPv6-addresses-parsing-in-n.patch | 30 ++++++++ ...etlabel-fix-a-header-file-guard-typo.patch | 26 +++++++ 0007-Improve-help-usage-message.patch | 31 ++++++++ netlabel_tools.spec | 19 ++++- 8 files changed, 271 insertions(+), 3 deletions(-) rename rhbz1683434.patch => 0001-netlabel_config-better-error-reporting-on-load.patch (93%) create mode 100644 0002-doc-fix-a-typo-in-the-netlabel-config-man-page.patch create mode 100644 0003-tests-add-a-basic-CALIPSO-pass-through-test.patch create mode 100644 0004-netlabel-Update-man-page-to-clarify-SELinux-labeling.patch create mode 100644 0005-netlabel-config-Fix-IPv4-IPv6-addresses-parsing-in-n.patch create mode 100644 0006-libnetlabel-fix-a-header-file-guard-typo.patch create mode 100644 0007-Improve-help-usage-message.patch diff --git a/rhbz1683434.patch b/0001-netlabel_config-better-error-reporting-on-load.patch similarity index 93% rename from rhbz1683434.patch rename to 0001-netlabel_config-better-error-reporting-on-load.patch index d8aeae1..f484e26 100644 --- a/rhbz1683434.patch +++ b/0001-netlabel_config-better-error-reporting-on-load.patch 
@@ -1,4 +1,4 @@ -From 578a65904ff6426c01d81826873d27d0af35f355 Mon Sep 17 00:00:00 2001 +From dee9c1125bd6abf7cf8763a926307283100137c6 Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Sun, 17 Mar 2019 17:13:55 -0400 Subject: [PATCH] netlabel_config: better error reporting on load @@ -36,3 +36,6 @@ index 717d795..15c74f7 100755 done < "$CFG_FILE" return $ret_rc +-- +2.49.0 + diff --git a/0002-doc-fix-a-typo-in-the-netlabel-config-man-page.patch b/0002-doc-fix-a-typo-in-the-netlabel-config-man-page.patch new file mode 100644 index 0000000..1a2e4b8 --- /dev/null +++ b/0002-doc-fix-a-typo-in-the-netlabel-config-man-page.patch @@ -0,0 +1,27 @@ +From ecc0b5c87d71dfb0a47a2cdec18f35634ecc2cb6 Mon Sep 17 00:00:00 2001 +From: Paul Moore +Date: Wed, 4 Mar 2020 16:20:02 -0500 +Subject: [PATCH] doc: fix a typo in the netlabel-config man page + +Reported-by: choman@gmail.com +Signed-off-by: Paul Moore +--- + doc/man/man8/netlabel-config.8 | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/doc/man/man8/netlabel-config.8 b/doc/man/man8/netlabel-config.8 +index 02f922e..8b2a4c0 100644 +--- a/doc/man/man8/netlabel-config.8 ++++ b/doc/man/man8/netlabel-config.8 +@@ -6,7 +6,7 @@ netlabel-config \- NetLabel configuration utility + .\" ////////////////////////////////////////////////////////////////////////// + .SH SYNOPSIS + .\" ////////////////////////////////////////////////////////////////////////// +-.B netlabelctl ++.B netlabel-config + reset| load + .\" ////////////////////////////////////////////////////////////////////////// + .SH DESCRIPTION +-- +2.49.0 + diff --git a/0003-tests-add-a-basic-CALIPSO-pass-through-test.patch b/0003-tests-add-a-basic-CALIPSO-pass-through-test.patch new file mode 100644 index 0000000..f61ad02 --- /dev/null +++ b/0003-tests-add-a-basic-CALIPSO-pass-through-test.patch 
@@ -0,0 +1,72 @@
+From 3b77fb8f3ee77244edb256cf51029aa445d7aac4 Mon Sep 17 00:00:00 2001
+From: Paul Moore
+Date: Wed, 3 Mar 2021 17:45:02 -0500
+Subject: [PATCH] tests: add a basic CALIPSO pass through test
+
+Signed-off-by: Paul Moore
+---
+ tests/09-calipso_pass.tests | 52 +++++++++++++++++++++++++++++++++++++
+ 1 file changed, 52 insertions(+)
+ create mode 100755 tests/09-calipso_pass.tests
+
+diff --git a/tests/09-calipso_pass.tests b/tests/09-calipso_pass.tests
+new file mode 100755
+index 0000000..0de1d15
+--- /dev/null
++++ b/tests/09-calipso_pass.tests
+@@ -0,0 +1,52 @@
++#!/bin/bash
++
++#
++# NetLabel Tools test script
++#
++
++#
++# This program is free software: you can redistribute it and/or modify
++# it under the terms of version 2 of the GNU General Public License as
++# published by the Free Software Foundation.
++#
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++# GNU General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with this program. If not, see .
++#
++
++function doi_remove() {
++ local rc=1
++ while [[ $rc -ne 0 && $rc -lt 3 ]]; do
++ $GLBL_NETLABELCTL calipso del doi:$1
++ [[ $? -ne 0 ]] && rc=$(($rc+1)) || rc=0
++ sleep 1
++ done
++ [[ $rc -ne 0 ]] && exit 1
++}
++
++# add the DOIs
++$GLBL_NETLABELCTL calipso add pass doi:100
++[[ $? -ne 0 ]] && exit 1
++$GLBL_NETLABELCTL calipso add pass doi:101
++[[ $? -ne 0 ]] && exit 1
++$GLBL_NETLABELCTL calipso add pass doi:102
++[[ $?
-ne 0 ]] && exit 1
++
++# verify the DOIs
++[[ "$($GLBL_NETLABELCTL calipso list doi:100)" != "type:PASS_THROUGH" ]] \
++ && exit 1
++[[ "$($GLBL_NETLABELCTL calipso list doi:101)" != "type:PASS_THROUGH" ]] \
++ && exit 1
++[[ "$($GLBL_NETLABELCTL calipso list doi:102)" != "type:PASS_THROUGH" ]] \
++ && exit 1
++
++# remove the DOIs
++doi_remove 100
++doi_remove 101
++doi_remove 102
++
++exit 0
+--
+2.49.0
+
diff --git a/0004-netlabel-Update-man-page-to-clarify-SELinux-labeling.patch b/0004-netlabel-Update-man-page-to-clarify-SELinux-labeling.patch
new file mode 100644
index 0000000..d4bb79d
--- /dev/null
+++ b/0004-netlabel-Update-man-page-to-clarify-SELinux-labeling.patch
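Review bot: Each `&& exit 1` after the three `calipso list` checks in the "verify the DOIs" section leaves DOIs 100, 101 and 102 configured in the kernel, so a failing run changes the state seen by whichever test runs next; running the `doi_remove` calls from an EXIT trap (or from a single failure path) would keep the test self-cleaning. In `doi_remove`, `rc` starts at 1, so the first failed `calipso del` already moves it to 2 and the second to 3 — the loop tries the deletion at most twice, although the `-lt 3` bound reads as three attempts; starting from `rc=0` with a separate attempt counter, or a comment like `# rc=1 is a sentinel: two attempts, one second apart`, would make the intent explicit. The `sleep 1` also runs after a successful delete, so every passing run spends three seconds idle.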
@@ -0,0 +1,64 @@
+From 633035271a106830f412f2888b491b157ae6036e Mon Sep 17 00:00:00 2001
+From: Richard Haines
+Date: Tue, 16 Nov 2021 16:38:38 +0000
+Subject: [PATCH] netlabel: Update man page to clarify SELinux labeling
+
+Clarify how SELinux setsockcreatecon(3) and policy socket* class
+type_transition rules can impact domain: entries.
+
+Signed-off-by: Richard Haines
+Signed-off-by: Paul Moore
+---
+ doc/man/man8/netlabelctl.8 | 29 ++++++++++++++++++++++++++++-
+ 1 file changed, 28 insertions(+), 1 deletion(-)
+
+diff --git a/doc/man/man8/netlabelctl.8 b/doc/man/man8/netlabelctl.8
+index bb00096..2a7852b 100644
+--- a/doc/man/man8/netlabelctl.8
++++ b/doc/man/man8/netlabelctl.8
+@@ -57,7 +57,9 @@ Display the kernel's list of supported labeling protocols.
+ The domain mapping module is used to map different NetLabel labeling protocols
+ to either individual LSM domains or the default domain mapping. It is up to
+ each LSM to determine what defines a domain. With SELinux, the normal SELinux
+-domain should be used, i.e. "ping_t". In addition to protocol selection based
++domain should be used, i.e. "ping_t" (however see the
++.B NOTES
++section below regarding SElinux). In addition to protocol selection based
+ only on the LSM domain, it is also possible to select the labeling protocol
+ based on both the LSM domain and destination address. The network address
+ selectors can specify either single hosts or entire networks and work for both
+@@ -259,6 +261,31 @@ The static, or fallback, labels are only supported on Linux Kernels version
+ Linux Kernels 2.6.28 and later and CALIPSO/RFC5570 is only supported on Linux
+ Kernels 4.8.0 and later.
+ .P
++When using the SELinux LSM, it is generally assumed that the
++.I type
++component of the process security label should be used as the
++.I domain:
++entry. However, NetLabel services actually use the socket security label to
++determine labeling.
Normally this would be the same
++.I type
++component as the process (as by default the socket inherits the process
++label). There are cases where this matters, as it is possible with SELinux
++to set a different label on the socket using the libselinux function
++.BR setsockcreatecon (3),
++or a policy socket* class
++.I type_transition
++rule. Should these be used to change a socket label, then the new socket
++.I type
++must be used in the
++.I domain:
++entry instead.
++If fallback labeling is configured and a new socket label is set on the
++client, the server will show that label when
++.BR getsockopt (2)
++with
++.I optname=SO_PEERSEC
++is called.
++.P
+ The NetLabel project site, with more information including the source code
+ repository, can be found at https://github.com/netlabel. Please report any
+ bugs at the project site or directly to the author.
+--
+2.49.0
+
diff --git a/0005-netlabel-config-Fix-IPv4-IPv6-addresses-parsing-in-n.patch b/0005-netlabel-config-Fix-IPv4-IPv6-addresses-parsing-in-n.patch
new file mode 100644
index 0000000..2d731fc
--- /dev/null
+++ b/0005-netlabel-config-Fix-IPv4-IPv6-addresses-parsing-in-n.patch
@@ -0,0 +1,30 @@
+From baa737bea55071a67879baee07f0be49fb2368e1 Mon Sep 17 00:00:00 2001
+From: Hubert Quarantel-Colombani
+Date: Sun, 12 Dec 2021 08:31:56 +0100
+Subject: [PATCH] netlabel-config: Fix IPv4/IPv6 addresses parsing in
+ nlbl_reset_unlbl()
+
+Make cut retrieve the complete IPv6 address.
+
+Signed-off-by: Hubert Quarantel-Colombani
+Signed-off-by: Paul Moore
+---
+ netlabelctl/netlabel-config | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/netlabelctl/netlabel-config b/netlabelctl/netlabel-config
+index 15c74f7..dcb77d4 100755
+--- a/netlabelctl/netlabel-config
++++ b/netlabelctl/netlabel-config
+@@ -37,7 +37,7 @@ function nlbl_reset_unlbl() {
+ [[ "$(echo $i | cut -d':' -f 1)" == "accept" ]] && continue
+
+ local iface=$(echo $i | cut -d',' -f 1 | cut -d':' -f 2)
+- local addr=$(echo $i | cut -d',' -f 2 | cut -d':' -f 2)
++ local addr=$(echo $i | cut -d',' -f 2 | cut -d':' -f 2-)
+ if [[ "$iface" == "DEFAULT" ]]; then
+ netlabelctl unlbl del default address:$addr
+ else
+--
+2.49.0
+
diff --git a/0006-libnetlabel-fix-a-header-file-guard-typo.patch b/0006-libnetlabel-fix-a-header-file-guard-typo.patch
new file mode 100644
index 0000000..6c565f2
--- /dev/null
+++ b/0006-libnetlabel-fix-a-header-file-guard-typo.patch
@@ -0,0 +1,26 @@
+From 6bc161a78f82120744c5d0450745474690d71bcc Mon Sep 17 00:00:00 2001
+From: Paul Moore
+Date: Tue, 4 Feb 2025 10:19:34 -0500
+Subject: [PATCH] libnetlabel: fix a header file guard typo
+
+Signed-off-by: Paul Moore
+---
+ libnetlabel/netlabel_internal.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libnetlabel/netlabel_internal.h b/libnetlabel/netlabel_internal.h
+index a472274..6f66cd6 100644
+--- a/libnetlabel/netlabel_internal.h
++++ b/libnetlabel/netlabel_internal.h
+@@ -22,7 +22,7 @@
+ *
+ */
+
+-#ifndef _NETLINK_COMM_H
++#ifndef _NETLINK_COMM_H_
+ #define _NETLINK_COMM_H_
+
+ #include
+--
+2.49.0
+
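Review bot: The `-f 2-` on the added `local addr=` line is the entire fix, and the sibling `local iface=` line two lines above still uses `-f 2`, so the next reader is likely to "correct" the asymmetry back into the original IPv6 bug; a comment above the changed line, `# 2- keeps every ':'-separated field after the first: IPv6 addresses contain ':' themselves`, would record why the two pipelines differ. The value still passes through an unquoted `echo $i`, which is presumably harmless for the comma-separated entries the surrounding cut pipeline expects, but `echo "$i"` would cost nothing and match the quoting used on the `iface` comparison line. nlbl_reset_unlbl() begins before and continues after the hunk.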
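Review bot: The corrected guard `_NETLINK_COMM_H_` still begins with an underscore followed by an uppercase letter, a spelling C reserves for the implementation, and it does not name the file it protects (`libnetlabel/netlabel_internal.h`), which suggests both lines were carried over from an earlier header name rather than only the `#ifndef` being mistyped. Since the `#ifndef` and `#define` lines are adjacent in this hunk, renaming the pair to `NETLABEL_INTERNAL_H` would fix the reserved-identifier issue in the same change, provided no other translation unit tests the old macro — something this hunk cannot confirm. The `#include` line's target does not appear on this page, so it is not reviewed here.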
diff --git a/0007-Improve-help-usage-message.patch b/0007-Improve-help-usage-message.patch
new file mode 100644
index 0000000..6ce152a
--- /dev/null
+++ b/0007-Improve-help-usage-message.patch
@@ -0,0 +1,31 @@
+From 944411478ab51d5d8ac7f4e52658ade4eb6a3aa1 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis
+Date: Fri, 1 Aug 2025 12:50:24 +0200
+Subject: [PATCH] Improve "help/usage" message
+
+- Document the -V option
+- Add more info to the -t option
+
+Signed-off-by: Vit Mojzis
+---
+ netlabelctl/main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/netlabelctl/main.c b/netlabelctl/main.c
+index 0aa1d56..fa4a983 100644
+--- a/netlabelctl/main.c
++++ b/netlabelctl/main.c
+@@ -89,8 +89,9 @@ static void nlctl_help_print(FILE *fp)
+ " Flags:\n"
+ " -h : help/usage message\n"
+ " -p : make the output pretty\n"
+- " -t : timeout\n"
++ " -t : set a timeout for NetLabel subsystem response\n"
+ " -v : verbose mode\n"
++ " -V : display version information\n"
+ "\n"
+ " Modules and Commands:\n"
+ " mgmt : NetLabel management\n"
+--
+2.49.0
+
diff --git a/netlabel_tools.spec b/netlabel_tools.spec
index c864c76..863029b 100644
--- a/netlabel_tools.spec
+++ b/netlabel_tools.spec
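Review bot: The reworded `-t` line still does not show that the flag takes a value or what unit that value is in, so a user reading `" -t : set a timeout for NetLabel subsystem response\n"` cannot tell whether to write `-t 5` or something else; if the option parser (not visible in this hunk) reads a numeric argument, the usage text should say so, e.g. `" -t <n> : wait at most <n> <unit> for a NetLabel subsystem response\n"` with the unit filled in from the parser. The added `-V` line is consistent with the other no-argument flags, so the same concern does not apply there. nlctl_help_print() continues outside the hunk.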
@@ -1,11 +1,18 @@ Summary: Tools to manage the Linux NetLabel subsystem Name: netlabel_tools Version: 0.30.0 -Release: 20%{?dist} +Release: 21%{?dist} License: GPL-2.0-only URL: https://github.com/netlabel/netlabel_tools Source: https://github.com/netlabel/netlabel_tools/releases/download/v%{version}/%{name}-%{version}.tar.gz -Patch0: rhbz1683434.patch +# git format-patch -N v0.30.0 -- +Patch0001: 0001-netlabel_config-better-error-reporting-on-load.patch +Patch0002: 0002-doc-fix-a-typo-in-the-netlabel-config-man-page.patch +Patch0003: 0003-tests-add-a-basic-CALIPSO-pass-through-test.patch +Patch0004: 0004-netlabel-Update-man-page-to-clarify-SELinux-labeling.patch +Patch0005: 0005-netlabel-config-Fix-IPv4-IPv6-addresses-parsing-in-n.patch +Patch0006: 0006-libnetlabel-fix-a-header-file-guard-typo.patch +Patch0007: 0007-Improve-help-usage-message.patch Requires: libnl3 Requires(post): systemd @@ -66,6 +73,14 @@ make V=1 DESTDIR="%{buildroot}" install %attr(0644,root,root) %config(noreplace) /etc/netlabel.rules %changelog +* Fri Aug 01 2025 Vit Mojzis - 0.30.0-21 +- Improve "help/usage" message (RHEL-38477) +- libnetlabel: fix a header file guard typo +- netlabel-config: Fix IPv4/IPv6 addresses parsing in nlbl_reset_unlbl() +- netlabel: Update man page to clarify SELinux labeling +- tests: add a basic CALIPSO pass through test +- doc: fix a typo in the netlabel-config man page + * Tue Oct 29 2024 Troy Dawson - 0.30.0-20 - Bump release for October 2024 mass rebuild: Resolves: RHEL-64018